igor - Fotolia
More than a quarter of UK CIOs say they are not concerned about security breaches or the time needed to discover them, according to research. But 85% admit they are not proactively hunting for threats, and are dealing with them only when breaches are discovered.
This is despite the fact that 82% of the UK CIOs polled said they are under increasing pressure from the business to prevent, detect and respond to security incidents faster, especially in the financial sector.
The survey, commissioned by security firm Carbon Black, also uncovered a disconnect between CIOs’ expectations of threat discovery and response, and reality.
According to security researchers at the Ponemon Institute, it takes on average 256 days to detect a breach and a further 100-120 days to remediate the threat after an attack, at an average cost of $3.8m.
Yet the UK CIOs surveyed believe it would take an average of just 60 days to uncover a breach. Over a quarter (26%) claimed they would be able to uncover a breach in less than 14 days, 15% in less than 30 days, 18% in less than 90, while 14% believe it would take up to 180 days.
The study revealed that over half (52%) of respondents believe that if they were to suffer a breach today, they would be 100% confident in knowing what systems and data had been affected and how within 24 hours, compared with 59% of CIOs at large companies.
“These results are shocking and unbelievable because none of those polled believe they can be breached without them knowing about it and this should make everyone angry because these CIOs are not living in reality,” said Ben Johnson, chief security strategist for Carbon Black.
“When you look at these results, something really doesn’t add up. On the one hand, companies are operating from a reactive security posture and tending to symptoms, rather than causes. Yet they still believe they can detect threats much faster than the industry average, even though they are not actively seeking them out,” he said.
In reality, said Johnson, hackers today are determined, sophisticated, and well-funded. “Sitting and waiting for them to make a mistake and expose themselves is not an effective strategy, especially as many security teams are flying blind because they are unable to prioritise threats because of the huge volumes of alerts they receive.
“Companies need to automate processes where possible to free up security teams' time to hunt threats and disrupt hackers during an attack, rather than just picking up the pieces in the aftermath,” he said.
A new range of attacks
The survey also looked at the ways in which security teams are using technology to be alerted to threats and found that many of the tools that businesses are relying on are not equipped to deal with the new range of attacks facing organisations.
While firewalls (94%) and antivirus (AV) (90%) are almost ubiquitous, and two-thirds of companies are using encryption (64%) or intrusion detection systems (IDS) (62%), less than half of organisations (44%) have advanced endpoint protection in place.
“Even though most have AV, these systems are typically catching only 30% of threats, and while 64% are using encryption and 44% have endpoint protection in place, this is still way too low, especially considering the endpoint is highly targeted as the vulnerable new perimeter,” said Johnson.
“In many ways, the security war is being waged at the endpoint, but relatively few companies are investing in protecting endpoints, especially iPhones and Android phones,” he said.
Read more about continuous security monitoring
In addition, most businesses are hampered by the fact they are only aware of attacks in their immediate environment, with no perspective of what is happening in the broader market. As a result, 89% of CIOs think that security vendors need to collaborate more to provide contextual information about the threats they face.
“Digital businesses are more open and accessible than ever before, as we are all constantly connected to the internet. As such, our security perimeter is no longer the network, but the endpoints we use to connect – which are multiplying in number and range every day," said Johnson.
“However, while the nature of the threats we face is changing, our approach to security is yet to catch up. AV cannot protect the endpoint against zero-day attacks, IDS will not prevent a malicious file from executing on a laptop. Not only are CIOs not using the right tools, but they also have no visibility outside their own environment – they’re not asking themselves, has anyone else had this problem? If so, how did they resolve it?”
According to Johnson, the next generation of security needs to use the collective intelligence of thousands of users, share knowledge and patterns of attack behaviours across a community.
“We all have the same goal, to hit back against the bad guys, so we need to unite to do this more effectively,” he said.
“It seems that in many cases, the CIOs are simply not aware of what is really going on, and while none of those polled thought they had been compromised, they probably all had been compromised and either their organisations did not know or the CIOs had not been told.”
Part of the problem, he said, is a lack of qualified cyber security staff, citing as an example one company that has 300 open security analyst positions, saying the firm would consider itself lucky if it manages to fill three of those positions in 2016.