Two-thirds of companies would pay an average of $124K to avoid public shaming after a breach, says a new survey from Bitdefender.

A third of companies in the U.S. were breached in 2016, according to a study from Bitdefender issued on Tuesday.

And nearly three-quarters of those targeted are unaware of how the incident occurred, the survey found.

The statistics are a warning for CEOs and board members who "face increasing internal and external security risks that could ruin customer trust and business forecasts," the study stated.

While the good news for security professionals is that the increasing threat landscape has motivated executives to regard CIOs as top C-level managers – joining COOs and CFOs in business decisions – indications are that not all C-suites include CIOs/CISOs in the business decision-making process. 

The study, "Virtualization makes CIOs role key," was conducted in October 2016 with 250 IT decision-makers at companies with more than 1,000 PCs.

Some key findings from Bitdefender's study:

A third of CIOs say their job is more important in the company's hierarchy. Another third even agree their job has been completely transformed in recent years.

Nine in 10 IT decision-makers perceive IT security as a top priority for their companies. However, only two-thirds agree their IT security budget is sufficient. 

Cloud security spending increased for 48 percent of the companies in the past year, while the IT security budget for other security activities remained the same.

Only 64 percent of cyberattacks can be stopped, detected or prevented with the current resources. 

"IT decision-makers need to head off unforeseen security risks that emerged in 2016 by adopting breakthrough technologies able to fight zero-day exploits, advanced persistent threats, and other devastating types of cybercrime," the survey said. As well, virtualization and the growing adoption of hybrid environments have significantly increased the attack surface, causing more headaches when securing both physical and virtual infrastructures.

For example, two-thirds of companies would pay an average of $124,000 to avoid public shaming after a breach, while 14 percent would pay more than $500,000, the survey found. 

While the vast majority of those polled agree that IT security is a top priority for their enterprises, one-third believe their IT security budget is adequate. Digging deeper, nearly half of companies surveyed saw spending on their cloud security implementations increase last year, but budgets for other security activities remained flat, the survey revealed. Many of those polled said they'd welcome an increase, 34 percent on average, for their security to deliver efficient IT security policies.

"This is mainly because migrating information from traditional data centers to a cloud infrastructure has significantly increased companies' attackable surface, giving rise to new threats and more worries for CIO offices regarding the safety of their data," the survey found. "IT decision-makers say only 64 percent of cyberattacks can be stopped, detected or prevented with the current resources, on average."

When asked how IT staff can influence their colleagues in the boardroom, Liviu Arsene, senior eThreat analyst at Bitdefender, told SC Media on Tuesday that they can do so by presenting facts and figures addressing the strategic value of proposed security technologies and solutions, as well as the underlying lower operational and financial costs associated with them.

"Constant security reports regarding the company's current security readiness status and the impact a potential data breach might have on reputation and financial loss are also strong tools that IT decision-makers can use to raise awareness on the importance of a company's security," Arsene said. Meanwhile, the technical gap between board members and IT decision-makers can be addressed by constantly outlining risk and balancing it against data-driven financial assessments that conclude with improved operational costs, he told SC.

As the study found, some of the largest threats companies are facing involve advanced targeted threats and APTs that are specifically aimed at a single target and usually take months to detect, Arsene told SC. "By the time IT security teams find the data breach, attackers might have already exfiltrated vital company information, customer data, and even intellectual property."

In light of this, he said, organizations need to constantly reassess their security, implement strong policies and accurately identify and secure critical data. "The number of companies that have been affected by these threats has greatly increased in the past couple of years, with more high profile targets showing up in the media."

And what about the migration to the cloud? When queried about the security of cloud implementations, Arsene told SC that cloud implementations are inherently designed to offer availability and performance. "Securing those cloud infrastructures becomes troublesome, but not impossible, when both private and public cloud infrastructures are deployed across the same organization. With virtualization playing a vital role in these hybrid infrastructures, security technologies have adapted to go beyond the physical endpoint, but also virtual environments."

The security of cloud implementations, he added, depends on how data is handled both in transit and at rest, how access policies are configured, how security software is deployed across the infrastructure, and whether security technologies for virtual environments are able to remain isolated from the guest OS while at the same time offering visibility into any actions performed by a malicious application.

"Hypervisor introspection technology is one such technology that can enforce VM security from the hypervisor layer, by analyzing a guest VM's raw memory and looking for attack techniques instead of actual malware payloads," Arsene told SC.

To that end, advanced threats and APTs that try to gain persistence by elevating privileges will be detected before compromising the machine, he said. "It's safe to conclude that cloud implementations can be secured when a layered security defense is set in place and critical data is safeguarded, backed up, and constantly assessed."