McIntire Professor Chris Maurer: Companies Aren’t Ready for Cyberattacks–and They Know It

McIntire Professor Chris Maurer says one of the biggest challenges is that cybersecurity rarely has a return on investment.

(Photo illustration by Ziniu Chen, University Communications)

By Whitelaw Reid, wdr4d@virginia.edu

Organizational leaders know cybersecurity breaches are coming, yet they’re struggling to make necessary improvements that could potentially stop them, according to new research by Chris Maurer, a Professor at the University of Virginia’s McIntire School of Commerce.

For a new article he cowrote with University of North Texas colleagues Kevin Kim, Dan Kim, and Leon Kappelman, Maurer investigated cybersecurity practices within individual organizations to determine how they’re changing over time.

Suffice it to say, Maurer doesn’t have good news to share. Maurer found that over the last five years, even as IT leaders ranked cybersecurity in the top two areas that require more investment, the average cybersecurity budget has increased only marginally.

This despite a long list of breaches at high-profile companies such as Target and Twitter, just to name a few, over the last couple of years.

“There is clearly a desire to invest more in cybersecurity,” Maurer said, “but chief information security officers are having difficulty convincing the business to invest more heavily.”

UVA Today caught up with Maurer to learn more.

When you analyzed organizations’ cybersecurity, what were the main criteria you examined?
We took a rather simple approach to evaluating cybersecurity readiness. A series of questions asked respondents whether they followed five common best practices: 1) appointing a chief information security officer (CISO, or equivalent); 2) having cyber-insurance coverage to help offset costs of data breaches and attacks; 3) actively using cybersecurity-related metrics to evaluate their own internal performance; 4) requiring employees to undergo regular cybersecurity training; and 5) incorporating cybersecurity reviews or considerations in several key business/IT processes.

All responses were self-reported, and we did not verify the quality of these practices within each organization. This makes our findings even more surprising, in that organizations had every opportunity to overestimate their readiness, yet they did not do so.

In your research, you found cybersecurity readiness lags. How do you define that? And how big of a problem is it right now?
We defined readiness as the extent to which the five best practices were adopted within organizations. Of course, this is not a perfect measure of overall readiness, but it allowed for a standardized approach for tracking readiness over time. While it may take a reasonable investment to adopt all five of these common best practices, organizations should be able to implement them within a reasonable period of time.

Since we have tracked this data over several years – often within the same organization across those years – and have seen little progress, we consider this to be an area where organizations could be doing much better.

There is no objective way of quantifying exactly how big of a problem this is, because not every organization that has lax cybersecurity controls will suffer a breach/attack, and other organizations with robust cybersecurity programs may experience breaches. However, these results suggest to me that we are likely to continue to see many high-profile cybersecurity incidents across a wide range of industries and organizations for years to come.

Why do you think there has been, in your words, a “lack of progress” in cybersecurity?
One of the biggest challenges is that cybersecurity rarely has a return on investment. For example, $1 million in cybersecurity investment will not directly result in increased revenue or any other means to get that money back. At best, it will prevent an organization from spending more than $1 million in costs associated with a data breach in the future, but it is always difficult to estimate the likelihood of preventing such future costs. As such, it is often difficult for CISOs to convince their organization to invest more heavily in cybersecurity.

Is there a way for consumers to know how secure an organization’s cybersecurity is? Without getting too technical, what should we be on the lookout for? Are there indicators?
Unfortunately, there are no universal standards or signals that easily provide consumers with a sense of how secure an organization is. Also, since most security incidents involve some sort of human error (e.g. clicking on a phishing link), many organizations can pass security audits, yet still be quite vulnerable to data breaches.

One obvious way to ensure consumers are interacting with a reputable organization online is to check whether information transmitted to the website is encrypted and secured. This secure communication is enabled when a web address begins with “https:” and most web browsers will visibly display a lock icon in the address bar when the connection is secured. Any time you enter sensitive information (passwords, credit card numbers, etc.) into a website, be sure there is a lock icon indicating that the information you transmit is encrypted and not visible to anyone who may be trying to intercept that information.

Another key thing consumers can look out for and utilize is two-factor authentication. This is when a user is required to enter both a password as well as a code or some other form of verification that is received via text message, via email, or from a token/key device. While some businesses require customers to enable two-factor authentication, many others make it optional. Requiring two-factor authentication can significantly reduce the likelihood of a successful phishing attack, because if an attacker tricks you into divulging your password, they would still not be able to access your account without having the second form of authentication.

Another thing consumers can be on the lookout for is the organization’s privacy policy. These are the terms that we all simply click “accept” without reading because we have to agree to them if we want to use the organization’s services. While there is no room for negotiation in these privacy terms, savvy consumers can review them carefully to get a sense of what types of information are being collected about them, how the organization is using that data, and whom they may share that data with.

While privacy policies will generally not provide a lot of detail on how the data is protected and secured, consumers can use this information to make informed choices about whether the risks of providing this data to an organization are worth the benefits of using their service.

Chris MaurerAt a bare minimum, what types of cybersecurity measures should organizations be taking?
Given that most security incidents involve some sort of human/user element, it is imperative that organizations have mandatory cybersecurity awareness and training programs. The truth is, however, most of these training programs are poorly designed and employees simply click through them mindlessly to check an item off their to-do list. So organizations should carefully think about designing training programs that provide realistic scenarios to employees and evaluate their behaviors to promote better cybersecurity practices.

All organizations should also have someone with formal responsibility over cybersecurity. Further, the employees responsible for cybersecurity should have strong relationships across the entire organization and not be pushed aside as an afterthought. Since cybersecurity protection spans all areas of the organization, the teams must work closely with all types of employees, not just the IT employees who maintain the computing infrastructure.

From a technical standpoint, all organizations should have a layered defense that requires multiple failures before real damage can occur. You could think of it like having multiple dams along a river such that if any one single dam springs a leak, others downstream will help to protect against catastrophic damage. In terms of cybersecurity, some examples include blocking malicious activity at the perimeter of the network, encrypting data that is transmitted in and out of the network, encrypting data that is stored in databases, and enabling two-factor authentication.

Generally speaking, how have cybersecurity practices changed over the last few years?
According to the data we have collected, the biggest improvement has been the adoption of cyber-insurance. In 2016, fewer than 50% of organizations had coverage, while the percentage is now 79%. Cybersecurity training requirements also increased considerably: 61.5% in 2016 to 87.4% in 2021.

Thinking more broadly, beyond the data we have collected, the last few years have posed significant challenges to cybersecurity teams, especially regarding COVID-19. With global shutdowns, many organizations had to alter their cybersecurity practices to accommodate a remote workforce. This meant an increased reliance on [virtual private networks] to securely protect data transferred over public internet connections and additional controls to protect assets/data that are no longer located within physical office buildings.

The challenges of COVID-19, combined with the increased persistence of phishing schemes and ransomware attacks, has required cybersecurity professionals to focus even more on educating the workforce on the importance of cybersecurity protective measures, as they tend to be the weakest link in an organization’s defenses.

In the course of your research, what was the biggest surprise?
Based on my previous industry experience, most of the key takeaways from this research were not overly surprising, but it was good to quantify the extent of the problem. If I had to say I was surprised in any way, it would probably be that some mid-sized and large companies still do not have a dedicated chief information security officer within their organization.

Based on data collected in 2020, around 35% of organizations earning more than $1 billion in revenue did not have a dedicated CISO. Companies of this size generally have several hundred to thousands of employees, and to not have a person whose sole job is to oversee cybersecurity is rather concerning.

This story originally appeared in UVA Today Sept. 7, 2021.

Find out about all the exciting things happening in the McIntire community. Visit our news page for the latest updates.

More News