The average organization faces more than 100 focused and targeted cybersecurity attacks each year, and respondents to a recent survey say one in three of these attacks will result in a successful security breach. That’s two to three effective cyberattacks per month. Despite that admission, 75 percent of the security executives responding to the survey said they are confident in their ability to protect their organization.
Accenture surveyed 2,000 enterprise security practitioners representing companies with annual revenues of $1 billion or more in 15 countries about their perceptions of cyber risks, the effectiveness of current cybersecurity efforts and the adequacy of existing investments. A resulting report, “Building Confidence: Facing the Cybersecurity Conundrum,” notes that, according to the survey’s respondents, the length of time taken to detect security breaches often compounds the problem. Surprisingly, more than half of the executives (51 percent) said it takes months to detect sophisticated breaches—and as many as a third of the successful breaches aren’t discovered at all by the security team.
“Cyberattacks are a constant operational reality across every industry today, and our survey reveals that catching criminal behavior requires more than the best practices and perspectives of the past,” says Kevin Richards, managing director, Accenture Security, North America. “There needs to be a fundamentally different approach to security protection, starting with identifying and prioritizing key company assets across the entire value chain. It’s also clear that the need for organizations to take a comprehensive end-to-end approach to digital security—one that integrates cyber defense deeply into the enterprise—has never been greater.”
Interestingly, even though more than half of the survey’s respondents said internal security breaches cause the most damage, two-thirds of the survey respondents said they lack confidence in their organization’s ability to monitor internal threats. What’s more, most respondents said it takes “months” to detect successful breaches, and 17 percent said the attacks were only discovered “within a year” or longer. Furthermore, 98 percent of the security breaches were reported by employees outside the security team.
High-profile cyberattacks—such as the data breaches at Sony Corp., Target, and Home Depot; leaks from the e-mail accounts of Democratic Party officials; and, most recently, a massive distributed denial of service attack on the servers of Dyn that shut down Twitter and other major Internet companies for several hours—have driven significant increases in cybersecurity awareness and spending, the report notes. Even so, the sentiment among the surveyed executives suggests organizations will continue to pursue the same countermeasures rather than investing in new and different cybersecurity controls to mitigate threats.
For example, given extra budget, half of the respondents indicated they would “double down” on their current cybersecurity spending priorities—even though those investments haven’t significantly deterred regular and ongoing breaches. These priorities include protecting the company’s reputation (cited by 54 percent of the respondents), safeguarding company information (47 percent), and protecting customer data (44 percent). Far fewer executives indicated they would invest the extra funds in efforts that would directly affect the organization’s bottom line, such as mitigating financial losses (cited by 28 percent of the respondents) or investing in cybersecurity training (17 percent).
What are your thoughts on increasing cybersecurity? Do you see too much fixation on external threats and not enough attention being paid to internal threats?