A new report by the Ponemon Institute shows that cyber attacks are costing companies $3.5 million per year, but the majority of businesses don't have the proper strategies to manage these threats.
Cyber attacks may cost businesses big bucks, but that doesn't mean that organizations are prepared for them. According to a report released Monday, 79% of IT and IT security professionals don't have the proper infrastructure to identify and defend against cyber attacks.
The report, Security Beyond the Traditional Perimeter, was based on research conducted by the Ponemon Institute, and sponsored by BrandProtect, was based on answers from 591 respondents from 505 different companies. On average, these companies experienced more than one cyber attack per month, and cost them roughly $3.5 million a year. If that seems like a lot of money, consider the prediction that, by 2019, cyber crime will cost businesses $2 trillion, according to Juniper Research.
"The majority of security leaders understand that these external internet threats imperil business continuity," said Larry Ponemon, president of the Ponemon Research Institute. "The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for enterprises."
SEE: Information security policy template (Tech Pro Research)
This report focused primarily on external threats, such as "socially engineered attacks, executive impersonations, brand-based attacks with ransomware, malware, or other payloads, rogue social domain activity, hacktivism/activism and activities which violate compliance or regulatory requirements."
Of those surveyed, 62% said external threats were harder to detect than internal threats, and 52% said that they were more difficult to contain. That is important because an additional 59% said that "the protection of intellectual property from external threats is essential or very important to the sustainability of their companies."
As noted, despite the potential problems that could be presented in the aftermath of such an attack, nearly 80% of businesses don't have proper security measures in place. Here is how that 79% of responses broke down:
- Security is non-existent - 38%
- Security is ad hoc - 23%
- Security is inconsistently applied throughout the enterprise - 18%
So, what's holding back the security practices at these organizations? Across the board, most respondents said it was a lack of tools and resources.
However, external threat is a broad term and could encompass a variety of threat vectors. Respondents were asked to rank threats from 1-9 in terms of likelihood of occurrence (9 being the most likely), and the rankings were as follows:
- Cyber threats and incidents - 8.21
- Data loss or theft - 7.99
- Branded exploits against customers and the public - 6.78
- Compliance/regulatory incidents - 6.24
- Phishing/social engineering attacks - 5.03
- Denial of service - 4.11 Hacktivism/activism/event/physical threats - 3.42
- Domain-based threats/cyber-attack infrastructure creation - 2.32
- Executive threats / impersonations - 1.91
The next question the report looked at was what exactly these organizations feared as a result of these attacks. The biggest worry was reputational damage, with 51% of respondents. Branded exploits (40%) and compliance/regulatory incidents (33%) were also high on the list.
While 79% were not monitoring the internet or social media for new threats, they did still see it as a critical action. Monitoring mobile apps and cyber incidents were also seen as key actions to help avoid a cyber attack. Additionally, 60% said collecting phishing IP addresses was essential, 59% said malicious mobile app details should be accounted for, and 54% said rogue domain data was important.
As a response to this, many respondents believed that their internal network monitoring and firewall monitoring would increase over the next 24 months.
SEE: 4 security best practices to learn from the FDIC's data breaches (TechRepublic)
In terms of what's holding these organizations back from better monitoring, insufficient risk awareness was the biggest barrier, according to 50% of respondents. Lack of knowledgeable staff was cited by 45%, and lack of technologies and tools was chosen by 43% as well.
A major theme was a lack of tools and resources, but respondents did list the tools and skills that they thought would make them better able to contain external threats. These were ranked 1-7, with 7 being the most important.
- Actionable intelligence - 6.53
- Resilience - 6.01
- Strong security posture - 4.87
- Expert staff - 4.15
- Leadership - 3.55
- Ample resources - 2.31
- Agility 1.67
To view the full report, click here.
The 3 big takeaways for TechRepublic readers
- Nearly 80% of businesses aren't properly monitoring or responding to external cyber threats, according to a report from the Ponemon Institute.
- In total, these attacks are costing businesses $3.5 million a year, and cyber crime will cost businesses as a whole around $2 trillion by 2019.
- A big theme of the report was businesses lacking the tools and resources needed to combat cyber attacks, and they listed actionable intelligence as the tool that would help the most.
- Microsoft doesn't have to give US government foreign data, says court (TechRepublic)
- Now ransomware is taking aim at business networks (ZDNet)
- Simple security: How Gmail, Mailvelope, and Virtru make encrypted email easier (TechRepublic)
- Why AI could be the key to turning the tide in the fight against cybercrime (ZDNet)
- How to develop a bug bounty program (TechRepublic)