"We Know Our Products"

7 Uncomfortable Truths of Endpoint Security

4 April 2019 - A report released by Sophos reveals that IT managers are more likely to catch cybercriminals on their organization's servers and networks than anywhere else.

The report is a result of an independent survey of 3,100 IT managers commissioned by Sophos. The resulting paper reveals the experiences, concerns and future plans of organizations in 12 countries and six continents. It provides deep insight into the day-to-day challenges IT teams face securing their organizations against cyberattacks, as well as their experiences with endpoint detection and response (EDR) technologies.

The Survey

U.K.-based research house Vanson Bourne interviewed 3,100 IT decision makers between December 2018 and January 2019. To provide a representative size split within each country, respondents were split equally between 100 to 1,000 user organizations and 1,001 to 5,000 user organizations.

Sophos survey respondent analysis

Truth #1: It is now the norm to be a cyberattack victim

More than two-thirds (68%) of organizations say they were hit by a cyberattack in the last year. Larger organizations suffered more attacks (73%) than smaller ones (63%). There are two likely reasons for this difference :

Of course, these are just the attacks that organizations have discovered. The actual number could well be higher.

The key takeaway here is that everyone should assume that they will be victim of a cyberattack. Start from this position when planning and evaluating your security strategy, rather than assuming that threats won't get through or you will evade the attention of attackers.

Truth #2: IT teams lack visibility into attacker dwell time

We asked organizations how long it took to discover the most significant cyberattack in the last year. For those that knew the answer, the average was 13 hours.

Clearly 13 hours is a huge amount of time for a hacker to have uninterrupted access to your systems and data. In this amount of time, a cybercriminal can wreak significant damage, including exfiltrating sensitive data, stealing credentials, installing money-stealing Trojans, installing ransomware, and more.

The time it takes to discover threats varies from country to country: Australia, Brazil and Canada are quickest, taking 10 hours on average; while at the other end of the spectrum, Japanese IT teams take on average 17 hours.

Sophos survey time to detect threat

Thirteen hours is just the tip of the iceberg

While 13 hours is a long time, it is important to remember this this is actually a best-case scenario.

Furthermore, the average dwell time of 13 hours cited by the 1,744 survey respondents who knew how long the threat was in their organization's environment before it was detected may at first glance seem incongruous with other research, such as the Verizon Data Breach Investigations Report, which states that 68% of data breaches take months or longer to discover. This difference in data is hugely illuminating and provides deeper understanding into the realities facing organizations that do not currently have a robust dedicated threat detection and response team.

Truth #3: IT teams can't plug their security gaps because they don't know what they are

A key element of an effective security strategy is to stop threats from getting into the organization in the first place. Yet one in five IT managers are unaware how their most significant cyberattack entered their organizations. As a result they are unable to protect these entry points.

Sophos survey cyberattach awareness

Larger organizations are more likely to know how threats got in than smaller ones. This is likely due both to having more skilled resources and more comprehensive cybersecurity solutions than smaller companies. Often smaller organizations simply don't have the resources or expertise to investigate what happened during an attack – instead, they just focus on cleaning it up. Cybercriminals target organizations of every size. However, the inability of smaller companies to identify their security holes means they are more vulnerable.

Truth #4: Organizations lose 41 days each year investigating non-issues

Organizations spend, on average, four days a month investigating potential security issues, or 48 days a year. However only 15% turn out to be actual infections. As a result, organizations are spending 85% of the time investigating non-issues, equivalent to around 41 days each year. This clearly has significant financial and productivity implications :

This huge inefficiency also helps explain why the most desired EDR feature is identification of suspicious events. By having effective tools in place to help organizations identify what is suspicious, they can focus their limited resources in the right places, rather than searching for needles in a haystack.

Truth #5: Four out of five organizations are struggling with threat detection and response due to lack of security expertise

Lack of security expertise in the face of these threat challenges is a major issue. With 80% of IT managers admitting they wish they had a stronger team in place to properly detect, investigate, and respond to security incidents, it's clear that organizations are flying blind due to a shortage of cybersecurity skills.

Sophos survey lack of security expertise

There is a marked difference in desire for a stronger team between organizations that were hit by a cyberattack (85% want a stronger team) and those that weren't (71% want a stronger team). This suggests that those organizations that have suffered a cyberattack show greater awareness, both of their own lack of security expertise (they've learned the hard way that threats can get through their defenses) and of the challenges in stopping today's advanced attacks and the need for specialist cybersecurity skills to address them.

Unfortunately, addressing this shortage of skills is no easy task. While organizations recognize they need better help, bringing that help into the business is another matter. A full 79% of respondents agree that cybersecurity recruitment is a challenge. In this light, putting the teams they need in place is an uphill battle, and organizations will have the lean on technology such as artificial intelligence to fill in the gaps.

Truth #6: More than half of organizations don't see the value of their EDR solutions

EDR has swiftly become must-have technology. More than nine out of 10 IT managers surveyed (93%) either have or plan to have EDR in their security arsenals. Of those respondents who don't currently have EDR, a massive 89% plan to add it to their defenses, with 61% planning to do so within the next six months. In light of the earlier revelations about time spent investigating security incidents and the lack of visibility into the threat chain, these EDR plans make a lot of sense.

Interestingly, we see almost equal demand for EDR from both smaller and larger organizations. EDR is clearly no longer exclusive to big enterprises, but rather a tool for all.

Sophos survey EDR adoption plan

In all countries other than Japan, at least 8 in 10 organizations without EDR technology plan to add it. India tops the list with 99% of organizations that don't currently have EDR planning to add it, closely followed by Australia (97%), the U.S. and Brazil (both 95%). However in Japan just one in three (34%) organizations without EDR technology plan to add it to their security defenses.

Truth #7: Once bitten, twice shy – cyber victims learn the hard way

The survey revealed very distinct differences in some areas between those who had been victims of a cyberattack and those who had avoided hackers. Organizations that fell victim to a cyberattack in the last year are :

Sophos survey after cyberattack

There are likely a few factors at play here :

  1. They’ve dialed up their security following the incident. Victims will likely have a much greater appreciation of the impact of cyberattacks and are willing to dedicate more time, effort, and resources to stopping them.
  2. They have limited visibility into their environment. Poor cyber defenses mean more threats get through and they have less ability to look into them. As a result, they have more potential incidents to investigate, with less tools to do so, which takes more time.
  3. They’re more aware of what to look for. As a result of suffering an attack, these organizations are more conscious of the signs that should make them suspicious.


Cybersecurity is an ever-present challenge for organizations of all sizes across the globe. In this light, there are several important points we can take from the experiences of 3,100 IT managers across 12 countries and six continents.

First, when planning their cybersecurity strategies, organizations should start from the assumption that a threat will make its way through their defenses. While doing so, they should also be mindful of the limitations to their visibility into threats and their resulting inability to identify – and block – the gaps in their security armor.

Second, the vast majority of organizations see EDR as an integral part of their security strategies. This is no surprise; EDR is an effective tool to address a number of the challenges highlighted in the survey. At a time when cybersecurity skills are in short supply, an intelligent EDR solution can provide the threat insight and expertise needed to stay ahead of threats.

However, as the survey revealed, simply purchasing EDR is not enough. For far too many organizations, their investments in EDR turn out to be money wasted as they are unable to take full advantage of their EDR solutions. To avoid falling into this trap, every organization should fully consider both the capabilities and usability of an EDR solution before adding it to their security arsenal.