May 24, 2022

In 2021, one in two large companies suffered at least one successful cyber attack.

Every year, CESIN publishes its Corporate Cybersecurity Barometer. And if there is one thing to remember from this 2022 edition, it is that the journey towards cyber-resilience is still just as difficult, even if companies are now more aware and better protected.

The CESIN barometer, produced by OpinionWay, is the result of a major annual survey of CISOs and cybersecurity directors that seeks to measure both the perception of cybersecurity and its challenges within companies and the concrete reality of their IT security. Recall that CESIN (Club of Information and Digital Security Experts) essentially brings together security managers from large companies, public administrations and mid-sized companies (ETIs).

Among the members of CESIN, more than one in two companies (54%) say they have suffered between one and three successful cyber attacks in the year 2021, attacks that have indeed had glaring repercussions on their businesses.

The number is high, but it marks a slight yet steady decline over the past three years (65% in 2019, 57% in 2020). That is, in the end, rather good news at a time when, on the ground, the scale, technicality and virulence of attacks continue to increase.

This decrease may also reflect the growing efforts of companies: budgets allocated to cybersecurity are still on the rise this year. 70% of companies confirm this trend, compared to 57% in 2020. And 44% of companies devote more than 5% of the IT/digital budget to cybersecurity (a growth of 29%). 56% want to allocate more human resources to their organization. And 7 out of 10 companies have cyber insurance.

Attack vectors

The report focuses in particular on the vectors that led to these successful attacks. Unsurprisingly, phishing remains the main attack vector. It is the number one way to steal credentials and start an infiltration or a multi-phase attack. 73% of CISOs cited this vector in 2021, compared to 80% in 2020. A decrease which, surprisingly, reflects a relative success, because it should not be forgotten that the risks posed by such attacks have multiplied with the lockdown of employees, their stress linked to the pandemic and the increase in remote work under conditions that are not always optimal. This decrease suggests that efforts to educate employees about cybersecurity are beginning to bear fruit.

Exploitation of vulnerabilities, CEO fraud, fraudulent login attempts, registration of illegitimate domain names and DDoS (denial of service) attacks come, unsurprisingly, behind phishing. However, the 2021 Top 10 attack vectors present a novelty worth dwelling on: "indirect attacks bouncing through a service provider" rose by 5% to reach 21%! A progression that reflects the reality of a 2021 marked by attacks on the software supply chain, with the SolarWinds and Log4j incidents. ANSSI has for several years been concerned about the weaknesses of the supply chain of large companies, which often relies on very small and small/medium-sized businesses that are less trained in cyber challenges. But while large companies have often sought to protect themselves from the weaknesses of their service providers, they have not always measured the importance of the players in their software supply chain.

Varied but impactful consequences

The study also attempts to measure the consequences of these attacks. Ransomware attacks affected 1 in 5 businesses among respondents. The 2020 surge has therefore stabilized in 2021, but ransomware obviously remains at the heart of concerns. It keeps its third position in the ranking of consequences, ahead of denial of service, but behind identity theft, which jumps to 32% (compared to 23% in 2020), and data theft.

Alerted by the many ransomware cases in 2020 and throughout 2021, companies have sought solutions and better preparedness.
Their efforts focused first on raising awareness among employees, on deploying an EDR (up 16% in one year), on regular vulnerability scanning and on hardening Active Directory (a priority that rose by 9% in one year). It is also worth noting that 4 out of 10 companies have used cyber crisis training programs, a new entry in the ranking. In addition, 47% of companies plan to set up such training.

Companies that have overall confidence in their tools

But the most surprising thing, despite the failures reported, is that CISOs maintain a high level of satisfaction with the solutions available on the market. In fact, 86% of respondents consider them rather well adapted to their needs (including 8% who say they are "completely" adapted).
On average, companies build their cyber-resilience on a dozen solutions. In addition to traditional VPNs, URL filtering and email security gateways, there has been strong adoption of multi-factor authentication, a marked increase in EDRs (+17% in one year) and wider adoption of encryption solutions (up 7).

However, there is a gap between the adoption of a solution and the perception of its effectiveness. Comparing the two graphs is quite instructive in this regard:

MFA authentication, EDR systems, VPNs, email gateways and web gateways are considered the most effective solutions. Much more surprisingly, while Zero Trust is on the lips of every vendor, identity and access management solutions fell by 4 points in 2021 and top out at 18%, while PAM (Privileged Access Management) solutions remain much better perceived in terms of effectiveness. DLP (Data Leak Prevention) solutions are also among the least deployed and the least considered effective.

And since we are talking about Zero Trust, only 30% of companies have already started or completed the implementation of such a strategy. However, 41% of respondents say they are studying how such a model could be implemented in their company. With only 13% of respondents having started to deploy it, SASE, the security buzzword of 2021, is still perceived as a marketing-first concept that will have to prove itself further before it takes hold.

Finally, the CESIN report also looks at cloud impacts and at the aspects of sovereignty and trust (6 out of 10 CISOs say they are concerned about cloud trust issues). CISOs worry about control over their hosting providers' subcontracting chain and about poor visibility of their cloud resources (and the difficulty of taking an inventory of them). In addition, 8 out of 10 CISOs believe that securing data stored in the cloud requires specific tools, and in most cases (63%) that it is necessary to use tools other than those offered by the cloud provider.

Source: Business Cybersecurity Barometer – OpinionWay / CESIN – Wave 7 – January 2022