The threat landscape appears dominated by well-funded and businesslike adversaries using extremely sophisticated, targeted attacks, a new report said.
In addition, organizations are still failing to train employees on the importance of security, even as those employees continue to put businesses at risk. On top of that, security investments made in the past are not up to the task of protecting against the new classes of attack.
As a result, the report from IBM entitled “2014 Cyber Security Intelligence Index” said organizations may be more vulnerable than they think and are not doing enough in the battle against cyber crime.
Just 23 percent use cloud security protection, 32 percent have access to the latest threat intelligence and 43 percent perform penetration testing or ethical hacking. Overall, researchers found up to 40 percent of organizations are missing critical security protections. This shows organizations are overlooking the IT fundamentals that can enhance their ability to mitigate risk.
In 2013, the number of security events increased by 12 percent over 2012, reaching 91 million events, the report said. Organizations need to respond by implementing more up-to-date security controls that are more proactive. The need for security intelligence tools, supplemented by human analysis of the most serious incidents, remains stark. IBM researchers said security intelligence makes it possible to reduce millions of cyber security events suffered in any given year to an average of 16,900 attacks, which amounts to an average of 109 incidents per organization per year.
Of all the incidents analyzed by IBM’s computer security incident response team, 3 percent can end up classified as “noteworthy” because the level of security impact is sufficiently high. The most common impact of such noteworthy events is data disclosure and theft, which can have huge consequences for an organization’s reputation. IBM’s research shows 61 percent of organizations said data theft and cyber crime are the greatest threats to their reputation.
According to research from the Ponemon Institute regarding the economic impact of IT risk and reputation, “substantial events,” which could equate to the definition of noteworthy, account for 75 percent of the total costs resulting from security incidents but for 92 percent of costs related to reputation and brand damage, which are the single largest category of costs at an average of $5.3 million per substantial event.
Human errors are extremely costly: The “Cyber Security Intelligence Index” found 95 percent of all security incidents involve human error, from misconfigurations and poor patch management practices to the use of insecure or default credentials, the loss of equipment or the disclosure of sensitive information through careless mistakes.
Social engineering tactics are increasingly favored by attackers and are highly targeted against specific individuals, with the aim of tricking them into providing access to networks and the sensitive data they contain. While there are technology safeguards for problems that result from human error, IBM researchers said the best strategy is to educate employees on an ongoing basis so they are able to identify and defend themselves against suspicious communications and potential risks to their organizations.
The use of malicious code and sustained probes or scans by outsiders account for 58 percent of incidents seen by organizations. In many cases, malware and probes go hand in hand, with probes used to identify targets before malware is unleashed. However, a category of attack that has increased considerably is unauthorized access to systems, accounting for 19 percent of incidents, up 6 percent over the previous year. This is often the third prong of the attack, following probes and the use of malware to gain access to networks and then elevate privileges once an attacker gains a foothold. This is in line with the rise of highly targeted attacks, and they will likely only increase.
No matter how savvy some employees are, there will always be weak links and attacks will be successful. The onus is on organizations to upgrade their ability to continuously monitor their networks for any signs of suspicious or abnormal activity, looking for signs of both unauthorized access and suspicious traffic activity.