Data Breaches Hit More Organizations in 2014

This year's Cyberthreat Defense Report shows an increase in the number of organizations that admit they were breached.

security breach

As attacks continue to rise, security budgets are increasing, according to the 2015 Cyberthreat Defense Report (CDR), which is based on a survey of 814 security decision makers and practitioners.

More than seven in 10 respondents (71 percent) noted that their networks were breached in 2014, up from 62 percent in last year's study.

The number of organizations with multiple security breach incidents also rose, according to the report, which was written by CyberEdge Group and sponsored by Blue Coat Systems, Citrix Systems, NetIQ, PhishMe, Tenable Network Security, ThreatTrack Security, Webroot, CloudLock, Cylance, Endgame, iSIGHT Partners and Triumfant. In 2014, 22 percent of respondents said their networks were breached six or more times, up from 16 percent in 2013.

More breaches are in store for this year. More than half the study participants (52 percent) said they expect a successful cyber-attack in the next 12 months. In contrast, in last year's report, 39 percent of respondents noted that they expected a successful cyber-attack in the coming year.

The study found that phishing and spear-phishing attacks generate the most concern. "Phishing and spear-phishing attacks keep security professionals up at night because they are effective and low-cost attack vectors," Renee Bradshaw, senior solutions marketing manager, NetIQ, told eWEEK. "As you look at the biggest breaches of the last year, targeted spear-phishing attacks involving malware were at the leading edge of extended campaigns to breach the defenses of victim organizations' networks and exfiltrate sensitive data."

Phishing attacks also serve as a reminder that people are an organization's biggest security threat, Bradshaw said. She noted that phishing emails work over and over again precisely because a person is involved.

The Cyberthreat Defense Report also asked respondents to rank how different factors inhibit an organization from properly defending itself against cyber-threats. The top inhibitor was low security awareness, followed by lack of budget.

"Security teams are finding that keeping sensitive organizational data secure is less about ineffective tools and more about keeping users out of trouble," Bradshaw said.

Looking at security budgets, there is some reason for optimism, with 62 percent of respondents expecting security budgets to rise this year, compared with 48 percent of respondents in last year's report.

The study shows that endpoint security platforms will be a key area of focus in 2015. Slightly more than two-thirds (67 percent) of respondents noted that they intend to either replace or augment existing endpoint security products, compared with 55 percent last year.

For Bradshaw, the biggest surprise in the study was that 23 percent of respondents said they feel "very strongly" that their privileged user monitoring investments are not adequate. "Users with privileged or elevated access can do the most damage simply because they have the most access to our most sensitive data," Bradshaw said. "In particular, the credentials of privileged users are highly prized by cyber-criminals because these users require elevated rights to do their jobs and to keep the business running."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.