'Complacency' to blame for undetected data breaches

A new study from IT Governance reveals that half of IT staff believe that their company may have suffered a data breach without it being detected.


In its annual Boardroom Cyber Watch 2014 study, global cyber security provider and CREST member IT Governance surveyed 240 senior IT decision makers and found that many companies are blind to data breaches, are ‘complacent' in their defensive measures and have little to no contact on these matters with board members.

The study revealed that 36 percent of respondents believe that their company has suffered from an undetected cyber-attack in the last year, with another 20 percent saying that they didn't know. The combined figure of 56 percent admitted that it's possible that their firm has suffered a data breach without it being detected.

These statistics back up recent reports from Mandiant (M-Trends Report 2014) and Trustwave (Global Security Report) that attackers spend a huge amount of time unseen in a victim's network, with this figure as high as seven months.

“For breaches to go undetected for months is a very dangerous matter,” said IT Governance founder Alan Calder. “In the worst of scenarios it may mean the end for an organisation. In June, we saw Code Spaces forced out of business due to a targeted cyber-attack, while more than 190 customers of a European bank have been robbed by cyber thieves who operated in a very sophisticated manner and deleted all evidence leading to them.”

However, underpinning the growing threats from cyber-criminals is a surprising confidence from IT in their defensive measures - 73 percent of respondents believe that their current information security defences are effective at warding off cyber-attacks.
 
“The high level of complacency, compared to the high level of uncertainty over whether or not an organisation has been breached, shows that in many cases, the organisations' belief that they are secure against attack is likely to be unfounded,” said Calder, who urged companies to carry out pen testing on networks and web apps to identify any security vulnerabilities.

Speaking to SCMagazineUK.com after the release of the report, IOActive futurologist David Lacey said that these findings were not surprising.

“Organisations have always been poor at detecting incidents. Most CISOs don't even know what's happening within their own enterprises, never mind what an outsider might be doing,” said Lacey.

“You need effective intelligence networks and top notch security monitoring software. Years ago we only had human networks, so you had to network with people in the know such as law enforcement agencies, as well as your own auditors, lawyers and company secretary.

“Then we implemented incident reporting systems which opened up a whole new horizon on events. Today, we require specialist monitoring and integrity checking software to detect advanced persistent threats. Unfortunately we can't guarantee to spot new APTs right away because they're designed to evade today's security systems. The so-called ‘dwell time' of an APT is the new metric. Smart companies have got this down from years to weeks. But ideally it needs to be days or even minutes to contain the damage.”

Still a disconnect between IT and boardroom

Meanwhile, the study also found – contrary to KPMG's study last week – that there is a significant disconnect between the IT and boardroom.

Approximately 32.5 percent of respondents said that their board receives no regular reports on cyber security, and there is concern too over the quality of the reports that do reach the board: 21 percent of respondents believe their company's board reports fail to provide the information needed to make decisions, with 28 percent unsure whether any information is provided at all.

More worrying still is that a third of respondents (29 percent) believe that fear of retribution might stop the IT department from fully disclosing details of cyber breaches to top management. Another 30 percent believe their board lacks the knowledge and qualifications to exercise effective cyber governance.

As a result, 51 percent of those surveyed believe that successful attacks are now inevitable and are moving to cyber resilience as an objective: minimising the number of successful attacks and recovering quickly when breaches do occur.

Ed Wallace, director of incident response and advanced threats at MWR InfoSecurity, told SCMagazineUK.com that few companies are aware that they've ever been breached, saying “exfiltration of data can go on for years undetected”, but said that all is not lost.

“Our normal recommended approach when dealing with companies that are concerned is to carry out several pieces of work – a business impact assessment (ie how much should the organisation be concerned about advanced breaches); a compromise assessment (ie have you actually been breached and what's in your network – bearing in mind that none of the normal IT security tools will have been effective); and a simulated attack project to demonstrate just how secure an organisation is,” said Wallace. 

“Coupling these steps with practical business-focused threat intelligence – why are you a target and what are the consequences – is a key step in understanding the risks an organisation faces if it wishes to keep any competitive advantage against international competition.

“These steps then typically lead to a full cyber defence project to help clients move out of the ‘victim zone' and to improve their ability to detect, deter and defend against future attacks.”

Update: Guy Bunker, SVP of product at Clearswift, told SC that the cyber battle is increasingly a 'war' and urged CIOs and CISOs to understand where their data is all of the time.

"It is a company's responsibility to secure and protect its information, after all this is today's organisational lifeblood," he said via email.

"There is an increased need to understand where critical information is 100 percent of the time, who has access and how. Without this it becomes impossible to protect, and where delays occur in the acknowledgements of attacks, the true extent of the data loss is even harder to verify."