Security shakeup needed to stop theft of confidential information

Infections are expensive and nearly constant, but studies from vendors Symantec and FireEye have found the prescription: A new approach to security.

A global study of more than 3,000 organisations has found that, while the number and frequency of cyberattacks is falling, successful attacks inflict a high financial cost on victims. Data suggests organisations need to rethink security to meet newer, more targeted threats.

[T]he techniques we have relied on for many years no longer apply to current threats. I’d say we are lagging behind the malware writers at the moment.

Paul Davis, director of operations, FireEye

The Symantec 2011 State of Security Survey found that 71% of organisations suffered attacks in the 12 months prior to May 2011, down from 75% in the previous year, which Symantec interprets as a sign that increased security measures may be helping to ward off attackers. But, the damage inflicted by successful attacks is hitting companies hard, with small-to-medium sized businesses losing an average of $100,000, and larger organisations suffering as much as $271,000 in losses with each incident.

The majority of these losses took the form of lost productivity through downtime, while other factors included theft of confidential information, reduced stock price and the cost of legal and regulatory measures arising from a breach.

According to Greg Day, security CTO for Symantec EMEA, the report carries a mixture of good and bad news.

“We’ve had at least a decade of cybercrime, and we have gotten better at defending against volume attacks. But now we are seeing more targeted and more persistent threats,” Day said. “Social networking has become the reconnaissance tool of the hacking world, and social engineering has become the method of breach because the user is so often the weak point.”

Day said that, while breaches will happen, it's essential to limit the scope of the damage. “We need to start thinking more about bi-directional security,” he said. “We need to ensure that, if hackers get in, our important information cannot be taken out of the business.”

The report showed that companies are now most concerned about new threats posed by mobile devices, social networking and the consumerisation of IT, where devices are used for both personal and work purposes. This means IT has more endpoints to secure, in addition to defending the corporate network.

When asked, 49% of respondents cited hackers as the biggest danger, followed by well-meaning insiders (46%) and targeted attacks (45%).

Day said companies need to adapt their defences to reflect the changing threat landscape, and focus more on stopping the theft of confidential information. “Up to now we have been used to quite blunt security tools. You set up AV or a firewall, then you watch to see what’s going on,” he said. “But now data is dynamic and doubling in size every year. The volume of people creating, using and copying data is huge.”

With so many people having access to different types of information, it is a complex task to control how that information is handled and used. Day said there needs to be much closer collaboration between security teams and the business.

He added that people from the business side need to decide which information is important and to help set policy controls for data access. “Security people with their technical background don’t have the ability to apply those controls. We are entering new territory where business and security have to work more closely together,” Day said. “You can’t apply information-based control without having some background in information.”

A similarly themed report (.pdf) from security vendor FireEye corroborates the need for a radical rethink of enterprise information security. The company analysed Internet traffic in real time for several hundred large organisations -- mostly its existing customers -- and found a high level of incoming malware that managed to bypass conventional security defences.

The report's findings are startling: 99% of organisations suffered at least one malicious infection in their networks each week, and 80% suffered more than 100 infections per week. It concludes that traditional defences that rely on signatures, reputation services and “crude heuristics” are ill-suited to detecting more targeted and persistent multi-stage attacks.

The study looked at organisations in a variety of sectors, including financial services, healthcare and government, all of which showed high levels of infection despite having traditional security defences, such as antivirus, intrusion prevention and firewalls, in place. “Based on this data, we see that today’s cybercriminals are nearly 100% effective at breaking through traditional security defenses in every organisation and industry, from security-savvy to security laggards,” the report concludes.

One reason for this is that criminals have developed a dynamic and quickly changing approach to creating and distributing malware. FireEye said that, in the second quarter of 2011, it found that 90% of malicious binaries and malicious domains (URLs hosting malware) changed almost immediately upon being detected, and 94% changed within a day. This rapid change, it said, is designed to stay ahead of the daily updates of Internet reputation blacklists, thereby allowing the malware to go undetected. The research also uncovered the growing use of malware designed to steal confidential information and intellectual property.
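To make the blacklist-lag argument concrete, here is an added simulation (not code from FireEye, Symantec or the article) that models a reputation blacklist refreshed once a day against an attacker who rotates malicious domains on a fixed schedule, and compares it with a simple local "first-seen age" heuristic. All traffic is constructed inline; the domain names, rotation period and 24-hour refresh cadence are assumptions chosen to illustrate the point, with the cadence taken from the article's "daily updates".

```python
"""Constructed simulation: daily-refreshed blacklist vs fast-rotating indicators."""
import math
from dataclasses import dataclass

REFRESH_HOURS = 24.0  # blacklist publication cadence (article: "daily updates")


@dataclass(frozen=True)
class Event:
    t: float         # hours since the start of the observation window
    indicator: str   # domain, URL or binary hash (constructed values)
    malicious: bool  # ground truth, known only to the simulation


def build_events(rotation_hours, horizon_hours, step_hours=1.0):
    """Constructed traffic: one malicious beacon per step to a domain the
    attacker replaces every `rotation_hours`, one benign connection per step
    to a stable domain, and once a day a connection to a brand-new but
    legitimate domain (the kind of traffic that trips 'new domain' rules)."""
    events = []
    for k in range(int(horizon_hours / step_hours)):
        t = k * step_hours
        generation = int(t // rotation_hours)
        events.append(Event(t, f"evil-{generation}.example", True))
        events.append(Event(t, "cdn.example", False))
        if t % 24.0 == 0.0:
            events.append(Event(t, f"new-saas-{int(t // 24)}.example", False))
    return events


def blacklist_verdicts(events, refresh_hours=REFRESH_HOURS):
    """Model of a reputation feed: a malicious indicator is learned by the vendor
    at its first use anywhere and reaches subscribers at the next refresh
    boundary. Returns one bool per event: was the connection blocked?"""
    first_seen = {}
    for e in events:
        if e.malicious and e.indicator not in first_seen:
            first_seen[e.indicator] = e.t
    publish_at = {i: (math.floor(t / refresh_hours) + 1) * refresh_hours
                  for i, t in first_seen.items()}
    return [e.indicator in publish_at and e.t >= publish_at[e.indicator]
            for e in events]


def first_seen_verdicts(events, max_age_hours=24.0):
    """Local heuristic that needs no feed: alert on any connection to an
    indicator this organisation first observed less than `max_age_hours` ago.
    It is blind to reputation, so it also flags newly adopted legitimate
    domains; `events` must be sorted by time."""
    first_seen = {}
    verdicts = []
    for e in events:
        t0 = first_seen.setdefault(e.indicator, e.t)
        verdicts.append(e.t - t0 < max_age_hours)
    return verdicts


def score(events, verdicts):
    """Precision/recall of a verdict list against the simulation's ground truth."""
    tp = sum(1 for e, v in zip(events, verdicts) if v and e.malicious)
    fp = sum(1 for e, v in zip(events, verdicts) if v and not e.malicious)
    fn = sum(1 for e, v in zip(events, verdicts) if not v and e.malicious)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 3), "recall": round(recall, 3)}


if __name__ == "__main__":
    for rotation in (6.0, 48.0):
        ev = build_events(rotation, horizon_hours=72.0)
        print(f"rotation every {rotation:>4}h  blacklist: {score(ev, blacklist_verdicts(ev))}")
        print(f"rotation every {rotation:>4}h  first-seen: {score(ev, first_seen_verdicts(ev))}")
```

With a six-hour rotation every malicious domain is retired before the daily feed can publish it, so the blacklist's recall is zero even though every indicator was eventually "known bad"; only when the attacker holds a domain for longer than the refresh interval does the feed start to catch anything. The first-seen heuristic catches all of the rotating traffic but pays for it in false positives on legitimate new domains, which is the trade-off a detection team has to tune rather than a free win.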

“This shows that things have moved on, and the techniques we have relied on for many years no longer apply to current threats,” said Paul Davis, FireEye’s director of operations. “I’d say we are lagging behind the malware writers at the moment, the threats are accelerating at such a rate.”
