Many organisations (82 percent) feel the IT security industry is making advances in the fight against cyber-attacks; however, those gains are undercut by a failure to enforce best practices in critical areas. Seventeen percent of respondents in a recent survey believe that the industry is falling further behind.
CyberArk's 10th annual Global Advanced Threat Landscape Survey 2016 studies whether global enterprises are learning and applying lessons from high-profile cyber-attacks as well as how security priorities and decision-making are being influenced.
The report collected responses from 750 IT and IT security decision makers from public and private enterprise organisations representing the UK, France, Germany, the US, Israel, Australia, New Zealand and Singapore.
High-profile cyber-attacks have driven significant increases in cyber-security awareness and spending. However, the failure to turn that growing awareness into enforcement of security best practices undermines the progress of organisations' cyber-security efforts.
Seventy-nine percent of respondents said that their organisations have learned lessons from major cyber-attacks and have taken the proper action to improve security. Top actions taken due to this awareness are increased deployment of malware detection (25 percent), endpoint security (24 percent) and security analytics (16 percent).
As threats against critical infrastructure become a reality, a majority (58 percent) feel an attack on financial systems, including disruption of global stock markets, presents the most immediate threat in general.
In emailed commentary to SCMagazineUK.com, Matt Middleton-Leal, regional director, UK and Northern Europe at CyberArk, said, “Well publicised cyber-attacks certainly appear to have influenced the concerns voiced in our survey. For instance, attacks on financial systems, including the disruption of global markets, were the most potentially catastrophic threat perceived by our respondents, which was likely to have been influenced by the recent spate of attacks that have been linked to the SWIFT messaging network. Concerns surrounding the security of government and other vital public services, including healthcare organisations, are also understandably rife, following a number of well-documented breaches.”
Fifty-five percent state that they have evolved processes for managing privileged accounts. Despite this, 40 percent of organisations still store privileged and administrative passwords in a Word document or spreadsheet. Meanwhile, 28 percent use a shared server or USB. Only seven percent have implemented their privileged account security, their number one priority for greater security awareness.
Nearly half of organisations (49 percent) allow third-party vendors remote access to their internal networks. While most respondents secure and monitor that access, the public sector had the fewest third-party vendor access controls in place compared to other industries, with 21 percent not securing and 33 percent not monitoring.
Many organisations have adopted a “post-breach” mindset, operating under the presumption of a breach and having developed post-breach response plans, but concerns emerge about the risks of overconfidence or complacency along with the ability to sufficiently protect valuable assets from cyber-attacks.
Three-quarters (75 percent) of IT decision makers (ITDMs) believe their organisation can prevent attackers from breaking into their internal network. Over a third (36 percent) believe a cyber-attacker is currently on their network or has breached their organisation's network in the past 12 months. Nearly half (46 percent) believe their organisation has been a victim of a ransomware attack in the past two years.
More than two-thirds (68 percent) of organisations cite losing customer data as one of their biggest concerns following a cyber-attack. They also expressed concerns about losing financial information (52 percent), customer trust (35 percent), reputation (33 percent) and the ability to operate (32 percent) after a cyber-attack. Other sensitive data stored in the cloud includes employee information (47 percent), corporate IP (42 percent), personally identifiable information or PII (39 percent), network or admin passwords (29 percent) and personal passwords (27 percent).
More than half (57 percent) of those who store information in the cloud are not completely confident in their cloud provider's ability to protect their data and 46 percent aren't completely aware of what their organisation's cloud services provider is doing to protect their data.
When responding to a breach, an organisation's top three priorities were most likely to include stopping the breach/removing the attackers (69 percent), detecting the source of the breach (53 percent) and updating IT security to prevent the same breach from occurring again (44 percent).
Most respondents (95 percent) report that their organisation has a cyber-security emergency response plan. But fewer than half (45 percent) said it has been communicated to and is regularly tested with all IT staff, while 40 percent state that their organisation's plan has only been communicated to and regularly tested with senior IT staff.
With the constantly shifting threat landscape, respondents prioritise the types of cyber-attacks or tactics that are most concerning for their organisation in the next year. They include distributed denial of service (DDoS) attacks (19 percent), phishing (14 percent), ransomware (13 percent), privileged account exploitation (12 percent) and perimeter breaches (12 percent).
“As for attack methods, the top cause of concern among our survey respondents was DDoS attacks; this is unsurprising due to the amount of publicity this tactic has received in recent months and given the level of disruption endured by businesses that have been forced offline. The fact that perimeter security also featured in the top five is perhaps more concerning. Frankly, focusing on the perimeter alone is an outdated security measure; today's attackers can infiltrate an organisation's network with relative ease. It is therefore far more important to employ an inside-out approach, ensuring that all sensitive assets are locked down and that privileged access is monitored in real-time, giving an organisation the opportunity to intervene and terminate a potentially suspicious session before damage can be done,” Middleton-Leal said.
The threat of legal action and fines influences the level of executive/board involvement in security-related decisions, according to 70 percent of global respondents. Meanwhile, 22 percent of respondents did not incorporate compliance fines, and 19 percent did not incorporate legal fees, into the cost of a breach.
“The findings of this year's Global Advanced Threat Landscape Survey demonstrate that cyber-security awareness doesn't always equate to being secure. Organisations undermine their own efforts by failing to enforce well-known, security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud. There's a fine line between preparedness and overconfidence. The majority of cyber-attacks are a result of poor security hygiene – organisations can't lose sight of the broader security picture whilst trying to secure against the threat du jour,” said John Worrall, CMO, CyberArk.