In the past 12 months, one in three targeted attacks resulted in an actual security breach, resulting in roughly two to three effective attacks per month at the average company.
According to new research from Accenture, 75 percent of security executives are confident in their ability to protect their enterprises from cyber-attacks. The survey collected responses from 2,000 enterprise security practitioners representing companies with annual revenues of $1 billion (£811.5 million) from more from 15 countries.
More than half of executives (51 percent) said that it takes months to detect sophisticated breaches, and as many as a third of all successful breaches are not discovered at all by the security team.
Respondents say internal breaches have the greatest impact, however 58 percent prioritise heightened capabilities in perimeter-based controls instead of pivoting to address high-impact internal threats.
Overall, it takes longer to spot a breach in the UK and the US than in other countries with over a quarter of organisations (26 percent in the UK and 30 percent in the US) taking a year or more to detect a successful attack.
“It's just the tip of the iceberg. The most advanced intrusions are rarely detected, and many large companies are not even aware that they were breached. Professional Black Hats have absolutely no interest in their victim becoming aware of the breach, and do their best to stay invisible by thoroughly planning every operation and deploying various smoke-screens to distract attention of security teams,” Ilia Kolochenko, CEO of High-Tech Bridge told SCMagazineUK.com in emailed commentary.
“Especially large companies have a major challenge when detecting intrusions, as cyber-criminals usually target their branch offices, partners, suppliers or even shareholders that don't have such a high level of defence, but have access to the same data. I think it wouldn't be exaggerated to say that over 90 percent of well-prepared targeted attacks, conducted by experienced hackers, are and will be successful.”
Organisations in France, Australia and the US are the least confident in their ability to monitor for a breach compared to the global average. Organisations in Germany (52 percent) and the UK (50 percent) are the most confident in monitoring for breaches compared to the global average (38 percent).
Given extra budget, 44 to 54 percent of respondents would “double down” on their current cyber-security spending priorities, even though those investments have not significantly deterred regular breaches. These priorities include protecting the company's reputation (54 percent), safeguarding company information (47 percent) and protecting customer data (44 percent).
Fewer companies would invest extra funds in efforts that would directly affect their bottom line, such as mitigating against financial losses (28 percent) or investing in cyber-security training (17 percent).
Compared to the global average of 8.2 percent, organisations in France spend the most (9.4 percent) of their total IT budget on cyber-security. Meanwhile, organisations in Australia and the US spend the lowest amount on cyber-security of their total IT budget (eight percent in the US and 7.6 percent in Australia).
“There needs to be a fundamentally different approach to security protection starting with identifying and prioritising key company assets across the entire value chain.”