The latest Ponemon Institute study called the chances of an organization being hacked in a 12-month period a "statistical certainty."
Cyber-attacks are becoming more frequent and severe with the
vast majority of businesses suffering as least one data breach in the past
year, according to a new Ponemon Institute survey.
Businesses of all sizes are being hit by cyber-attacks, as
90 percent of surveyed businesses reported at least one IT security breach in
the past 12 months, the Ponemon Institute found in its latest report, published
June 22. More than half of those respondents, or 90 percent, claimed two or
more breaches over the same period. Nine percent reported five or more network
intrusions in the past year.
More than half of the respondents had little confidence of
being able to prevent another cyber-attack over the next 12 months, according
to the survey. About 43 percent of the respondents in the study said there was
a significant rise in the frequency of cyber-attacks during the past year and
77 percent said the attacks had become more severe or difficult, to contain,
the study found.
"The threat from cyber attacks today is nearing statistical
certainty and businesses of every type and size are vulnerable to attacks," the
Ponemon Institute said.
After insider abuse, malware accounted for most data
breaches, according to the study. The report found that 52 percent of the
incidents were the result of malicious insiders. The remainder, or 48 percent,
of the breaches were the result of malicious software, either as downloads,
embedded on a rogue Website, or distributed by social networking sites, the
study found. A mere 19 percent of the breaches could be attributed to system
Worryingly, 40 percent of the organizations didn't know the
source of their security breaches with only 11 percent saying they knew where
the security incident had originated.
"Our survey research provides
evidence that many organizations are ill-equipped to prevent cyber attacks
against networks and enterprise systems," said Larry Ponemon, chairman and
founder of the Ponemon Institute.
Most companies have spent a "small fortune" trying
to protect their IT infrastructure from attack, Mark Bower, data protection
expert at Voltage Security, told eWEEK. Organizations have implemented network
security and monitoring tools, intrusion detection and prevention, data leak
and content scanning products as well as identity and access management platforms,
Bower said. But attackers are consistently getting past these measures.
"Breaches will happen. Criminals will find a way in if
not through the front door, then a back door or a window or by using social
engineering or another form of trickery," Bower said.
Organizations need to stop focusing their security measures
on the network perimeter or on the endpoint, but rather by protecting the data,
according to Bower.
About 59 percent of respondents said the theft of
information assets was the most serious consequence of a security breach,
followed by business disruption. Nearly 41 percent of the companies surveyed
said overall the security breaches had cost them at least half a million
dollars to address, when costs such as cash outlays, business disruption,
revenue losses, internal labor and overhead were taken into account. Another 16
percent were unable to calculate their losses.
"The size and complexity of today's security threats continue
to intensify leaving organizations and governments vulnerable to cyber
attacks," said Mark Bauhaus, executive vice president and general manager of
Juniper Networks Device and Network Services business group at Juniper
The survey, sponsored by Juniper Networks, comes after a barrage
of high-profile attacks that have compromised organizations such as RSA
Security, Lockheed Martin, and the International Monetary Fund. The report
included 583 IT security professionals from the United States, United Kingdom,
France and Germany. A little more than half of these professions worked for
companies with more than 5,000 employees.