Senior executives have much greater confidence in their organisation’s cybersecurity defences than security analysts working at the coalface, a report by network detection and response firm Vectra has found.

A global survey of 1,112 security professionals at mid to large-sized organisations using Microsoft Office 365 found that 71% of deployments had suffered an account takeover an average of seven times in the past year.

Such attacks occur when a cybercriminal gains access to a user’s account credentials. These details are often stolen in cyberattacks and then traded on criminal forums. Because many people reuse the same password across multiple services, malicious hackers can gain access to accounts with relative ease using credential stuffing. Once inside, the cybercriminal can launch further attacks including sending phishing emails under somebody else’s name.

When asked how confident they were at detecting 356 account takeovers, 35% of executives said they would be able to do so immediately. However, just 21% of those managing teams of security operations centre (SOC) analysts said they believed they could prevent such attacks immediately. Across varying timeframes of detection, senior management consistently had more confidence than analysts in their ability to detect account takeovers at speed.

“The tendency for managers to be significantly more confident that those working at the coalface suggests that there is a level of self-delusion going on here,” said Tim Wade, technical director of the CTO team at Vectra. “Perhaps it’s because the metrics that are being shared with senior management often focus more on the volume of attacks stopped rather than the severity of the attack or the number of investigations that reach a firm conclusion.

“Whatever the reason it’s important not to be complacent and remain constantly vigilant of new types of attacks.”

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Kevin Orritt, ICT security manager at Greater Manchester Mental Health NHS Foundation Trust, said the disconnect could be explained by senior management seeing security investment as a box-ticking exercise.

“While the investment is certainly welcome and helps us reduce risk, in reality it isn’t that simple,” he said. “We still need the people to be able to interpret and action the alerts and make sure that we’re actually measuring the right things.”

Multifactor authentication (MFA) is one way to limit the risk of such attacks. However, it is not a silver bullet, with techniques such as sim swapping an increasingly prevalent way to bypass MFA.

“We’re regularly seeing identity-based attacks being used to circumnavigate traditional perimeter defences like multi-factor authentication (MFA),” said Wade. “Account takeovers are replacing phishing as the most common attack vector and MFA defences are speed bumps, not forcefields.”

The account takeover concern most likely to keep Microsoft Office365 customers up at night is the theft of data stored in the cloud.

Other findings from the research show that identity-based attacks and IoT hacks are the two top security concerns among IT professionals for 2021.

The pandemic has accelerated cloud migration among organisations – for 88% of companies, according to Vectra – which means an increasing attack surface for cybercriminals. Meanwhile, some 58% of respondents believe the gap in cyber capabilities is widening between security professionals and cybercriminals.

Previous research by Vectra tracked four million Microsoft Office365 customers over a 90 day period, finding that 96% of networks showed signs of potentially suspicious activity.

Read more: 1 in 3 email hackers camp out in accounts for over a week

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up