CRD #6

On supply chain vulns, cloud compromises, security UX, women in security, NIS2 & workforce stress.

Research highlights for security leaders from validated sources released between 1-7 October 2024, followed by a hyperlinked list of all monitored reports during the period.

We cut through the bias and marketing fluff to bring you relevant and objective insights backed by data and based on proper research.


Insurer: most third-party incidents in 2023 caused by just three vulnerabilities

Insurance data analysis by QBE Research shows that in 2023 over 75% of all reported third-party incidents were caused by just three major CVEs. Of these, 61% were attributed to the MOVEit vulnerability, followed by CitrixBleed (10%) and a Proself vulnerability (6%).

QBE Research also notes that, based on victims publicly listed on leak sites, ransomware levels in 2024 are forecast to increase only slightly compared to 2023 (from 4,700 to 4,800 victims). If the forecast holds, the lack of growth is a positive sign, given that ransomware incidents jumped nearly 50% from 2022 to 2023 (from around 3,000 to 4,700 cases).

Credential access remains top tactic for cloud compromise

Elastic Security Labs’ 2024 Global Threat Report emphasizes that credential access remains the leading tactic for compromising cloud services, driven by the expanding infostealer ecosystem and continued reliance on social engineering tactics (e.g. with fake logon sites).

The report calls on companies to implement pertinent defenses, such as regularly rotating exposed account credentials, establishing post-incident account reset processes, and applying user behavior analytics.

Sources of stress for cybersecurity professionals

ISACA's State of Cybersecurity report highlights the high pressures cybersecurity professionals face, with 66% of 1,800 respondents stating that their roles are more stressful than five years ago. An increasingly complex threat landscape is perceived as the main cause (by a significant margin; 81% of respondents), followed by factors such as low budgets, lack of staff skills or training, and cyber risk not being sufficiently prioritized.

An ever-changing and ever-growing threat landscape is also linked with the constant need to use more tools. For example, Red Canary points out that SOC teams are using over 90 security tools on average, and that most constantly struggle with turning threat intelligence into something actionable. Information overload, fear of missing critical alerts, and challenges in keeping pace with new threats are commonly reported stress factors across multiple studies. It should not be a surprise, then, that over 60% of cyber professionals are considering looking for a new job in the next 12 months, based on another survey of 1,200 IT professionals.

Companies questioning the NIS2 Directive

A survey of over 500 IT decision-makers from Western European medium and large enterprises reveals that compliance with the EU NIS2 Directive is considered a low priority, with 66% of respondents indicating they expect to miss the October 18th compliance deadline.

Lack of resources is seen as a major cause, as over 40% of respondents reported decreased security budgets since the Directive was agreed upon in January 2023. Additionally, respondents critical of NIS2’s value noted the perceived lack of consequences for non-compliance—though this remains to be seen in the years following the directive’s implementation.

Poor user experience with security leads to unsafe workarounds

Security protocols often create significant friction in employees’ digital experience. Ivanti emphasizes that CISOs need to have more say in their organisation's digital experience strategy development, highlighting that rigid security protocols can cause frustration, lower productivity or even be counter-productive.

The report shows that a significant number of employees in large organisations end up using unsafe shortcuts due to cumbersome security protocols, such as accessing work data from personal devices, using personal accounts for work communications and sharing data with unapproved solutions.

Understanding industry dynamics to increase female representation in cybersecurity

Through extensive qualitative and quantitative research—including a survey of 8,000 cybersecurity professionals across 10 countries—Deloitte and the Female Quotient released an in-depth study analyzing the state of women in cybersecurity. The study shows that, as of 2023, women make up 20-25% of the global cybersecurity workforce.

As women appear to consider a career in security less often than men (23% versus 35%), the report points out three core limiting factors according to young working women: 1) a strong perceived need for cybersecurity expertise and a deep technological background; 2) concern over whether a sufficiently inclusive culture exists within the industry; and 3) the need for fair and transparent compensation.


Reports monitored: 1-7 October 2024

To take a deeper dive into the topics most relevant for you, we've listed all the research reports that were published during the observed period.

| Title | Organisation(s) | Topic(s) |
|---|---|---|
| 2024 Elastic Global Threat Report | Elastic | threat intel / cloud / EDR / malware |
| The State Of Ransomware in Healthcare 2024 | Sophos | ransomware / healthcare |
| State of Cybersecurity 2024 report | ISACA | skills / HR |
| 2024 Deloitte-NASCIO Cybersecurity Study | Deloitte / NASCIO | US / gov / state CISO |
| Connected business: digital dependency fuelling risk | QBE Research | threat intel / strategic trends |
| 2024 Securing the Digital Employee Experience Report | Ivanti | security UX / AI / processes |
| Databarracks Data Health Check 2024 | Databarracks | strategic trends |
| Deepfake Fraud Doubles Down: 49% of Businesses Now Hit by Audio and Video Scams, Regula’s Survey Reveals | Regula Forensics w/ Sapio Research | deepfakes / fraud |
| 2025 Global Digital Trust Insights | PwC | digital trust |
| Travelers 2024 Risk Index | Travelers | insurance |
| 2024 Threat Intelligence Report | Nokia | threat intel / telcos |
| The Global State of CPS Security 2024: Business Impact of Disruptions | Claroty | cyber physical systems / financial impact |
| Identity Security Posture Management (ISPM) Survey Report | Anetac w/ Censuswide | identity |
| 2024 State of Threat Detection and Response: The Defenders’ Dilemma | Vectra AI | detection / response |
| 2024 Security Operations Trends Report | Red Canary w/ Coleman Parks | strategic trends / budget / concerns |
| THE BIGGEST Third-Party Risk in Manufacturing - 2024 Report | Black Kite | manufacturing |
| 2024 Cybersecurity Assessment Report | BitDefender w/ Censuswide | strategic trends / HR |
| CISO Compensation Benchmark Summary Report | IANS Research and Artico Search | CISO / compensation |
| POV Reimagined: Women in Cybersecurity | The Female Quotient and Deloitte Global | gender gap |
| 2024 Travelers Canada Risk Index | Travelers | Canada / general / insurance |

About

evisec's Cybersecurity Research Digest provides security leaders with verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.