Impact of organizational structure on ransomware outcomes: Where does your org fit in?
How is your security team organized, and does it affect the quality of cybersecurity outcomes? If a recent report from cybersecurity firm Sophos is correct, it turns out that how security teams fit within an organization can impact outcomes, particularly around things like ransomware.
To gather the data for Sophos’s report, Impact of Organizational Structure on Cybersecurity Outcomes, the company commissioned a vendor-agnostic survey of 3,000 IT and cybersecurity professionals who worked at organizations with 100 to 5,000 employees within 14 countries. Part of the survey evaluated the relationship between security team structure and security outcomes and, if so, what structure yielded the best results.
While the organizational setups Sophos examined didn’t gather who the security team reports to, it provides a good sense of how the organizations’ reporting structures are set up. The three models evaluated by Sophos:
Model 1: The IT team and the cybersecurity team are separate organizations (1,212 respondents were in this category)
Model 2: A dedicated cybersecurity team is part of the IT organization (1,529)
Model 3: There is no dedicated cybersecurity team; instead, the IT team manages cybersecurity (250)
It does come as a surprise that organizations with no dedicated cybersecurity team didn’t experience, broadly, the poorest ransomware attack outcomes.
Sophos created three main areas to evaluate the impact of security team structure on the effects of ransomware: propensity to experience an attack, recovery operations, and business impact:
Model 1 Reported the poorest outcomes in all three areas, with those adopting model 2
reporting the best overall ransomware experiences and never reporting the worst.
Regarding the propensity to experience an attack, Model 1 organizations reported the highest rate of ransomware attacks, with 72% of respondents saying that their
organization was hit in the last year. Conversely, model 3 organizations with no
dedicated cybersecurity team reported the lowest attack rate, with “just” 56% being hit by ransomware. Model 2 organizations are between the two, with 63% reporting an attack in the last year. Interestingly, the root cause of the attack varied by organization structure:
What are some positive reasons for this finding? Perhaps when IT and cybersecurity teams are more tightly integrated, there’s better collaboration and centralized visibility than when they are separate. It suggests that some companies with “DevSecOps” processes will have the best outcomes because these teams learn how to work well together, and their toolsets will have better integration in some instances.
Interestingly, model 3 companies, those with no security team whatsoever, had the fewest ransomware attacks. This probably has nothing to do with organizational structure. Instead, these organizations will tend to be smaller and, in most cases, have a smaller IT footprint. In many cases, these organizations fly under the radar of ransomware operators.
There are also some interesting findings when it comes to how attackers initially infiltrate companies based on how they are organized:
Model 1: Almost half of attacks (47%) started with an exploited vulnerability, while 24% resulted from compromised credentials.
Model 2: Exploited vulnerabilities (30%) and compromised credentials (32%) were almost equally likely to be the root cause of the attack.
Model 3: Almost half of the attacks (44%) started with compromised credentials and just 16% with an exploited vulnerability.
Model 1 organizations had more attacks that began with exploited software vulnerabilities. This indicates that these organizations had a lot of software flaws exposed to the internet that were easy to manipulate. It is easier to exploit than to phish for credentials or use credentials already stolen. In organizations where IT and security are embedded, the initial infiltration credentials were almost identical at 30% for software vulnerabilities and 32% for compromised credentials.
Finally, the data shows that ransomware threat actors tend to be able to encrypt organizations regardless of how their security team is structured. It didn’t matter if it was model 1, model 2, or model 3: threat actors managed to encrypt targeted data roughly 70% of the time, with the specifics being 79% for model 1, 73% for model 2, and 76% for model 3.
The report shows that organizations with a dedicated cybersecurity team within the IT team (Model 2) reported better overall cybersecurity outcomes compared to organizations with separate IT and cybersecurity teams (Model 1). Specifically, Model 2 organizations were better able to recover from ransomware attacks using backups, and paid lower ransom amounts, and experienced less business/revenue impact.
This suggests that the integrated Model 2 structure facilitates better collaboration, shared responsibilities, and a more unified approach to implementing security best practices across the IT environment.
While not certain, we could reasonably infer that this improved coordination and alignment in Model 2 organizations may also extend to consistently implementing preventive security controls like MFA across the IT infrastructure. However, the report found that all organizational models faced challenges in core security operations tasks like threat detection and remediation, indicating a potential need for additional expertise regardless of structure.