Even worse, the survey of 583 U.S. IT and IT security practitioners found that a majority of organizations have experienced multiple successful attacks against their networks.
Fifty-nine percent of respondents said their networks have been compromised at least two times in the past year. Just 10 percent said they have had no breaches.
Seventy-eight percent of those surveyed said there has been an increase in the frequency of attacks in the past year. Moreover, most respondents said attacks have become more severe and difficult to detect and contain.
“We are seeing an uptick in hacking for profit and hacking for activism,” Johnnie Konstantas, director of marketing of cloud security at Juniper Networks, told SCMagazineUS.com on Wednesday.
Breaches most often occurred at off-site locations housing mobile workers, partners or other third-parties, the survey found. While respondents mostly were sure of where the data loss occurred, 40 percent could not pinpoint the actual source of the attacks that led to the breaches.
“These threats are complex," Konstantas said. "Often times there might be multiple sources of the attack. Some attacks aim to find one hole, burrow in and use that as a launch pad to get where the real data is.”
When they were able to determine a source, respondents found that attacks most often came from external agents. But insider abuse also is rampant, the survey found.
Fifty-two percent of breaches were caused by insiders, while 48 percent were the result of a malicious software download, 43 percent came from malware on a website and 29 percent from malware on social media. System glitches were responsible for 19 percent of breaches, while malware from text messages caused three percent.
Respondents were allowed to check multiple vectors.
Looking forward, more than a third of respondents are not confident their organization's IT infrastructure can avert future breaches, according to the survey.
Insufficient budgets are a challenge for many organizations, according to the survey. A majority of respondents said 10 percent or less or their IT budget is dedicated to security.
Beside their lack of resources, respondents said the complexity of improving network security and lack of employee awareness posed major challenges.
“A new approach, a more pervasive approach to cybersecurity is needed,” Konstantas, said. “One that goes beyond the perimeter and addresses all the network devices, systems and applications that are within.”
If possible, organizations should architect their networks with security in mind from inception, she said. Those with already mature networks should assess whether security is pervasive throughout.
