Report: IoT, ransomware concerns grow as cyber skills gap persists


Government and commercial enterprises are increasingly concerned about internet of things (IoT) vulnerabilities and the threat of ransomware as institutions across industries struggle to find enough cybersecurity talent, a survey of cybersecurity professionals found.

The information security professional organization ISACA released the findings in part two of its annual report, “State of Cyber Security 2017: Current Trends in the Threat Landscape.” The report is based on a survey of cybersecurity managers and practitioners on security trends such as staffing, budget allocation, the threat environment and controls and countermeasures.

The survey results for this year “bolster the belief that the field of cybersecurity remains dynamic and turbulent,” the report’s authors note. “Weekly news headlines confirm that cyberattacks are not a seasonal threat or dependent on specific industry environmental attributes, but are constant and should remain forefront in every enterprise executive’s thought process.”

Topping that list of attacks is ransomware. According to survey respondents, more than three-quarters (78 percent) experienced cyberattacks that included some type of malicious code, with 62 percent involving ransomware in 2016. Only a little more than half (53 percent) of the surveyed professionals’ organizations have a formal process to respond to ransomware attacks.

This statistic is concerning given that the three most represented industries in the survey (technology services/consulting, financial/banking and government) are generally regarded as employing the largest number of cybersecurity professionals. The maturity of incident response in sectors that employ fewer security professionals – such as manufacturing, health care and education – may be worse than reflected in ISACA’s survey results.

Overall, threat actors’ favorite attack vectors continue to be phishing (40 percent), malware (37 percent) and social engineering (29 percent) – all of which are usually involved in a ransomware attack.

Meanwhile, survey results indicated that concerns about mobile security fell slightly in 2016. Exploitation via loss of a mobile device dropped from 25 percent to 13 percent year over year. This may be due to the increased use of encryption on mobile devices, the report noted.

While mobile security improved, concerns about the insecurity of IoT rose, from 53 percent to 59 percent year over year.

The second part of the “State of Security” report continued to emphasize what the first part, published earlier this year, uncovered: the persistent challenge of finding, hiring, training and retaining skilled cybersecurity talent.

Specifically, one-third of survey respondents reported that they receive more than 10 applications per open position; of that one-third, 64 percent said only half of applicants are qualified.

One role that has seen year-over-year growth is the chief information security officer (CISO). Last year, only 50 percent of survey respondents reported that their organizations employ a CISO. This year, 65 percent of respondents reported that their organizations employ a CISO.

And, while respondents indicated increasing security budgets, the survey noted, “attacks are increasing, but the resources allocated to combat those attacks, while still growing, are growing at a reduced rate compared with prior years.”

ISACA’s report stressed the importance of intelligence-driven, versus traditional perimeter, cybersecurity. The report also called for more information sharing across organizations and industries.

The full report is available on ISACA’s website.