According to research by security outfit ISACA, one in five businesses have experienced an Advanced Persistent Threat (APT) attack and only 15 per cent of the surveyed 1,220 security professionals believed that they were prepared for such an assault.
“It is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls,” ISACA's Tony Hayes told reporters.
Andrew Rose, principal analyst for security and risk at Forrester Research, told us that he believed that it was often a case of “when, not if” when it comes to this type of threat, so two-thirds (66 per cent) was a little low.
He said: “Almost every organisation has data of value, and that means that someone is interested in gaining access to it. It would be interesting to see the same question put to senior business leaders; I'm confident that the level of concern would be lower, which is worrying.”
The survey also found that the majority of respondents say that their primary APT defence is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional treats, but not sufficient for preventing APT attacks.
Rose said: “Traditional security controls are often relied upon merely because of their availability. Organisations take time to realise that existing technologies are failing, and then take time to move onto new solutions - when resource and budget are constrained, the latency is extended, so old tools have to suffice.”
The survey also found that nearly 40 per cent of enterprises report that they are not using user security training and controls to defend against APTs, while more than 70 per cent were not using mobile controls, even though 88 per cent of respondents recognise that employees’ mobile devices are often the gateway to an APT attack.
“It's concerning to see such a high percentage of organisations refusing to prioritise user awareness training. This is a relatively cheap control that can make a real; difference; stats show that the vast majority of cyber attacks leverage the human aspect to gain access,” Rose said.
“The 'human firewall' unfortunately, is rarely 100 per cent effective, so it's unlikely to stop truly dedicated attackers, but it's great for preventing the majority of attacks. Just remember - it's not about security awareness, it's about security behaviour - and they are two different things!”
Ben Johnson, security evangelist for Bit9 + Carbon Black, said: “You can’t stop advanced threats and targeted attacks if you can’t see what’s happening. Prevention, detection and response are built on the ability to see all activity on every endpoint and server.”
Dan Raywood is editor of the IT Security Guru