In its 2018 Strategic Security Survey (registration required), Dark Reading polled some 300 IT and security leaders and found that more organizations, not fewer, expect to face data breaches in the coming year compared with the previous year's survey. Moreover, the companies believe they're not fully ready to protect their data against intruders.
A large proportion of respondents expect that staffers with privileged access might be the source of a breach, but they're also wary of attackers from outside mounting one of many sophisticated new attacks. A growing attack surface, distributed denial-of-service extortion, targeted attacks, and ransomware are contributing to the unease that many organizations sense. But concerns about overstaffing and budgets seem to have abated compared to the level of worry expressed in 2017. Almost one in five (19%) respondents said they believe their companies are more vulnerable to data breaches than a year ago, a somewhat higher number than the 17% who felt that way last year. The proportion of respondents who believe their company's data-breach exposure hasn't changed has dropped. In Dark Reading's 2017 survey, 55% of respondents said their vulnerability to data breaches had remained stable over the past 12 months; this year, only 48% made that claim.
These results are worrying. The money poured into cybersecurity has skyrocketed in recent years, yet most companies feel that investment hasn't translated into the ironclad security they need.
Cybercrime and Targeted Attacks on the Rise
Sixty-one percent of respondents said that the most likely reason for a major data breach next year would be a negligent end user or an employee breaking the company's Internet-use policy. This gloomy prediction is probably attributable to the hugely disruptive successes that hackers have racked up by targeting corporate end users and executives.
That said, just over half of the survey respondents said cybercriminals are the biggest threat to their security. Twenty-six percent of IT departments expect a serious breach next year stemming from a targeted attack, and 21% have already experienced one, up from 17% who reported having one in last year's survey. Another reason why targeted threats are a growing problem is simply that more people are aware of them. In the last few years, Western intelligence agencies have uncovered state-sponsored attackers — especially from Russia, China, and North Korea — who are launching laser-targeted assaults on companies with critical infrastructure.
The Cost of an Average Breach: $3.62 million
Last year, the Ponemon Institute estimated the average global cost of a data breach was $3.62 million, or about $141 per record. Costs in the US are nearly twice that. Cyberattacks of any kind can have brutal financial ramifications: 17% of respondents lost between $100,000 and $999,999, 9% lost between $1 million and $4.9 million, and 2% lost more than $5 million.
One might think that with so much money at stake, top executives would be spending more time learning how to make their companies more secure. Some of them are: 25% of the IT and security pros in the Dark Reading survey are satisfied that their corner-office teams are sufficiently security-savvy. But 39% say their top managers understand the business risks of data breaches but aren't sure how to quantify them. Both numbers are lower than the 29% and 45% reported last year. A quarter of respondents said their top managers don't really get how breaches might disrupt or even destroy the business, compared with 18% who reported a similar lack of comprehension last year. The numbers suggest that top managers are getting worse, not better, at grasping the potential consequences of data breaches.
App Security Emerges as Weakest Link in the Value Chain
Yet another cyber vulnerability is rooted in applications. Forty-two percent of the survey respondents say bugs in programs are their biggest data security threat, a percentage in line with the 41% reported in the 2017 survey. These security concerns are familiar: Countless security studies and reports in the past few years have shined a spotlight on the high prevalence of vulnerabilities such as SQL injection and cross-site scripting. More recently, these issues have grown worse because of the rising popularity of software development models such as DevOps and agile, which tend to prioritize speed of development and delivery over security. Experts in the latter sphere also worry about the frequent use of open source code in today's software because some of it may undergo insufficient security testing.
Once again, malware and phishing were cited as the top two online problems. While 52% of respondents said they had suffered a malware-related breach, 48% said they'd been phishing targets. Ransomware was the third most-cited reason for a security breach in 2017, but the proportion of respondents (16%) that said they'd been victims of a ransomware attack was down substantially from previous surveys.
Evidently, data breach concerns are higher than ever —although more people are aware of breaches and are spending more money on cybersecurity solutions to prevent them. The growing number of highly sophisticated threats and targeted attacks is not only wreaking financial damage but also leaving many organizations wondering whether they're capable of doing enough to protect their data. Compared with last year, more organizations expect to suffer a major breach in the next 12 months, and most feel that breach will stem from an employee's careless actions rather than an outside attacker. Perhaps most troubling, top management seems to be less security-savvy than last year. It's clear that many organizations will run into some major potholes on the Internet highway in the coming year.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.