Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

11/2/2016
12:40 PM

Business Security Confidence Contradicts High Success Rate Of Attacks

Research indicates one in three cyberattacks results in a security breach, but most organizations are confident in their defense tactics.

One in three targeted attack attempts in the past 12 months led to a security breach, or about two to three successful attacks per month for the average company.

This finding comes from a new Accenture report published today, entitled "Building Confidence: Facing the Cybersecurity Conundrum." Researchers surveyed 2,000 top security execs representing companies with annual revenue of $1B or more, to gauge their perceptions of cyber risk and the effectiveness of current security efforts and investments.

Enterprises experience about 106 coordinated attack attempts per year. And despite the high success rate of attacks, 75% of respondents say they can sufficiently defend their organizations. Seventy percent say their enterprise has a strong attitude towards cybersecurity.

This overconfidence, however, could be putting them at risk.

"We started seeing this paradox," says Kevin Richards, managing director of Accenture Security North America. "[Execs] were very confident, they thought they had a cybersecurity culture, but one-third of attacks were getting through."

Many businesses are ineffectively allocating their security budgets. The majority of respondents say internal breaches have the biggest impact; however, 58% prioritize developing perimeter security over focusing on high-impact insider threats.

There is a strong disconnect between current areas of focus, says Richards, and areas that could cause the greatest harm if breached. "Research painted a picture of how wide the gap is," he notes.

With larger budgets, 44% to 54% of respondents would "double down" on current priorities: protecting the organization's reputation (54%) and safeguarding business data (47%) and customer data (44%). Fewer would invest in efforts that affect the bottom line, like easing financial loss (28%) or improving cybersecurity training (17%).

Security pros are being out-innovated by the hackers targeting them. "We know how to write better code," says Richards. "We know which assets are important to us; we know where important data elements are. We can protect those."

The problem is, attackers can innovate faster because they don't have business obstacles like reporting cycles, budgets, and audit replies impeding their progress. Speeding time-to-market also pushes employees to deliver products without verifying security.

Security experts need to "out-innovate" their adversaries, says Ryan LaSalle, managing director of growth and strategy at Accenture Security. "As they up their game from an innovation perspective, we have to, too."

Going forward, execs' confidence will change as businesses have more frank discussions about their risks, defenses, and ability to mature their security programs, he says. Their goals should be less about eliminating risk and more about understanding it.

There are several measures organizations can take to improve their security posture so they understand risk and know what they need to do to combat it.

Security and business execs need to work more closely together. Corporate leaders are aware of various enterprise risks -- competitive, portfolio, operational, environmental -- but they don't always know about cyber risk, LaSalle says.

As business and security departments mature, this becomes more important. CEOs, CFOs, and COOs don't yet fully understand cyber risk, but they want to.

"Security teams need to articulate business exposure to a technical flaw," agrees Richards. "They need to educate the business impacts of cybersecurity challenges to the board and the C-suite. [Security] needs to start at the top and work its way down."

He also recommends pressure-testing the organization to find vulnerabilities before hackers do.

"Swing at it like a real attacker," he emphasizes. Screening technologies, while helpful, won't provide the same insight. "Attack it the way a human attacks it. Because then you know."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...