One in three targeted attack attempts in the past 12 months led to a security breach, or about two- to three successful attacks per month for the average company.
This finding comes from a new Accenture report published today, entitled "Building Confidence: Facing the Cybersecurity Conundrum." Researchers surveyed 2,000 top security execs representing companies with annual revenue of $1B or more, to gauge their perceptions of cyber risk and the effectiveness of current security efforts and investments.
Enterprises experience about 106 coordinated attack attempts per year. And despite the high success rate of attacks, 75% of respondents say they can sufficiently defend their organizations. Seventy percent say their enterprise has a strong attitude towards cybersecurity.
This overconfidence, however, could be putting them at risk.
"We started seeing this paradox," says Kevin Richards, managing director of Accenture Security North America. "[Execs] were very confident, they thought they had a cybersecurity culture, but one-third of attacks were getting through."
Many businesses are ineffectively allocating their security budgets. The majority of respondents say internal breaches have the biggest impact; however, 58% prioritize developing perimeter security over focusing on high-impact insider threats.
There is a strong disconnect between current areas of focus, says Richards, and areas that could cause the greatest harm if breached. "Research painted a picture of how wide the gap is," he notes.
With larger budgets, 44- to 54% of respondents would "double down" on current priorities: protecting the organization's reputation (54%) and safeguarding business data (47%) and customer data (44%). Fewer would invest in efforts that affect the bottom line, like easing financial loss (28%) or improving cybersecurity training (17%).
Security pros are being out-innovated by the hackers targeting them. "We know how to write better code," says Richards. "We know which assets are important to us; we know where important data elements are. We can protect those."
The problem is, attackers can innovate faster because they don't have business obstacles like reporting cycles, budgets, and audit replies impeding their progress. Speeding time-to-market also pushes employees to deliver products without verifying security.
Security experts need to "out-innovate" their adversaries, says Ryan LaSalle, managing director of growth and strategy at Accenture Security. "As they up their game from an innovation perspective, we have to, too."
Going forward, execs' confidence will change as businesses have more frank discussions about their risks, defenses, and ability to mature their security programs, he says. Their goals should be less about eliminating risk and more about understanding it.
There are several measures organizations can take to improve their security posture so they understand risk and know what they need to do to combat it.
Security and business execs need to work more closely together. Corporate leaders are aware of various enterprise risks -- competitive, portfolio, operational, environmental -- but they don't always know about cyber risk, LaSalle says.
As business and security departments mature, this becomes more important. CEOs, CFOs, and COOs don't yet fully understand cyber risk, but they want to.
"Security teams need to articulate business exposure to a technical flaw," agrees Richards. "They need to educate the business impacts of cybersecurity challenges to the board and the C-suite. [Security] needs to start at the top and work its way down."
He also recommends pressure-testing the organization to find vulnerabilities before hackers do.
"Swing at it like a real attacker," he emphasizes. Screening technologies, while helpful, won't provide the same insight. "Attack it the way a human attacks it. Because then you know."