South African IT managers are inundated with cyberattacks coming from all directions and are struggling to keep up due to a lack of security expertise, budget and up-to-date technology.

This is according to a survey The Impossible Puzzle of Cybersecurity released by cybersecurity company Sophos.

The survey polled 3,100 IT decision makers from mid-sized businesses in the US, Canada, Mexico, Colombia, Brazil, UK, France, Germany, Australia, Japan, India, and South Africa.

It found that cybercriminal tactics have evolved into using multiple attack methods and often multiple payloads, and IT teams spend 27% of their time managing security, yet still struggle with a lack of expertise, budget and up-to-date technology.

Software exploits were the initial cause of 17% of incidents and used in 23% of cyberattacks, demonstrating how exploits are used at multiple stages of the attack chain, that phishing emails impacted 47% of those hit by a cyberattack, ransomware impacted 38% of attack victims and 39% of attack victims suffered a data breach.

Sophos stated: "Regarding budget, 66 percent said their organisation's cybersecurity budget (including people and technology) is below what it needs to be. Having current technology in place is another problem, with 75% agreeing that staying up to date with cybersecurity technology is a challenge for their organisation. This lack of security expertise, budget and up to date technology indicates IT managers are struggling to respond to cyberattacks instead of proactively planning and handling what's coming next."

Supply chain attacks

Supply chain attacks are a launch pad to emerging automated, active-adversary attacks, according to Sophos.

"Based on the responses, it's not surprising that 75 percent of IT managers consider software exploits, unpatched vulnerabilities and/or zero-day threats as a top security risk. Fifty percent consider phishing a top security risk. Alarmingly, only 16 percent of IT managers consider supply chain a top security risk, exposing an additional weak spot that cybercriminals will likely add to their repertoire of attack vectors," the company added.

Available skills and talent is also an issue, and 79% of respondents said recruiting people with the cybersecurity skills they need is challenge, while 80% want a stronger team in place to detect, investigate and respond to security incidents.

Chester Wisniewski, principal research scientist, Sophos, said: "Staying on top of where threats are coming from takes dedicated expertise, but IT managers often have a hard time finding the right talent or don't have a proper security system in place that allows them to respond quickly and efficiently to attacks.

"If organisations can adopt a security system with products that work together to share intelligence and automatically react to threats, then IT security teams can avoid the trap of perpetually catching up after yesterday's attack and better defend against what's going to happen tomorrow. Having a security 'system' in place helps alleviate the security skills gap IT managers are facing. It's much more time and cost effective for businesses to grow their security maturity with simple to use tools that coordinate with each other across an entire estate."

Wisniewski added that while the survey did not delve into why participants have such a hard time keeping machines to date, it is usually a case of knowing what devices are on the network.

"... Which is harder than it looks. You can't patch what you don't know you have. Even when you do know what you have, machines will often show that they have received updates that in fact were not applied properly and many security tools require large, regularly updates and can be difficult to keep current," he said.

There is light at the end of the tunnel and Wisniewski believes businesses are starting to recognise the specific causes of their failure.

"I don't read that the challenges organisations are facing will lead to things getting worse, but rather an explanation of where we are today. It is one of the major reasons we don't go a day without hearing about another successful attack or another data breach. The good news is that businesses are starting to recognise the specific causes of their failure and can begin to address these problems to move forward more successfully."