Over the past three years, the IT security community has gradually come to the consensus that every company should assume that their systems have been breached. While the lack of faith in their technology, tools and people may, on some level, be practical, it should not be a reason to give up, security experts stress.
The latest report from the Ponemon Institute released this week shows, for example, the inexorable spread of the idea of an inevitable breach. Of the more than 4,800 professionals surveyed for the report—which was sponsored by security firm Websense—51 percent believe that their security measures will not stop cyber-criminals from stealing valuable data, and another 12 percent were unsure whether their methods would be effective. In addition, nearly 70 percent of the respondents believed that some cyber-security threats escaped notice or were not dealt with appropriately, according to the Exposing the Cybersecurity Cracks report.
On some level, the survey shows that IT security professionals have become more practical and are less likely to invest in a false sense of security, Jeff Debrosse, director of security research for Websense, told eWEEK. Because attackers are able to gain intelligence on corporate defenses, they have a first-mover advantage and the ability to actively look for vulnerabilities. Realizing that, makes defenders better equipped to prepare for breaches, he said.
"I know that, as a practitioner, no matter what solution I deploy, no matter how high-end the solution, at the end of the day, you are still not going to get 100 percent of the things that that solution is designed to protect against," Debrosse said.
The barrage of breach news from such well-funded companies such as Adobe, AOL and Target could dishearten IT security workers. Companies continue to be vulnerable to advanced attacks, with most IT security practitioners expecting some online attacks to make it past their defenses while nearly half of executives continue to have a poor understanding of security issues, the Ponemon Institute's survey data shows.
"The overall analysis indicates that a majority of security professionals do not feel adequately armed to defend their organizations from threats,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.
Nearly half of breaches have targeted customer data, while 39 percent have solely focused on, or additionally attempted to steal, intellectual property.
With the acceptance of these successful compromises, security experts are recommending that companies build better systems to detect and respond to attacks. A key problem, however, is that companies are not sharing information, but attackers are doing so, Debrosse said. Companies should start looking for opportunities to communicate threats within their industries as a way to prevent attackers from having simple attacks, he said.
"Within a vetted group, they could share threat intel," he said. "That can be really helpful because, even with less people, they are still able to communicate what they know and what they have learned."
Another problem the survey identified is that security practitioners and business leaders fail to communicate properly about the impact that security threats could have on the business. A stunning 80 percent of the survey's respondents stated that business executives did consider that the loss of data could lead to lost income. A prior Ponemon study found that the average loss to a large organization in a data breach reached $5.4 million.
"Executives need to understand that data is the gold and is the currency that we really work with today," Debrosse said. "Attackers are going after that."