Attacks/Breaches
11/2/2016
12:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Business Security Confidence Contradicts High Success Rate Of Attacks

Research indicates one in three cyberattacks results in a security breach, but most organizations are confident in their defense tactics.

One in three targeted attack attempts in the past 12 months led to a security breach, or about two- to three successful attacks per month for the average company.

This finding comes from a new Accenture report published today, entitled "Building Confidence: Facing the Cybersecurity Conundrum." Researchers surveyed 2,000 top security execs representing companies with annual revenue of $1B or more, to gauge their perceptions of cyber risk and the effectiveness of current security efforts and investments.

Enterprises experience about 106 coordinated attack attempts per year. And despite the high success rate of attacks, 75% of respondents say they can sufficiently defend their organizations. Seventy percent say their enterprise has a strong attitude towards cybersecurity.

This overconfidence, however, could be putting them at risk.

"We started seeing this paradox," says Kevin Richards, managing director of Accenture Security North America. "[Execs] were very confident, they thought they had a cybersecurity culture, but one-third of attacks were getting through."

Many businesses are ineffectively allocating their security budgets. The majority of respondents say internal breaches have the biggest impact; however, 58% prioritize developing perimeter security over focusing on high-impact insider threats.

There is a strong disconnect between current areas of focus, says Richards, and areas that could cause the greatest harm if breached. "Research painted a picture of how wide the gap is," he notes.

With larger budgets, 44- to 54% of respondents would "double down" on current priorities: protecting the organization's reputation (54%) and safeguarding business data (47%) and customer data (44%). Fewer would invest in efforts that affect the bottom line, like easing financial loss (28%) or improving cybersecurity training (17%).

Security pros are being out-innovated by the hackers targeting them. "We know how to write better code," says Richards. "We know which assets are important to us; we know where important data elements are. We can protect those."

The problem is, attackers can innovate faster because they don't have business obstacles like reporting cycles, budgets, and audit replies impeding their progress. Speeding time-to-market also pushes employees to deliver products without verifying security.

Security experts need to "out-innovate" their adversaries, says Ryan LaSalle, managing director of growth and strategy at Accenture Security. "As they up their game from an innovation perspective, we have to, too."

Going forward, execs' confidence will change as businesses have more frank discussions about their risks, defenses, and ability to mature their security programs, he says. Their goals should be less about eliminating risk and more about understanding it.

There are several measures organizations can take to improve their security posture so they understand risk and know what they need to do to combat it.

Security and business execs need to work more closely together. Corporate leaders are aware of various enterprise risks -- competitive, portfolio, operational, environmental -- but they don't always know about cyber risk, LaSalle says.

As business and security departments mature, this becomes more important. CEOs, CFOs, and COOs don't yet fully understand cyber risk, but they want to.

"Security teams need to articulate business exposure to a technical flaw," agrees Richards. "They need to educate the business impacts of cybersecurity challenges to the board and the C-suite. [Security] needs to start at the top and work its way down."

He also recommends pressure-testing the organization to find vulnerabilities before hackers do.

"Swing at it like a real attacker," he emphasizes. Screening technologies, while helpful, won't provide the same insight. "Attack it the way a human attacks it. Because then you know."

Related Content:

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.