In a new study of 250 UK IT decision makers working at a company with more than 250 employees, Bit9 + Carbon Black found that 64 percent of respondents expect their organisation to be targeted by a cyber-attack within the next 12 months, with a third (32 percent) confirming that they had been hit by attacks the year before.
However, while these findings are unlikely to come as a huge surprise given the frequency of data breaches across the globe, what was arguably more concerning was the finding that almost half (49 percent) of those surveyed did not know if they had been compromised, and that 61 percent rated their ability to detect suspicious behaviour on the network as ‘no better than average'.
F-Secure technical consultant Bunmi Sowande told SCMagazineUK.com that a poor visibility of threats would likely see the same company be hit by multiple attacks from the same group.
“If the original hack went undiscovered, then [it's] very likely,” said Sowande, speaking on the possibility of companies being attacked multiple times. “Hackers tend to leave some backdoors installed so they can come back if the data extracted the first time turned out to be very valuable.”
This security ‘blindness' is especially bad when it comes to organisations' point-of-sale (POS) systems with 70 percent of respondents admitting that they had no way of knowing if their systems had been targeted. Only 20 percent could say with confidence that their POS devices had not been targeted, while 52 percent of POS users were confident or very confident that their current security solution was capable defending from an advanced or targeted attack.
“Visibility is critical for effective security, yet these results show that far too many organisations don't know what's happening on their endpoints”, said Bit9 + Carbon Black chief evangelist Ben Johnson, in a statement.
“You can't stop advanced threats and targeted attacks if you can't see what's happening. Prevention, detection and response are built on the ability to see all activity on every endpoint and server”.
Study respondents cited hactivists (86 percent) and cyber-criminals (77 percent) as the most likely attackers, followed by disgruntled employees (61 percent), and said that they were most worried about system downtime (77 percent), data loss (68 percent) and reputational damage (52 percent). Just 50 percent believed that an incident would impact the business financially.
On learning these findings, Amar Singh, chair of the Security Advisory Group of industry body ISACA UK and an interim CISO, said that he was ‘quite surprised' that the headline figure was so low and put this down to a realisation that cyber-crime affects everyone within an organisation.
“The realisation [on cyber-crime] is setting in and the government has made good progress with initiatives like 10 steps [to Cyber Security] and Cyber Essentials. But I think there's a bit of uncertainly on how to protect yourself,” he told SC.
Singh continued that protection continues to be the focus rather than the ‘ability to respond' and criticised board members and senior management for not ‘up skilling staff' - and for not even understanding what an incident is themselves.
“If I may say this, C-level executives are not even properly equipped to deal with an incident – and that's not even a breach. They're not able to understand what an incident is.”
Sowande, though, pointed to IT problems and said that some companies struggle to keep on top of their data logs, citing one example where an unnamed company found a hacker by chance.
“The problem isn't that people can't keep up with the logs, the problem is that it is sometimes difficult to analyse logs to discover that an attack has taken place,” said Sowande.
“One of our customers discovered a pretty extensive attack had occurred on its site by luck. They were going through the logs and spotted something but dismissed it. One of their analysts decided to stick with it until he proved that something was happening. Also, hackers have been known to delete logs to remove traces of their activity.”
Mark Brown, the executive director for cyber security and resilience at consultancy EY, agreed with Singh that cyber-attacks are now a question of ‘when not if' and said that smart companies would reap operational and financial benefits.
“The key for all companies now is how quickly they can identify a cyber-breach and respond to ensure the business is resilient to the impacts of the breach,” Brown told SC via email.
"Organisations that address both the risks and the opportunities arising from the technology revolution have the chance to grasp a competitive advantage. If they do this successfully they can gain operational and financial performance benefits, as well as retaining customer loyalty as brand reputation can now be inextricably linked to commercial success."