ESG Blogs

According to ESG research, 62% of organizations were poised to increase spending on cybersecurity in 2020. Thirty-two percent of survey respondents said they would invest in cybersecurity technologies using AI/ML for threat detection, followed by data security (31%), network security (30%), and cloud application security (27%).

Of course, that was back in the innocent and carefree days before COVID-19. Have things changed?  Yes, and seemingly overnight. Like society at large, the cybersecurity world's priorities, strategies, and tasks have been turned upside down.

With ransomware a top security concern for most cybersecurity teams, the cost of cybersecurity insurance is making its way into the annual budgeting process for CFOs around the globe. While ransomware is not a new cyber-threat, largely entering the cybersecurity scene in 2016 and 2017 with high-profile attacks, research conducted by ESG reveals that a majority of organizations continued to experience ransomware attacks in 2019, representing a concern for both business and IT leadership.[1]

It’s 2020, yet many organizations still depend upon a myriad of disparate point tools for security operations, leading to many challenges. According to ESG research:

• 35% of cybersecurity professionals say that the biggest challenges associated with managing an assortment of point tools is that it makes security operations complex and time consuming.

RSA 2020 had an uninvited guest, Covid-19. Fist bumps replaced handshakes while hand sanitizing stations seemed ubiquitously stationed throughout the Moscone Center. Attendance seemed to be down due to factors like the virus panic and the withdrawal of major players like AT&T, IBM, and Verizon. 

While lots of people pulled back, the ESG team was in full attendance. Here are a few of our observations and thoughts on RSA 2020:

With RSA Conference 2020 now in the rearview mirror, my colleague John Grady and I discuss the theme of the conference in this video blog, the human element. After acknowledging the importance of community, we explore how the emergence of software-defined perimeters (SDP) will help secure a variety of user access use cases. We also discuss how the broad adoption of cloud services is necessitating a retooling of identity and access management programs from SSO to MFA, privileged access management, and user activity analytics. We wrap-up noting how much we enjoyed seeing so much of our community at our annual ESG Breakfast at RSA Conference event.

Introducing ESG’s Modern Email Security Video Series

As part of my ongoing research around modern email security, I am shooting a series of video interviews with leaders from several email security solution providers, talking about the current email threat landscape and strategies to defend against them. My goal is to make these educational, explaining what’s happening on both the attacker side and the defender side.

As part of the ESG annual IT spending intentions research for 2020, respondents were asked to identify the area where their organizations have a problematic shortage of skills. Cybersecurity topped the list of problematic skills shortage areas, just as it has for the past 9 years.

ESG research shows that cybersecurity training can help reduce cyber-attacks. Our research also shows that awareness training is not considered as effective as many other security services.

Join Jon Oltsik and Christina Richmond for a discussion on why we must continue training our non-technical employees how to spot phishing and business email compromise (BEC) attacks and how we must strive to engage the entire company culture in the belief that cybersecurity is all of our responsibility. 

Accenture announced today that it has agreed to acquire Symantec's Cyber Security Services (CSS) business from Broadcom. This is big news for both Accenture and Symantec. 

Today’s announcement of Mimecast acquiring Segasec should help companies close another important gap in the race against the rampant phishing and credential theft attacks.

As Mimecast builds out their Email 3.0 strategy, the acquisition of Segasec will put the heat on bad actors who are busy stealing credentials by impersonating many of the world's biggest companies. With so many phishing attacks attempting to lead users to fake or impersonated web sites where they unknowingly give up login credentials and other sensitive information, many of the largest online companies become the biggest targets.

Mimecast continues to extend their email security platform to protect against the growing email-led threat vector. While many email security companies have implemented filtering techniques to detect and slow down url and domain spoofing, impersonation sites have been left unattended. Segasec’s subscription service proactively hunts down impersonation sites and shuts them down. This is kind of like going after the drug dealer’s home instead of the drug user. To accomplish this, Segasec continuously monitors domain name registrations, certificates, social networks, and more, looking for indications of impersonation. And when they find them, they have several methods of blocking access or taking down the impersonated sites.