Enterprises are getting hacked regularly, and over and over again: last year, more than 70% of organizations say they suffered a successful cyberattack, with 22% of them hit six or more times.
That first-hand experience apparently provides the backdrop for a drop in confidence, too: most security professionals don't believe they can stop attacks on their organizations anymore. Some 52% of security professionals surveyed in a new report from CyberEdge Group say their organizations will likely be successfully hacked in the next 12 months. That's an increase over 2013, when 39% were resigned to getting hacked, the report says.
"Security is finally waking up to the new reality that's more of a question of 'when' than 'if,'" says Steve Piper, CEO of CyberEdge Group, which provides research, marketing, and publishing services for various security vendors and service providers. "For the first time, a majority believe they will be victimized in the next 12 months. I predict this number is going to increase in the years ahead," too, he says.
Not surprisingly, attacks went up: in 2013, 62% of organizations said they had been hit, 16% of them six or more times.
Meanwhile, security spending is inching upward: 62% of the security pros say their budgets will rise this year, up from 48% saying the same last year. Security funds make up on average 6-10% of the IT budget, while security makes up 16% or more of the IT budget in one in five organizations.
John Pironti, president of IP Architects, LLC, says the security spending trend is still very much thanks to compliance requirements. "We absolutely fear the auditor more than the hacker," says Pironti, who next month at Interop will present a talk on what's next in security and risk management. "It all comes down to compliance spending. The more [regulatory and compliance requirements], the higher you see the security budget spend."
Interestingly, the number of organizations with BYOD policies remained flat, at about 30%, with around 45% planning to roll out a secure BYOD plan in the next one to two years, down from 48% in 2013, the report found. "I would have expected that figure to go up. It actually held steady," Piper says. "The only thing we can suspect here is that the volume and sophistication of threats and high-profile attacks have caused CISOs to delay adoption of BYOD policies."
Setting a BYOD policy isn't so straightforward, of course. "In order to do it, you have to come to terms with a balance: the end user will always have final say on that device, no matter how many containers you put out there," IP Architects' Pironti says. Some organizations are looking at a more hybrid mobile policy, he says, issuing corporate-owned devices when more sensitive applications, such as corporate apps, are involved.
Meanwhile, many organizations are disillusioned with traditional endpoint security products: 67% say they are evaluating their endpoint anti-malware software, either to augment it or to replace it altogether. That's up from 56% in 2013. "Two-thirds of them are looking to augment or replace their existing endpoint defenses," says Piper, whose report was sponsored by Blue Coat Systems, Citrix, NetIQ, PhishMe, Tenable Network Security, ThreatTrack Security, Webroot, CloudLock, Cylance, Endgame, iSIGHT Partners, and Triumfant.