Robust cybersecurity is essential for any business. A breach can have fatal consequences for an organisation’s finances, operational capabilities and reputation, and the challenge becomes tougher each year as cyber threats become ever more sophisticated.
Today’s attacks are smart, adaptive, and tailored to exploit even the most minute vulnerabilities that exist in a business’s IT systems and cybersecurity solutions. Undoubtedly, 2024 will see threats evolve further still, and the pace at which the threats advance will only increase.
The question, then, is whether businesses are deploying solutions capable of protecting them against the latest (and next) generation of cyber threats.
To get the answer, IDEE recently commissioned a survey of 501 cybersecurity professionals in UK businesses. Worryingly, the findings reveal an ugly truth – that, while most organisations are aware of the shortcomings of their cybersecurity solutions, too little is being done to address them.
MFA adopted widely, but confidence in it remains low
According to IDEE’s survey, almost all (95%) respondents said that their business uses multi-factor authentication (MFA) in some capacity, requiring users to provide more than one form of identification when accessing their work account or company’s IT systems.
In the last few years, MFA systems have become the cybersecurity solutions of choice. Most business software providers – think Microsoft 365 or Google Workspace – come with in-built MFA.
Yet, despite MFA being almost ubiquitous within UK companies, the research shows not only that it is often ineffective, but that cybersecurity professionals know it is. IDEE’s survey found that just two in five (40%) businesses deployed MFA because they deem it to be the most secure solution for their systems and data. Moreover, one in two (50%) IT leaders damned their MFA solution with faint praise by describing it as only ‘somewhat effective’ against cyberattacks.
Cybersecurity decision-makers know that their business does not have a solution in place that can guard against the most sophisticated forms of attack. This trend is substantiated by the responses of tech leaders when asked to specify the types of attacks their MFA systems mitigate. Only 35% said that their solution offered protection against the use of weak passwords. Meanwhile, even fewer (34%) claimed their MFA could defend against credential phishing attacks.
This, in all honesty, defies logic. After all, of those businesses that admitted to having suffered an attack in the past 12 months (some 53%, by the way), over a third (35%) said the cause of the breach was stolen credentials.
What are the dangers of a relaxed approach to cybersecurity?
Businesses are experiencing breaches, and cyber experts describe their solutions as only ‘somewhat effective’, knowing as they do that their MFA cannot guarantee safety from some of the most common forms of cyberattack. Why, therefore, is more not being done to rectify this situation?
To my mind, these figures could suggest that IT leaders perceive cyberattacks as an inevitability, adopting a negative mindset and deploying an accepted best-in-class solution (MFA) without truly considering its efficacy against the methods today’s attackers are using. Needless to say, this approach is extremely dangerous.
One of the most obvious dangers is the financial cost of a cyber breach. For context, according to IBM’s latest Cost of a Data Breach Report, the loss caused by a cyberattack in the UK hit an average of £3.4m in 2023 – a figure that has risen by 9% since 2020. This loss stems from a variety of factors, such as compensation for affected customers, the investigation into the breach, and penalties that can be incurred for failing to comply with the GDPR.
Further losses can be suffered because of operational downtime caused by a breach, as employees are often unable to access the systems or data they need to fulfil their roles, resulting in a loss in productivity and potential revenue. In December 2022, for example, a ransomware attack at the Guardian meant that staff were forced to work remotely to contain the breach.
Elsewhere, reputational damage, while harder to quantify, is undoubtedly another important consideration. According to figures from 2020, for instance, 34% of UK businesses suffered a damaged reputation following a data breach, while 33% lost customers.
Adapting your organisation’s approach to cybersecurity for the year ahead
With the start of a new year comes the chance to take a new approach to managing a business’s cybersecurity, and it is vital that IT and cybersecurity decision-makers take the opportunity to enhance their organisation’s defences if they are to stay ahead of increasingly sophisticated attackers in 2024.
One of the biggest things holding businesses back from being proactive is that they place too much emphasis on detecting cyberattacks, and do not spend enough time researching and implementing systems that work instead to prevent them. In turn, the negative mindset that attacks are inevitable gets recycled, and organisations remain stuck in a cycle of attack and defence.
To break free from this cycle, businesses have to implement a multi-layered approach that makes it extremely difficult for cybercriminals to bypass defences and impersonate users. This is particularly important at present. With many businesses still allowing their staff to take advantage of hybrid or remote working, organisations are utilising decentralised IT systems, making user impersonation a key threat to their accounts and data.
Mitigating this threat relies on concepts like transitive trust and identity proofing, which ensure that a transaction is carried out on a trusted service, tied to a trusted device, and coupled to a specific user under the user’s total control. Only then can organisations enhance their cybersecurity and protect themselves against the increasingly sophisticated forms of attack that will continue to impact the world of business in the months and years to come.
Looking ahead to 2024 and beyond, in the ever-evolving cybersecurity landscape, businesses must recommit to taking a preventative approach to cybersecurity to ensure the resilience and security of their organisation’s systems and data. Do not remain fixated on detection – prevention is everything, and businesses have to put solutions in place that are not merely ‘somewhat effective’ but absolutely effective in forestalling today’s cyber threats.