Mid-market organizations are stuck between a rock and a hard place when it comes to cybersecurity. They’re typically large enough to warrant investing in advanced threat detection and response technology, but too small to implement and operate their own security operations centers (SOCs). As a result, CIOs and CISOs do what they can with the resources available – and they’re not necessarily doing poorly.
However, many mid-market organizations think too highly of their own cybersecurity strategies. According to a recent survey conducted by Arctic Wolf Networks, there’s a glaring gap between the perception and the reality of security posture. Many organizations think the glass is half full when, in fact, their best efforts are visibly missing the mark.
Only so many hours in a day
One of the most telling discrepancies in the data is in the number of respondents who said they have dedicated cybersecurity personnel. Ninety percent of respondents claimed to have personnel dedicated solely to cybersecurity tasks. Yet 72 percent claim that their IT roles are far too broad to give cybersecurity the attention they think it deserves. Case in point: Respondents claimed that 77 percent of security alerts stew for at least an hour before being investigated.
Part of the problem here is that much of the mid-market is behind the curve compared to large enterprises in terms of what’s expected. In years past, cybersecurity was typically a hands-off endeavor that involved firewalls, web filters, anti-spam tools and other low-maintenance solutions that more or less did the work for the user.
However, cyberthreats have spiked both in concentration and in sophistication, forcing the solutions-based approach into obsolescence. And still, entire cohorts of security software vendors continue to make empty promises to the mid-market. This problem is compounded by the fact that 74 percent of IT workers feel pressured to purchase the latest cybersecurity solutions, according to TechTarget’s Michael Heller, despite lacking the time, resources and expertise needed to deploy and manage them. So, when a vendor comes to the table promising active protection for a low price point, there’s a bit of a knee-jerk reaction to bite on the offer. As a result, 89 percent of people misguidedly believe that perimeter security is enough to prevent most, if not all, cyberattacks.
Perhaps most importantly, there’s the aspect of experience. An organization that has been lucky enough to avoid breaches based on its current use of out-of-the-box solutions will have an inherent optimism bias born of the classic “if it ain’t broke, don’t fix it” mentality. When there’s only so much time in a day, it’s hard to blame them. At the same time, these organizations are playing with fire.
Filling in the SOC gap
Tellingly, Arctic Wolf Networks’ survey found that 88 percent of organizations believed they could benefit from a SOC, but 59 percent said it was too expensive. And yet 46 percent of respondents were bullish about having the budget, resources and expertise to build one.
This sentiment, however, is contradicted by a much more revealing finding: Only 23 percent of respondents said that they are investigating alerts within an hour of finding them. Given that ransomware can encrypt 1,000 Microsoft Word documents in 16 minutes or less, even an hour falls short of the desired threat detection and response timeline.
In summary, most mid-market organizations seem to be unwilling to pay for an in-house SOC – but nearly half say they could if they really wanted to – and are under the impression that their response times are adequate when, in fact, they’re far from it. Therein lies the gap in perception versus reality.
If there’s a silver lining to these findings, it’s that a small percentage of organizations are starting to outsource SOC to managed service providers. In years to come, this is a trend that’s expected to gain steam as awareness builds for offerings such as SOC-as-a-Service.
For organizations that can’t dedicate enough time to threat hunting, there are other options out there. It’s just about knowing where to look.