
Companies are upgrading
Many companies are aware of the operational dangers posed by IT incidents. They are planning investments in technology and know-how and are also turning to new security approaches such as Zero Trust. A survey by techconsult, in which Sophos participated, shows what technical decision-makers from trade, industry and service providers expect from security solutions.
More than half of all respondents (52 percent) have suffered one (26 percent) or more security attacks on their company in the last 12 months. Phishing (42 percent) and ransomware (36 percent) take the top spots. Bronze (31 percent) goes to the "insider threat" attack type, subtype "negligent" (there's also "criminal," but this one only accounts for 15 percent). To put it bluntly, this includes scatterbrainedness and ignorance on the part of employees, external service providers, partner entrepreneurs or ex-colleagues.
Respondents also see these three issues as security threats to their industries in the coming years: phishing (51 percent), negligent insider threat (34 percent) and ransomware (28 percent). Just over a third (32 percent) complained of business disruptions and outages. Twenty-six percent suffered financial losses as well as the loss of sensitive data. At least many companies are addressing the issue at board level (43 percent) and have a coordinated security and network strategy (42 percent). For example, 49 percent have antivirus solutions and malware detection, 41 percent have a packet filtering/proxy firewall, and 38 percent have data protection, backup and recovery solutions in place.
How do companies intend to arm themselves against future threats?
48 percent are focusing on the use of new security technologies. Currently, only 16 percent have ZTNA (Zero Trust Network Access) in place. But 61 percent plan to deploy a zero trust architecture, either within 12 months (26 percent), 24 months (20 percent) or in the long term (15 percent). Only 6 percent say this security approach is not an issue for them.
However, the complexity of implementation (36 percent), lack of expertise within the company (33 percent), excessive investment costs (26 percent), and non-transparent as well as insufficiently tested offerings from providers (22 percent each) have stood, or still stand, in the way of the introduction of Zero Trust.
87 percent want to spend more on technical tools and training courses
Secure connectivity and networking of their branches is a motivation for 58 percent of respondents to promote Zero Trust more within the company. More data security and maintaining home office infrastructure (both 56 percent) would also boost Zero Trust. Protection against insider threats (55 percent) could mitigate future fears (see above).
Two-thirds (60 percent) expect fewer security incidents with a zero-trust architecture. Companies also expect greater security in accessing applications in the cloud and improved network security (both 57 percent). Onboarding of employees as part of New Work is a very high priority for more than one in two (56 percent). Lower costs and complexity as well as less downtime (both 51 percent) also speak in favor of Zero Trust.
In view of these attested benefits, companies are planning specific technical measures in the next few years. These include the encryption of data and transport paths (34 percent), user profiles and corresponding guidelines (33 percent), data loss prevention (30 percent) and VPN (23 percent). In addition to technical solutions, companies are also looking at organizational measures within their Zero Trust architecture. These include emergency and response plans (35 percent), needs analyses and certifications (32 percent each). Network segmentation (second to last at 17 percent) and the establishment of a risk analysis and management system (15 percent) are apparently given little importance. In order to implement all this, 86 percent plan to increase their security budget in the next two years. The majority of respondents (36 percent) are aiming for an increase of 11-20 percent.
About the survey
As part of a multi-client project in which Sophos was involved, 204 companies from retail, IT, logistics, services and industry were surveyed in December 2021. In addition to board members, CIOs, CSOs and IT information security officers provided information.