The number of successful cyber attacks against organizations is increasing, according to the “2015 Cyberthreat Defense Report” from CyberEdge Group, which surveyed 814 IT security decision makers and practitioners from organizations – in 19 industries – across North America and Europe.
Altogether, 71 percent of respondents said that their organization's global network was compromised by a successful cyber attack in 2014 – a number that jumped up from 62 percent in the year prior – and 22 percent said that their organization experienced six or more successful attacks, according to the report.
Not patching vulnerabilities is one reason successful attacks are on the rise, Steve Piper, CEO of CyberEdge Group, told SCMagazine.com in a Thursday email correspondence. He pointed to the report, which shows that 33 percent of organizations conduct full-network active vulnerability scans less often than quarterly, while 39 percent do so at least once per month.
Another reason for the rise is that attackers are refining their tactics – for example, they perform reconnaissance to carry out targeted spear phishing attacks involving malware, Piper said. In the report, respondents cited phishing attacks, malware and zero-day attacks as the top threats that are causing concern.
The issue is compounded because not enough investment is going into employee security awareness training, Piper said. “Our workforce is our last line of defense,” he said. “If employees are better trained to recognize the telltale signs of spear phishing attacks, our industry would experience far fewer successful data breaches.”
In the report, respondents indicated that low security awareness among employees is the top inhibitor to defending against threats – furthermore, less than 20 percent said they were confident their organization has made the proper investments in training.
Mobile presents another problem for organizations. For the second year in a row, respondents cited mobile devices – such as smartphones and tablets – as the weakest IT security link, meaning mobile is the area where organizations have the hardest time defending against threats.
“Our research indicates that mobile device management (MDM) and mobile application management (MAM) are the most commonly cited mobile security technologies planned for acquisition in 2015,” Piper said. “These technologies are designed to significantly improve an organization's mobile security posture.”
On the spending front, 70 percent of respondents said their organization is allocating more than five percent of their IT budget to information security, and 62 percent indicated that they expect their IT security budget to rise in 2015, according to the report. Piper indicated that there is no “magic number” for IT security spending, and that organizations will have to allocate funds based on how they value their data.
Some other arbitrary findings in the report: nearly a third of respondents do not feel they have the tools necessary to adequately inspect SSL-encrypted traffic for threats, 23 percent are confident their organization made sufficient investments to monitor privileged user activity, nearly two-thirds view software-defined networking (SDN) as having a positive impact on defending against threats, and 68 percent cited network access control (NAC) as being most regularly used to reduce the network's attack surface.