2021 Cyber IQ Survey: The shift toward proactive security

Zero-trust architecture (ZTA) is a concept that has existed since before the COVID-19 pandemic, but it is becoming more necessary and urgent with the recent increase in remote work. However, because ZTA is just an architectural concept and not something that can be achieved by installing a specific security solution, even many advanced companies are now facing barriers and issues related to its implementation, and are therefore still exploring the possibilities.

The Cyber IQ Survey results showed that perimeter defence measures such as VPNs were still the most commonly deployed measures for mobile devices. (55.3% of respondents selected ‘VPN’ as the security measure they use for mobile devices, the largest percentage of all options.) 

Meanwhile, regarding security measures that respondents have already taken and are planning to take in the next three years, survey results showed that ZTA-related measures such as risk-based authentication, multi-factor authentication, and single sign-on (SSO) are likely to increase, suggesting that companies are willing to change their mindset. However, in reality, the shift to ZTA is difficult to achieve in a short period of time, and we therefore expect companies to proceed in an incremental manner with the maturation of the related product markets and migration of current assets.

In recent years, a new type of cyberattack called ‘double extortion ransomware’ has become widespread. The term ‘double extortion’ refers to a ‘two-stage’ extortion scheme: Not only is data encrypted and a ransom demanded for its decryption, as with traditional ransomware attacks, but the data is also leaked if the ransom is not paid. 

Some ransomware has also been found to use triple-stage extortion, sending a large amount of communication data to the victim organisation's website and interfering with the operation of the website if the ransom is not paid. In this way, the pressure on victims to pay the ransom is increasing, and ransomware attacks have become increasingly more malicious.

As cyber threats continue to evolve to outsmart corporate countermeasures, the hurdles to launching an attach are becoming lower and lower, due to the maturation of the market for attack tools and know-how provided as a service. At the same time, companies must continue to pay close attention to internal threats such as internal fraud and inadvertent leaks, in addition to external threats. It is therefore crucial for companies to recognise that they are unfortunately facing a growing number of these threats and to continuously review their countermeasures.

These survey results show that while many companies are willing to focus not only on protection but also on detection and recovery to enhance their resilience, they have not been involved in response and recovery. Despite the prevalence of the concept of cyber resilience, businesses still have a long  way to go to realise it.

While companies are struggling to secure their resilience, cyber threats continue to expand. As mentioned in the above topics, there have been many reports of ransomware and other malware attacks entering the networks of other parties in the supply chain or remote workplaces, leading to security incidents. In addition to the office environment, the environments of  production and research locations such as factories have also become digitalised, and those systems are now connected to each other by networks. This is why the intrusion of a cyber threat can lead directly to the disruption of an entire business and its operations, and why the damage caused by security incidents is becoming more and more serious.

In this survey, when asked how they were affected by security  incidents that occurred in the past year, the percentages of respondents who answered, ‘Systems down’ and ‘Business impact’ were 22.5% and 19.8% respectively, along with ‘Data breach’ at 21.8%. Regarding ‘Business impact’, many respondents reported impacts directly related to business and operational continuity, such as ‘disruption of business, processes and services’ (26.9%) and ‘network strain’ (26.9%).