Earlier this year, Axis took part in the world’s largest cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World, undertaken by global research firm ThoughtLab. The study analyzed the cybersecurity strategies and results of 1,200 large organizations across 14 different sectors and 16 countries, highlighting the growing risks and, worryingly, a perception among executives that they are largely unprepared for the changing environment. We’ve taken a dive into the study data to pick out some of the key learnings for the surveillance and security sector.
One of the most significant shifts in cybersecurity risks in recent years has been the arrival and growth of the so-called internet of things (IoT) where billions of devices are now connected to each other and corporate networks. This has greatly increased the potential attack surface for organizations. Effectively, any device connected to the network could provide an attack and entry point for cyber criminals.
This was a factor highlighted in the study, with 25% of respondents agreeing with the statement that the “convergence of digital/physical systems has greatly increased the cybersecurity risk”. And it’s a risk that continues to escalate. While 27% saw the rise of new technologies, including IoT, as the biggest cybersecurity risk today, the percentage of respondents who saw it as the biggest risk in two years’ time rose to 37%.
Even more significantly, 44% of respondents agreed that their organization’s “growing use of partners and suppliers exposes us to a major cybersecurity risk”. The issue can be created through the use of third-party hardware components and software by some vendors – undisclosed to the customer. It’s critical to source verified end-to-end security solutions, or from vendors that are transparent and can provide a software bill of materials (SBOM).
Overall, more than one in four (27%) felt that their organization is not well prepared for the rapidly changing threat landscape.
A critical need to focus on OT vs IT
There is a greater need than ever to consider risks in both information technology (IT) – technology used to principally manage an organization’s data – and operational technology (OT), the technology used to manage and monitor industrial equipment, assets, processes, and events. However, the ThoughtLab study data highlights a concerning gap in staffing levels. Only 40% of cybersecurity staff in businesses surveyed were focused on OT.
In itself, a 40/60 split between cybersecurity staff focused on OT versus those focused on IT doesn’t seem too dramatic. But when set in the context of some of the reasons for breaches, it’s easy to see why this weighting should be more even.
Respondents in the survey cited human error (50%), unknown assets (44%), misconfigurations (44%), poor maintenance (43%), and patching (31%) as the root cause of cyberattacks, with many of these set to increase. All of these can be regarded as OT issues, whereas the first IT-related area – network architecture – was only highlighted as the root cause of attacks by 26% of respondents. Given that there are more OT assets in the attack surface of most organizations than IT assets, there’s a strong argument that there should be more OT staff focused on cybersecurity than IT staff, not less.
Prioritizing investments, but are they effective?
The study looked in some details at those areas where customers are prioritizing their cybersecurity investments, but also highlighted some surprises regarding where these were seen as effective.
Take the point above, relating to OT and IT. Nearly one in three respondents (30%) stated that they had already invested in “prioritizing the IT and OT assets to protect as well as vulnerabilities to remediate”, and 33% said that this would be the biggest investment area over the next two years. However, only 9% cited this as the most effective measure to take.
In contrast, “applying zero trust principles” – an area where a similar number of respondents have already invested (29%) – was seen as being twice as impactful in improving cybersecurity (18% seeing this as the most effective area of investment).
An opportunity seems to exist for system integrators in this area. Where 18% of respondents highlighted that “developing and implementing a third-party risk management program” as the most effective measure, only 23% have already invested in it.
A word on cybersecurity frameworks
The study asked respondents to state which industry frameworks they used to benchmark their cybersecurity strategies. Nearly half of respondents (48%) stated that they were using ISO 27001 and 27002, with the Center for Internet Security (CIS) controls scoring highly (45%) and the NIST CSF and the NIST 800-53 controls also fairly close behind (32% and 40% respectively). Though the NIST CSF is a newer risk management framework, it’s interesting based on the results that it is only slightly trailing ISO 27001 in adoption by enterprise businesses globally.
Addressing the cybersecurity issues of connected devices
It’s clear from the ThoughtLab study that the growing number of connected physical security devices is creating a related growth in cybersecurity risks. Despite the negative impacts associated with security breaches – including reputational damage, business disruption and interruption through system downtime, direct financial loss, and potential fines – it seems to be an area that still isn’t attracting the focus it deserves.
As a supplier of connected surveillance cameras and associated technology, Axis takes its role in cybersecurity seriously. Innovations in built-in cybersecurity features, such as Axis device ID, Edge Vault, signed firmware, secure boot, and more, help safeguard the integrity of the Axis devices on the network.
We also work closely with our partners and customers to help ensure that cybersecurity best practices are being implemented throughout the value chain and the product lifecycle. AXIS Device Manager and AXIS Device Manager Extend remain the ideal tools for managing and maintaining cybersecurity hygiene for Axis products.
As ever, cybersecurity continues to be a journey rather than a destination.