Happy Nice Mall

Time is ticking: Fortune 500 companies find a serious vulnerability every 12 hours, while attackers take less than 45 minutes to do the same, scanning the vast expanse of the internet for vulnerable business assets.

Worse, bad actors proliferate, highly skilled IT professionals are a scarce resource, and the demand for contactless interactions, remote work arrangements, and agile business processes continues to expand cloud environments. All of this puts an organization’s attack surface—the collection of nooks and crannies hackers can spy on—at risk.

“We’ve seen a fairly consistent set of attacks against industries as diverse as healthcare, transportation, food supply and shipping,” says Gene Spafford, a professor of computer science at Purdue University. “With each of these things happening, awareness of cybersecurity has increased. People don’t see themselves as victims until something happens to them – that’s a problem. It is not taken seriously enough as a long-term systemic threat.”

Organizations must understand where critical entry points are in information technology (IT) environments and how they can reduce attack surface areas in an intelligent, data-driven way. Digital assets are not the only items at risk. An organization’s business reputation, customer loyalty, and financial stability hang in the balance of a company’s cybersecurity stance.

To better understand the challenges faced by today’s security teams and the strategies they must adopt to protect their companies, MIT Technology Review Insights and Palo Alto conducted a global survey of 728 business leaders. The responses from industry experts, along with their input, provide a critical framework for protecting systems against growing bad actors and fast-moving threats.

Vulnerabilities of a cloud environment

The cloud continues to play a critical role in accelerating digital transformation – and for good reason: the cloud offers significant benefits, including increased flexibility, huge cost savings, and greater scalability. Still cloud-based issues 79% Percentage of observed risks for internal assets compared to 21%, according to the “2021 Cortex Xpanse Attack Surface Threat Report”.

“The cloud is really another company’s computing and storage resources,” says Richard Forno, director of the graduate cybersecurity program at the University of Maryland, Baltimore County. “It’s right there, presenting security and privacy concerns to companies of all sizes.”

Even more worrying is that 49% of respondents report that by 2021, more than half of their assets will be in the public cloud. “Ninety-five percent of our business applications are in the cloud, including CRM, Salesforce, and NetSuite.” Noam Lang, senior director of information security at cybersecurity software company Imperva, cites popular subscription-based applications that manage customer relationship management. However, “while the cloud provides much more flexibility and easy growth,” it also “creates a major security challenge,” he adds.

Part of the problem is the unprecedented speed at which IT teams can run cloud servers. “The cadence we’re working on in the cloud makes it much more difficult from a security standpoint to keep track of all the necessary security upgrades,” Lang says.

For example, Lang says, in the past, deploying on-premises servers required a lengthy purchasing process, deployment activities, and time-consuming tasks such as configuring firewalls. “Imagine how much time our security teams take to prepare for new servers,” he says. “Once we decided to increase our infrastructure, it would have taken us weeks or months to actually bring any servers to life. But in today’s cloud environment, it only takes five minutes to change code. This allows us to move business much faster, but it also introduces new risks.”

Download full report.

This content is produced by Insights, the exclusive content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review.