
11/28/2018
02:30 PM
Marc Wilczek
Commentary

Data Breach Threats Bigger Than Ever

A quarter of IT and security leaders expect a major data breach in the next year.

In its 2018 Strategic Security Survey (registration required), Dark Reading polled some 300 IT and security leaders and found that more organizations, not fewer, expect to face data breaches in the coming year compared with the previous year's survey. Moreover, the companies believe they're not fully ready to protect their data against intruders.

A large proportion of respondents expect that staffers with privileged access might be the source of a breach, but they're also wary of attackers from outside mounting one of many sophisticated new attacks. A growing attack surface, distributed denial-of-service extortion, targeted attacks, and ransomware are contributing to the unease that many organizations sense. But concerns about overstaffing and budgets seem to have abated compared to the level of worry expressed in 2017. Almost one in five (19%) respondents said they believe their companies are more vulnerable to data breaches than a year ago, a somewhat higher number than the 17% who felt that way last year. The proportion of respondents who believe their company's data-breach exposure hasn't changed has dropped. In Dark Reading's 2017 survey, 55% of respondents said their vulnerability to data breaches had remained stable over the past 12 months; this year, only 48% made that claim.

These results are worrying. The money poured into cybersecurity has skyrocketed in recent years, yet most companies feel that investment hasn't translated into the ironclad security they need.

Cybercrime and Targeted Attacks on the Rise
Sixty-one percent of respondents said that the most likely reason for a major data breach next year would be a negligent end user or an employee breaking the company's Internet-use policy. This gloomy prediction is probably attributable to the hugely disruptive successes that hackers have racked up by targeting corporate end users and executives.

That said, just over half of the survey respondents said cybercriminals are the biggest threat to their security. Twenty-six percent of IT departments expect a serious breach next year stemming from a targeted attack, and 21% have already experienced one, up from 17% who reported having one in last year's survey. Another reason why targeted threats are a growing problem is simply that more people are aware of them. In the last few years, Western intelligence agencies have uncovered state-sponsored attackers — especially from Russia, China, and North Korea — who are launching laser-targeted assaults on companies with critical infrastructure.

The Cost of an Average Breach: $3.62 million
Last year, the Ponemon Institute estimated the average global cost of a data breach was $3.62 million, or about $141 per record. Costs in the US are nearly twice that. Cyberattacks of any kind can have brutal financial ramifications: 17% of respondents lost between $100,000 and $999,999, 9% lost between $1 million and $4.9 million, and 2% lost more than $5 million.

One might think that with so much money at stake, top executives would be spending more time learning how to make their companies more secure. Some of them are: 25% of the IT and security pros in the Dark Reading survey are satisfied that their corner-office teams are sufficiently security-savvy. But 39% say their top managers understand the business risks of data breaches but aren't sure how to quantify them. Both numbers are lower than the 29% and 45% reported last year. A quarter of respondents said their top managers don't really get how breaches might disrupt or even destroy the business, compared with 18% who reported a similar lack of comprehension last year. The numbers suggest that top managers are getting worse, not better, at grasping the potential consequences of data breaches.

App Security Emerges as Weakest Link in the Value Chain
Yet another cyber vulnerability is rooted in applications. Forty-two percent of the survey respondents say bugs in programs are their biggest data security threat, a percentage in line with the 41% reported in the 2017 survey. These security concerns are familiar: Countless security studies and reports in the past few years have shined a spotlight on the high prevalence of vulnerabilities such as SQL injection and cross-site scripting. More recently, these issues have grown worse because of the rising popularity of software development models such as DevOps and agile, which tend to prioritize speed of development and delivery over security. Experts in the latter sphere also worry about the frequent use of open source code in today's software because some of it may undergo insufficient security testing.

Once again, malware and phishing were cited as the top two online problems. While 52% of respondents said they had suffered a malware-related breach, 48% said they'd been phishing targets. Ransomware was the third most-cited reason for a security breach in 2017, but the proportion of respondents (16%) that said they'd been victims of a ransomware attack was down substantially from previous surveys.

Conclusion
Evidently, data breach concerns are higher than ever, although more people are aware of breaches and are spending more money on cybersecurity solutions to prevent them. The growing number of highly sophisticated threats and targeted attacks is not only wreaking financial damage but also leaving many organizations wondering whether they're capable of doing enough to protect their data. Compared with last year, more organizations expect to suffer a major breach in the next 12 months, and most feel that breach will stem from an employee's careless actions rather than an outside attacker. Perhaps most troubling, top management seems to be less security-savvy than last year. It's clear that many organizations will run into some major potholes on the Internet highway in the coming year.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...