Attacks/Breaches
3/16/2015 05:15 PM
Most Companies Expect To Be Hacked In The Next 12 Months

Security spending increases, while confidence in stopping cyber attacks decreases, new report shows.

Enterprises are getting hacked regularly, and repeatedly: last year, more than 70% of organizations surveyed say they suffered a successful cyberattack, with 22% of them hit six or more times.

That first-hand experience apparently provides the backdrop for a drop in confidence, too: most security professionals no longer believe they can stop attacks on their organizations. Some 52% of security professionals surveyed in a new report from CyberEdge Group say their organizations will likely be successfully hacked in the next 12 months. That's an increase over 2013, when 39% were resigned to getting hacked, the report says.

"Security is finally waking up to the new reality that's more of a question of 'when' than 'if,'" says Steve Piper, CEO of CyberEdge Group, which provides research, marketing, and publishing services for various security vendors and service providers. "For the first time, a majority believe they will be victimized in the next 12 months. I predict this number is going to increase in the years ahead," too, he says.

Not surprisingly, attacks went up: in 2013, 62% of organizations said they had been hit, with 16% hit six or more times.

Meanwhile, security spending is inching upward: 62% of the security pros say their budgets will rise this year, up from 48% saying the same last year. Security funds make up on average 6-10% of the IT budget, while security makes up 16% or more of the IT budget in one in five organizations.

John Pironti, president of IP Architects, LLC, says the security spending trend is still very much thanks to compliance requirements. "We absolutely fear the auditor more than the hacker," says Pironti, who next month at Interop will present a talk on what's next in security and risk management. "It all comes down to compliance spending. The more [regulatory and compliance requirements], the higher you see the security budget spend."


Interestingly, the number of organizations with BYOD policies remained flat, at about 30%, with around 45% planning to roll out a secure BYOD plan in the next one to two years, down from 48% in 2013, the report found. "I would have expected that figure to go up. It actually held steady," Piper says. "The only thing we can suspect here is that the volume and sophistication of threats and high-profile attacks have caused CISOs to delay adoption of BYOD policies."

Setting a BYOD policy isn't so straightforward, of course. "In order to do it, you have to come to terms with a balance: the end user will always have final say on that device, no matter how many containers you put out there," IP Architects' Pironti says. Some organizations are looking at a more hybrid mobile policy, he says, with corporate-issued devices used when more sensitive applications, such as corporate apps, are involved.

Meanwhile, many organizations are disillusioned with traditional endpoint security products, with 67% saying they were evaluating their endpoint anti-malware software, to either augment or replace them altogether. That's up from 56% in 2013. "Two-thirds of them are looking to augment or replace their existing endpoint defenses," says Piper, whose report was sponsored by Blue Coat Systems, Citrix, NetIQ, PhishMe, Tenable Network Security, ThreatTrack Security, Webroot, CloudLock, Cylance, Endgame, iSIGHT Partners, and Triumfant.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli, User Rank: Ninja, 4/4/2015 | 8:01:44 PM
Re: Is it 'Game Over'? In my mind, no
Two points: 1) Obviously, if a breach has occurred, it's difficult to determine exactly what data has been "taken" -- so you have to assume that everything accessed or accessible has all been compromised, and 2) whether or not the data was "taken," if it was viewed or otherwise accessed, there are still compliance/regulatory issues to address -- regardless of what the actual facts are about what data was "taken"/recorded by the breacher.
Joe Stanganelli, User Rank: Ninja, 4/4/2015 | 7:58:56 PM
Re: Break the CISO Role in Two
My philosophy is that it's all a matter of risk assessment, and therefore one ought to take a holistic approach to both technical compliance and actual security. At the end of the day, it's all a matter of risk and ROI. Neither should be ignored, but both should definitely be viewed through the scope of the needs of the whole organization.
Kelly Jackson Higgins, User Rank: Strategist, 3/19/2015 | 4:35:31 PM
Re: Is it 'Game Over'? In my mind, no
Good point, @xmarksthespot. The study didn't specify DATA breach, but a breach of network or systems. We don't know about stolen information per se. 
ODA155, User Rank: Ninja, 3/19/2015 | 2:42:09 PM
Re: Break the CISO Role in Two
I stand corrected. Have a good one.
Paladium, User Rank: Moderator, 3/19/2015 | 2:40:54 PM
Re: Break the CISO Role in Two
So far we are tracking. I was implying that the "General" was the Cyber Security Officer and he/she was a fully trained and deeply experienced Sr. Cyber Security Professional. They actually have a clue!!
ODA155, User Rank: Ninja, 3/19/2015 | 1:41:14 PM
Re: Break the CISO Role in Two
I agree, IT Security and Compliance should be separate departments AND neither should report up through the CIO, as is becoming the common thing to do. Working together with IT, sitting (physically) with IT is fine, but to keep objectivity in reporting and deciding what is best for the company they need to report to the same person as the CIO or someone of equal ranking.

But, I would go a step further to say that there should be a third "peer" added to that mix, internal audit. If you have people who understand how to look at the business systems and configurations and what security measures/processes have been put into place there, and who also understand what the compliance regulations are for those business systems and what levels of security are acceptable, and if that is articulated properly, then the company should be golden, or they should at the very least know what their problems are and what they need to do to address them. And keeping these three departments separate from IT would mean that everything should not have to come from the IT budget. Security and compliance should have their own budgets, because how many times have we all seen security recommend something and IT says no because they don't want to pay for it... but if security, compliance and audit could be involved in the development of these systems then some of those costs could possibly be charged off to the business as requirements.

One last thing, security and compliance were not always under the same hat; this only came about because CISOs and CIOs knew that sometimes the best way to get the funding for something security related was to play the "compliance card" when neither had the budget nor the horsepower to get it done, so senior management said, OK, then we'll lump the two of you together and let you share a budget.

"You want the cyber war won?  Put a General trained in cyber security warfare in charge, not a compliance or risk weeny!"

After 22 years of service, been there, done that, got the tee-shirt. In my opinion, that's the LAST thing we need... another high level diva playing high level diva games... besides, that's probably what someone said about the "War on Drugs", and how's that working out?
xmarksthespot, User Rank: Apprentice, 3/19/2015 | 2:02:40 AM
Is it 'Game Over'? In my mind, no
Highlighting the uphill battle facing security professionals is important, and this article does that well.

Statistics can show one thing but be misleading. "70% of organizations say they suffered a successful cyberattack". If I took it at face value, meaning '70% of all the companies I do business with lost all my personal data to organized crime', I would immediately build a bunker in Alaska right now, and wait out the end. I think the definition of 'successful cyberattack' should be clarified. Breach disclosures are mandated by laws in every state, and if 70% of all organizations needed to report breaches, the daily newspaper would be an inch thick the whole year, with the reported breaches.

Methodologies for information security are sound. They work well at many companies. Unfortunately, many companies, some of them in the 'too big to fail' category, can't get it right. Generally speaking, improperly protected ones will suffer large financial consequences for breaches.

I believe that what the report really means by 'successful cyberattack' might be that a hacker got into at least one computer, and may not have stolen anything. The definition may have been left up to the cyber-security professional taking the survey. If you include small breaches with no loss of data, sure the number's going to be huge.

It's not 'game over' when a foothold is gained. It's only 'game over' when personally identifiable information or a significant amount of other valuable data is exfiltrated, in my mind.

That's what defense-in-depth is for; the attacker was stopped at their foothold by defense in depth. Encrypted network communications, encrypted data, network segmentation, hardened hosts throughout.

If I heard that 97% of companies suffered a successful endpoint breach with no loss of personally identifiable information (PII) or business data, I would deem that a rousing success.
Paladium, User Rank: Moderator, 3/18/2015 | 5:57:22 PM
Break the CISO Role in Two
As the author states, most security budgets are unfortunately tied directly to compliance requirements. Since compliance standards are NOT security frameworks, the hacks will continue until morale improves!

In other articles here on Dark Reading authors have suggested that the current security model is broken, or that Security Operations is at fault for the many, many security breaches over the past couple of years.  I see it far, far differently.

Riddle me this, Batman.... When will compliance and security be broken into two separate, but equal peer roles?

The days of the traditional CISO are over and insisting on keeping them creates real added risk to organizations due to the existential cyber threat we face today.  They are not prepared! (yes, there are rare exceptions...)

Decouple compliance from security and make them peers.  Break the role into Operational Risk Officer and Cyber Security Officer, both reporting to sr. executive leadership, both with direct board access, and both with separate budgets.

Until we decouple cyber from compliance, 1) cyber will continue to suffer across the board, 2) be restricted to only compliance driven security requirements instead of real cyber security frameworks, and 3) companies will continue to have their cyber security run by compliance people that have zero clue into the world of true cyber security, resulting in more breaches and more finger pointing.

You want the cyber war won? Put a General trained in cyber security warfare in charge, not a compliance or risk weeny!

Rgr Out!


(Let the flaming begin....)
ODA155, User Rank: Ninja, 3/18/2015 | 4:45:37 PM
Re: Good.
I have two things to comment on...
"Most Companies Expect To Be Hacked In The Next 12 Months"
OK... so the question is what are they doing to "lessen" the impact, because like AA, admitting that you have a problem is the first step.

...and...

"Security is finally waking up to the new reality that's more of a question of 'when' than 'if,'" says Steve Piper, CEO of CyberEdge Group..."
I don't think anyone has been sleeping, especially not security, but more attention is always paid to the business versus anything that doesn't make money...
Joe Stanganelli, User Rank: Ninja, 3/18/2015 | 8:24:03 AM
Re: Good.
Well, there's only so much you can do to cure stupid...  ;)