IT Sector: No More Cyber-Confident Than the Rest
An email-borne attack with significant business impact is seen as likely by many technology companies this year. Here’s a look at their cyber risk and response.
Key Points
- IT companies’ near-term concern about email-borne attacks is among the highest of any sector, according to a 2022 Mimecast survey.
- The tech sector’s pivotal role in software supply chains, its free-flowing work environments and valuable intellectual property make it a target.
- The Mimecast survey details recent trends in email attacks, as the No. 1 threat vector, and how the IT sector is responding.
To hear someone in the construction or consumer products industry say they have fears about cybersecurity wouldn’t be surprising. After all, companies in these sectors have databases filled with sensitive customer data and a reputation for being “soft targets” — overmatched, in their technology skills, by cyberattackers who have many tricks at their disposal and seemingly nothing but time.
But with their deep reserves of technical talent, you might think that IT and tech companies would be more certain of their data protection and email security protocols, able to keep the phishers, spoofers and ransomware extortionists at bay.
Mimecast’s recent State of Email Security survey shows that the IT industry isn’t in nearly as good a position as one might think. In fact, 47% of companies in the sector say an email-borne attack producing a negative business impact is “extremely likely” to affect them at some point this year. That is the third-highest level of concern of the 11 industries that Mimecast surveyed. Only companies in the professional services sector, and in media, leisure and entertainment, are more worried.
Why IT Companies Are Vulnerable
IT, technology and telecom (the categories in this group) represent a broad sector. Some Big Tech companies, at one end of the spectrum, may be better secured against attack than a startup at the other end. But certain common characteristics of tech companies make them rich targets, including:
- Pivotal roles in software supply chains: A cybercriminal group doesn’t necessarily have to be targeting the tech company. It could be after the tech company’s customers, using one of its products as a delivery mechanism for its malicious code. This approach was seen in a number of major software supply chain attacks in 2021.[1]
- Tech sector’s emphasis on open, creative environments: The people at technology companies are in high demand and often resist bureaucracy. They don’t want to be told which devices they can’t use or which apps they can’t download. From a productivity standpoint, the freedom tech company employees are given is very valuable. From a cybersecurity standpoint, it can be problematic.[2]
- The value of their intellectual property (IP): Code or other assets of information companies can be a sort of grand prize if they are compromised. Attempts to steal or disrupt IP can come from competitors, state actors or insiders.
Cyberattacks Fuel IT Sector Concern and Action
The IT sector’s concerns about cyberattacks are rooted in recent experience — specifically, in the frequency with which the sector was targeted last year. Eighty percent of the IT, technology and telecom executives in Mimecast’s survey said the number of incoming email threats rose in the past 12 months — the highest percentage of any sector.
IT was also more likely than the average sector to face an impact from ransomware, a prime objective of email attacks. Three-quarters (74%) of tech companies paid some sort of ransom in an attempt to recover their data — the highest proportion of ransomware paid by any sector.
The report also shows tech companies working to counter attacks.
- Budget: Seventy-eight percent of tech companies devote 10% or more of their IT department’s dollars to cyber resilience — which is well above the average level of spending across sectors. A third of tech companies spend more than 20%.
- Defense in depth: More than half (57%) of technology companies have already deployed a system to keep employees from spreading email-borne attacks and data leaks throughout their organization in internal-to-internal emails. Across all sectors, such systems are quite a bit rarer (fewer than 47% of all companies use them).
- Artificial intelligence (AI): Sixty-three percent of tech respondents are using machine learning and AI to become better at threat detection and other aspects of cybersecurity. That’s well above the 46% average of companies overall who leverage these technologies.
Tech companies are also more apt than other sectors to do security-awareness training, and to integrate their cybersecurity platforms in order to automate, streamline and improve their efforts to combat threats, according to the report.
How IT Companies Can Minimize the Impact of Cyberattacks
There isn’t an IT-specific playbook for fending off cyberthreats. The National Institute of Standards and Technology’s Cybersecurity Framework lays out some best practices that organizations of every kind can use to strengthen their cyber resilience.[3] If you’re a cybersecurity executive in the tech industry, the following practices are especially important:
- Prioritize information assets. Not every piece of data is equally important. If your company helps businesses use AI and other advanced technologies, your software code may be the thing you most need to protect. A consumer-facing technology business, by contrast, may be most concerned about the vulnerability of its customer databases. Quantify the level of risk you are willing to take with your different assets. This is the first step in setting effective cybersecurity policies.
- Turn cybersecurity into an organization-wide responsibility. A lot of organizational vulnerability, in technology as well as other sectors, stems from employee mistakes — say, someone opening an infected email or visiting a spoofed website. You can reduce the incidence of these problems through awareness training — including in areas like phishing. Your outside contractors should get the same training if they represent points of vulnerability for you.
- Take an environment-wide view of cybersecurity. Companies tend to look for security holes in the last place they encountered them. That is understandable, but you need to look at your whole environment. Problems can be in your networks, in the data-sharing and coding that your programmers do in the cloud, in your email or endpoint security protocols — even in the way you handle physical security.
- Take a proactive, not reactive, approach to threats. It’s important to have incident response plans — covering business continuity and disaster recovery — but it’s even better if you never have to enact such plans in the first place. Track the spyware and the spoofs and the malware and the would-be ransomware attacks that come at you — most often via email. By becoming better at this kind of monitoring, you’ll be developing a capability in the crucial area of threat intelligence. It’ll help you stay out of trouble.
The Bottom Line
IT companies’ technology expertise doesn’t make them exempt from cyberattacks. On the contrary: Roughly half of the sector’s cybersecurity executives think a damaging email-borne attack is “extremely likely” to hit them in 2022. A new Mimecast survey underscores their level of concern and preparation.
[1] “Software Supply Chain Attacks Tripled in 2021,” Security Week
[2] “Global Cyber Executive Briefing: High Technology,” Deloitte
[3] “Organizational cyber maturity: a survey of industries,” McKinsey
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!