Data Breach Threat to Businesses Rises to Statistical Certainty: Survey

The latest Ponemon Institute study called the chances of an organization being hacked in a 12-month period a "statistical certainty."

Cyber-attacks are becoming more frequent and severe, with the vast majority of businesses suffering at least one data breach in the past year, according to a new Ponemon Institute survey.

Businesses of all sizes are being hit by cyber-attacks, as 90 percent of surveyed businesses reported at least one IT security breach in the past 12 months, the Ponemon Institute found in its latest report, published June 22. More than half of those respondents, or 90 percent, claimed two or more breaches over the same period. Nine percent reported five or more network intrusions in the past year.

More than half of the respondents had little confidence in being able to prevent another cyber-attack over the next 12 months, according to the survey. About 43 percent of the respondents in the study said there was a significant rise in the frequency of cyber-attacks during the past year, and 77 percent said the attacks had become more severe or difficult to contain, the study found.

"The threat from cyber attacks today is nearing statistical certainty and businesses of every type and size are vulnerable to attacks," the Ponemon Institute said.

After insider abuse, malware accounted for most data breaches, according to the study. The report found that 52 percent of the incidents were the result of malicious insiders. The remainder, or 48 percent, of the breaches were the result of malicious software, either as downloads, embedded on a rogue Website, or distributed by social networking sites, the study found. A mere 19 percent of the breaches could be attributed to system glitches.

Worryingly, 40 percent of the organizations didn't know the source of their security breaches, with only 11 percent saying they knew where the security incident had originated.

"Our survey research provides evidence that many organizations are ill-equipped to prevent cyber attacks against networks and enterprise systems," said Larry Ponemon, chairman and founder of the Ponemon Institute.

Most companies have spent a "small fortune" trying to protect their IT infrastructure from attack, Mark Bower, data protection expert at Voltage Security, told eWEEK. Organizations have implemented network security and monitoring tools, intrusion detection and prevention, data leak and content scanning products as well as identity and access management platforms, Bower said. But attackers are consistently getting past these measures.

"Breaches will happen. Criminals will find a way in if not through the front door, then a back door or a window or by using social engineering or another form of trickery," Bower said.

Organizations need to stop focusing their security measures on the network perimeter or on the endpoint and instead protect the data, according to Bower.

About 59 percent of respondents said the theft of information assets was the most serious consequence of a security breach, followed by business disruption. Nearly 41 percent of the companies surveyed said overall the security breaches had cost them at least half a million dollars to address, when costs such as cash outlays, business disruption, revenue losses, internal labor and overhead were taken into account. Another 16 percent were unable to calculate their losses.

"The size and complexity of today's security threats continue to intensify, leaving organizations and governments vulnerable to cyber attacks," said Mark Bauhaus, executive vice president and general manager of Juniper Networks Device and Network Services business group at Juniper Networks.

The survey, sponsored by Juniper Networks, comes after a barrage of high-profile attacks that have compromised organizations such as RSA Security, Lockheed Martin, and the International Monetary Fund. The report included 583 IT security professionals from the United States, United Kingdom, France and Germany. A little more than half of these professionals worked for companies with more than 5,000 employees.