Nearly two-thirds of respondents lack confidence in their organisations’ ability to prevent serious damage from a cyber attack, a report reveals.
The report by the Ponemon Institute and cyber security firm Illusive Networks explores how effectively organisations are able to minimise damage caused by persistent attackers who operate silently within their networks.
The low level of confidence revealed means most organisations are unable to defend effectively against attacks that follow an initial breach of their defences.
The findings are based on responses from IT and security professionals in the US, who were asked to rate their capabilities to pre-empt, detect and respond to resident attackers. The report further shows that only 28% of respondents rate themselves at seven or higher on a scale of one to 10 on their ability to discover improperly stored user credentials.
Only about 40% of organisations rate themselves at seven or higher in their abilities to detect this type of attack, while only 25% feel as confident in their ability to respond effectively once resident attackers are identified.
As security budgets continue to increase, the report found that the portion allocated to threat detection will grow from 32% to 40%, while allocation for preventive security controls will decline significantly from 31% to 18%.
“Because preventive controls can’t keep all attackers out, cyber programs need to anticipate attackers – both insider threats and external actors – who achieve and maintain an internal presence,” said Ofer Israeli, founder and CEO of Illusive Networks. “To reach sensitive data and critical systems, these attackers use valid credentials and connections that the business itself creates, making them very difficult to detect.”
Organisations at risk
The report findings suggest, said Israeli, that organisations of all sizes are at risk and must drive improvements in their capabilities.
Stopping resident attackers before serious damage occurs, the report said, requires the ability to prioritise activity based on level of importance to the business.
However, the study found many indicators of serious risk alignment gaps, including the fact business leaders do not clearly communicate business risk priorities, that security teams lack risk-informed visibility on how incidents can impact the enterprise, that security leaders are not included often enough in the planning of new technology and business initiatives, and that security technologies in most organisations are not optimised to reduce top business risk.
On the operational level, the report said an inability to prioritise incidents based on potential impact is cited as the second most significant obstacle to better incident response.
The study found, for example, that only 37% of respondents agree that when a particular system is compromised, they can tell what critical services may be impacted.
The study also shows that only one-third of respondents rate highly their knowledge of where critical data is stored, and most companies lack clear criteria for when to escalate a security incident to business leaders.
“While other cyber security research has touched on aspects of this study, this is the first time we have taken an in-depth look at these risk alignment issues,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
“The data suggests the gap between business leadership and security functions has a direct operational impact, and we hope this report helps stimulate new dialogue that helps organisations improve.”