Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

11/2/2016
12:40 PM

Business Security Confidence Contradicts High Success Rate Of Attacks

Research indicates one in three cyberattacks results in a security breach, but most organizations are confident in their defense tactics.

One in three targeted attack attempts in the past 12 months led to a security breach, or about two to three successful attacks per month for the average company.

This finding comes from a new Accenture report published today, entitled "Building Confidence: Facing the Cybersecurity Conundrum." Researchers surveyed 2,000 top security execs representing companies with annual revenue of $1B or more, to gauge their perceptions of cyber risk and the effectiveness of current security efforts and investments.

Enterprises experience about 106 coordinated attack attempts per year. And despite the high success rate of attacks, 75% of respondents say they can sufficiently defend their organizations. Seventy percent say their enterprise has a strong attitude towards cybersecurity.

This overconfidence, however, could be putting them at risk.

"We started seeing this paradox," says Kevin Richards, managing director of Accenture Security North America. "[Execs] were very confident, they thought they had a cybersecurity culture, but one-third of attacks were getting through."

Many businesses are ineffectively allocating their security budgets. The majority of respondents say internal breaches have the biggest impact; however, 58% prioritize developing perimeter security over focusing on high-impact insider threats.

There is a strong disconnect between current areas of focus, says Richards, and areas that could cause the greatest harm if breached. "Research painted a picture of how wide the gap is," he notes.

With larger budgets, 44% to 54% of respondents would "double down" on current priorities: protecting the organization's reputation (54%) and safeguarding business data (47%) and customer data (44%). Fewer would invest in efforts that affect the bottom line, like easing financial loss (28%) or improving cybersecurity training (17%).

Security pros are being out-innovated by the hackers targeting them. "We know how to write better code," says Richards. "We know which assets are important to us; we know where important data elements are. We can protect those."

The problem is, attackers can innovate faster because they don't have business obstacles like reporting cycles, budgets, and audit replies impeding their progress. Speeding time-to-market also pushes employees to deliver products without verifying security.

Security experts need to "out-innovate" their adversaries, says Ryan LaSalle, managing director of growth and strategy at Accenture Security. "As they up their game from an innovation perspective, we have to, too."

Going forward, execs' confidence will change as businesses have more frank discussions about their risks, defenses, and ability to mature their security programs, he says. Their goals should be less about eliminating risk and more about understanding it.

There are several measures organizations can take to improve their security posture so they understand risk and know what they need to do to combat it.

Security and business execs need to work more closely together. Corporate leaders are aware of various enterprise risks -- competitive, portfolio, operational, environmental -- but they don't always know about cyber risk, LaSalle says.

As business and security departments mature, this becomes more important. CEOs, CFOs, and COOs don't yet fully understand cyber risk, but they want to.

"Security teams need to articulate business exposure to a technical flaw," agrees Richards. "They need to educate the business impacts of cybersecurity challenges to the board and the C-suite. [Security] needs to start at the top and work its way down."

He also recommends pressure-testing the organization to find vulnerabilities before hackers do.

"Swing at it like a real attacker," he emphasizes. Screening technologies, while helpful, won't provide the same insight. "Attack it the way a human attacks it. Because then you know."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...