Survey says: Many breaches accomplished in less than an hour
Survey says: Many breaches accomplished in less than an hour

Penetration testers and hackers are having little problem breaching the perimeter and quickly locating critical data with 12 percent saying they can get into a system in less than an hour and despite learning their company is vulnerable some firms still opt to do nothing to improve security.

A new survey by the research firm Nuix of 112 independent researchers and security executives found the food, hospitality and manufacturing sectors are the easiest to breach when tested with 17 percent of those surveyed said they are inside these networks in less than an hour and within another 60 minutes about 35 percent of the respondents said they had located critical, high-value data. Once these two steps have been accomplished, regardless of the time needed, 30 to 50 percent said it took just another hour to exfiltrate the desired data.

Some of the better-performing sectors, the survey found, are aviation, law enforcement and law firms and state an municipal governments also tested well with less than 8 percent of the researchers saying they could breach these perimeters in less than an hour. 

On the downside, those organizations once breached, gave up their data very fast with about 25 percent of those surveyed saying the critical information was found within an hour.

Once the pen test reveals exactly how vulnerable a company is, Nuix asked the respondents what were the most common protective measures undertaken by the target company. Fifty-three percent some remediation focused primarily on the firm's high-value data. Only 7 percent initiated a full remediation program and then retested, while another 5 percent did an extensive remediation of just the identified issues.

Shockingly 18 percent talked about taking steps but did nothing and 6 percent simply did nothing at all, the report said.

Fifty-seven percent of the testers and hackers surveyed did note that those companies that are in compliance with PCI, NIST and ISO 27001 are better protected, calling all three defensive measures effective.

“Considering how much money, time and energy organizations in heavily regulated industries spend complying with these frameworks. I'm sure they would like to see the 'yes' number higher,” the report said.

However, only 47 percent believe cybersecurity measures pushed through by the government will lead to meaningful change.

One reason the report cited for this bit of negative was the fact that the United States has a great deal of ineffective cybersecurity legislation and that may have skewed the number downward.