External cyber attacks cost organizations about $3.5 million a year, but close to 80 percent of IT security leaders said their defensive infrastructure for identifying and mitigating threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise, according to findings from a new Ponemon Institute study.
The report, Security Beyond the Traditional Perimeter, presents the results of a survey sponsored by BrandProtect in which 591 IT and IT security practitioners across all industries were polled about their organizations’ ability to analyze and mitigate online incidents and cyber attacks that fall beyond the traditional security perimeter. Of the respondents, 65 percent were chief information security officers (CISOs) or worked in IT security operations.
The aim of the study was to examine the threats, costs and responses of companies to external internet cyber attacks, including executive impersonations, social engineering exploits, and branded attacks arising outside a company’s traditional security perimeter.
While 59 percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies, most of the respondents also acknowledged the challenge of monitoring and mitigating these threats. Of the respondents, 62 percent said external threats are more difficult to detect than internal threats within the security perimeter, and 52 percent said they are more difficult to contain than internal threats within the security perimeter.
The survey findings indicate a consensus among the organizations involved in the study that external attacks are frequent and the financial costs are significant. The 505 enterprises and financial institutions surveyed said their companies have experienced an average of 32 material attacks against employees, executives, physical assets, locations and IP or brand/reputation over the past 24 months, an average of more than one cyber attack each month. These organizations spent an average of almost $3.5 million to deal with these attacks. The organizations surveyed reported that an average of 30 percent of these attacks were perpetrated via the Internet or social media.
And while the financial cost of a cyber attack can be high, about half of respondents say they worry most about reputational damage following an external attack. Forty percent of respondents say they are concerned about branded exploits and 33 percent say compliance/regulatory incidents are a concern.
The findings also indicate that CISOs and IT security professionals cited an acute need for expertise, technology and external services to address their growing concerns about these external threats.
As noted above, about three-fourths (79 percent) of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).
In addition, 64 percent of security leaders (directors or higher) feel they lack the tools and resources they need to monitor external threats, 62 percent lack the tools and resources they need to analyze and understand them, and 68 percent lack the tools and resources they need to mitigate them.
Respondents identified insufficient risk awareness as the main barrier to an effective cyber threat monitoring approach. Eighty-three percent of respondents believe their organizations are not effective in monitoring the Internet and social media. The main barriers to achieving a more effective monitoring approach are insufficient risk awareness (50 percent of respondents), lack of knowledgeable staff (45 percent) and lack of technologies and tools (43 percent).
“The majority of security leaders understand that these external internet threats imperil business continuity,” Larry Ponemon, president of the Ponemon Research Institute, said in a prepared statement. “The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for enterprises.”
“As external threats explode in both frequency and sophistication, forward-leaning security teams are actively prioritizing external threat detection, intelligence and mitigation in their objectives,” Roberto Drassinower, CEO of BrandProtect, said in a statement, also noting that the majority of enterprises “still have a long way to go.” “Despite losing millions of dollars annually to external and branded exploits, security teams are dealing with a significant readiness gap,” Drassinower said.
According to the responses from the survey participants, CIOs’ and CISOs’ responsibility for threats stops at the perimeter. Responsibility for directing efforts to minimize exposure to business risk stemming from threats on the network or at the security perimeter is concentrated in the chief information officer and chief information security officer function (36 percent and 21 percent of respondents, respectively). In contrast, responsibility for external threats is most often given to the lines of business or no one person, the survey findings indicated.
Looking ahead, cyber threat monitoring is forecast to increase within the next 24 months. According to the report, IT security professionals participating in the survey were asked which security services are implemented for the perimeter, the infrastructure and outside the perimeter today, and which services will be implemented in the next two years, whether in-house or outsourced. Services outside the perimeter are expected to increase both in-house and outsourced. The most significant increase is in cyber threat monitoring, according to 51 percent of respondents. The outsourcing of social media monitoring is also expected to increase significantly: today 11 percent of respondents say social media monitoring is outsourced, and according to 39 percent of respondents this is expected to increase, the report stated.