Attacks/Breaches

11/2/2016
12:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Business Security Confidence Contradicts High Success Rate Of Attacks

Research indicates one in three cyberattacks results in a security breach, but most organizations are confident in their defense tactics.

One in three targeted attack attempts in the past 12 months led to a security breach, or about two- to three successful attacks per month for the average company.

This finding comes from a new Accenture report published today, entitled "Building Confidence: Facing the Cybersecurity Conundrum." Researchers surveyed 2,000 top security execs representing companies with annual revenue of $1B or more, to gauge their perceptions of cyber risk and the effectiveness of current security efforts and investments.

Enterprises experience about 106 coordinated attack attempts per year. And despite the high success rate of attacks, 75% of respondents say they can sufficiently defend their organizations. Seventy percent say their enterprise has a strong attitude towards cybersecurity.

This overconfidence, however, could be putting them at risk.

"We started seeing this paradox," says Kevin Richards, managing director of Accenture Security North America. "[Execs] were very confident, they thought they had a cybersecurity culture, but one-third of attacks were getting through."

Many businesses are ineffectively allocating their security budgets. The majority of respondents say internal breaches have the biggest impact; however, 58% prioritize developing perimeter security over focusing on high-impact insider threats.

There is a strong disconnect between current areas of focus, says Richards, and areas that could cause the greatest harm if breached. "Research painted a picture of how wide the gap is," he notes.

With larger budgets, 44- to 54% of respondents would "double down" on current priorities: protecting the organization's reputation (54%) and safeguarding business data (47%) and customer data (44%). Fewer would invest in efforts that affect the bottom line, like easing financial loss (28%) or improving cybersecurity training (17%).

Security pros are being out-innovated by the hackers targeting them. "We know how to write better code," says Richards. "We know which assets are important to us; we know where important data elements are. We can protect those."

The problem is, attackers can innovate faster because they don't have business obstacles like reporting cycles, budgets, and audit replies impeding their progress. Speeding time-to-market also pushes employees to deliver products without verifying security.

Security experts need to "out-innovate" their adversaries, says Ryan LaSalle, managing director of growth and strategy at Accenture Security. "As they up their game from an innovation perspective, we have to, too."

Going forward, execs' confidence will change as businesses have more frank discussions about their risks, defenses, and ability to mature their security programs, he says. Their goals should be less about eliminating risk and more about understanding it.

There are several measures organizations can take to improve their security posture so they understand risk and know what they need to do to combat it.

Security and business execs need to work more closely together. Corporate leaders are aware of various enterprise risks -- competitive, portfolio, operational, environmental -- but they don't always know about cyber risk, LaSalle says.

As business and security departments mature, this becomes more important. CEOs, CFOs, and COOs don't yet fully understand cyber risk, but they want to.

"Security teams need to articulate business exposure to a technical flaw," agrees Richards. "They need to educate the business impacts of cybersecurity challenges to the board and the C-suite. [Security] needs to start at the top and work its way down."

He also recommends pressure-testing the organization to find vulnerabilities before hackers do.

"Swing at it like a real attacker," he emphasizes. Screening technologies, while helpful, won't provide the same insight. "Attack it the way a human attacks it. Because then you know."

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.