Editor’s note: We planned this post before the breadth and depth of the MOVEit breach was well known. Even as we acknowledge that some things are looking up, it’s impossible to ignore the severity of this event. For more info on the MOVEit Transfer vulnerability, read CISA’s advisory.
Working in cybersecurity often means taking a lot of heat when things go wrong and feeling pretty invisible when things go right. It’s worth taking a beat to celebrate cybersecurity wins when they happen. We’ve rounded up a few stories that show where things are looking up.
Multifactor Authentication Usage Nearly Doubles
Leading identity and access management company, Okta, recently released its annual Secure Sign-in Trends Report for 2023. They analyzed data from their own customers’ monthly authentications, which number in the billions. They found an ongoing rise in the use of multifactor authentication.
Before the COVID-19 pandemic, just 35% of workforce users had enabled MFA. Today, 64% utilize MFA for sign-ons. And among administrators, at least 90% are using MFA. The pandemic helped accelerate the acceptance of secure sign-on. As more and more users began working outside the perimeter, security teams were forced to hustle forward with MFA education and leadership pushed adoption. We’re still not thankful for COVID, but this is a silver lining.
One caveat to the good news: MFA use varied widely across industries. Not surprisingly, the technology sector leads the way with 87% of overall users adopting MFA. The bottom of the list sees the transportation and warehousing industry lagging way behind with just 39% adoption.
Highly regulated industries seem to be having difficulty with MFA adoption. Government (48% adoption), healthcare (56%), and energy (62%) are often reliant on legacy applications that only support basic authentication methods like usernames and passwords. Ongoing investment in updated technology that allows for MFA is crucial to mitigating the risks of credential-based attacks.
Dwell Time Drops
Mandiant Inc.’s new report, M-Trends 2023, shows that there has been a marked decrease in the global median hacker dwell time. Dwell time is the number of days an attacker is present in a target’s environment before being detected.
The average dwell time in 2021 was 21 days. It dropped to 16 days in 2022.
The good news is that companies are learning about breaches sooner. The bad news is that earlier detection is partially thanks to ransom seekers announcing their intrusion and asking for payment.
The global median dwell time for intrusions involving ransomware was 7 days. Organizations that detected the intrusions internally took an average of 12 days.
Companies are improving internal intrusion detections with the help of modernized threat detection and response solutions. These solutions use AI and automation to improve the productivity of security teams that are stretched thin.
More Educational Opportunities
The cybersecurity workforce has always been lacking enough labor to meet demand. There are an estimated 3.5 million unfilled cybersecurity positions worldwide with 750,000 in the U.S. alone. The collegiate pipeline for filling these roles is slow and expensive. In late May, Google announced that it has plans to help address the issue.
In partnership with Coursera, Google is offering a Cybersecurity Professional Certificate training program that anyone can take. No background in coding or computer science is required. The six-month program is designed to upskill workers for entry-level cybersecurity jobs. Google cybersecurity experts (including the CISO of Google Cloud) designed and taught the classes.
The class covers industry-standard tools like Python, Linux, and SIEM programs. Learners completing the program will be prepared for the CompTIA Security+ exam.
Students interested in the program can try it out for free for seven days. After the trial period, the cost is still only $49 per month. If students can dedicate seven hours a week to the program, they should finish in just six months.
Google has taken its commitment to improving the security professional pipeline a step further. The company has gathered a consortium of 150 employers, including American Express, T-Mobile, Walmart, and Colgate-Palmolive, who are committed to considering graduates of the program for entry-level roles in their organizations.
Cybersecurity is not all bad news. There are wins to celebrate even amidst the losses. They’re just hard to celebrate because it’s more about what didn’t happen than what did.