Today’s information security environment is challenging, to put it mildly. The Cyberthreat Defense Report published last week by CyberEdge Group revealed that 76% of companies fell victim to a breach in 2015 and 62% of the over 1,000 IT security decision makers surveyed expect another one this year. When nearly two-thirds of companies expect a successful breach in 2016, it is a cause for concern. However, keep in mind that only 52% expected a breach in 2015, but 76% reported an incident. For 2014 only 38% expected a breach, but 71% were victims. History tells us that 62% is probably too optimistic and that the actual breach number in 2016 will hit closer to 80% of all businesses, or higher.
“That said, there are signs that pessimism – or perhaps it’s realism – is increasing among respondents, at least in relative terms. To begin with, the differential in the two statistics from above – reflecting the prior year’s actual occurrence of breaches compared to the next year’s expected occurrence of breaches – has steadily decreased in each of the past three years, from a high of 23.0% to the current low of 13.5%. In other words, the degree of optimism is shrinking,” according to a study analysis by the CyberEdge Group.
There’s good reason for this rising pessimism. The rules have changed. IT professionals no longer have complete control over their network as businesses invest in technologies like mobile, social and cloud software. When it comes to defending against cyber threats, mobile devices were identified as security’s weakest link. Survey respondents reported a 65% increase in mobile threats in 2015, and only 4.7% saw a decrease. Mobile devices are often the easiest entry point to target-rich networks for cyber attackers. A 2015 study by Veracode found that, “the average global enterprise has 2,400 unsafe applications installed on employees’ mobile devices.”
The biggest obstacles to effective cybersecurity also appear to be uncontainable: employee practices and device proliferation. As more companies implement BYOD for mobile and utilize cloud software services, their cyber threat exposure rises. Only 30% of survey respondents believe they have the right tools to monitor the activities of privileged users. A PwC survey also found that 86% of enterprises reported exploits of IoT components in 2015, up from only 34% in 2014. This follows logically from a Citrix finding that “The number of devices managed in the enterprise increased by 72% between 2014 and 2015.” Information security professionals must secure more devices and applications than ever before—many of which the enterprise does not control—without the ability to effectively screen for potential vulnerabilities and threats.
Given these facts, it’s no wonder that the Cyberthreat Defense Report results show only 11.6% of respondents believe it’s “not likely” their secure data will be breached in 2016. This is down significantly from the almost 25% who believed that just a year ago. The attack surface is simply expanding faster than the capacity and capabilities of information security teams and tools respectively.
Rising Cyber Attacks
As in any war, a larger attack surface means increased vulnerability because there is more to defend. This puts larger organizations especially at risk. Organizations with over 10,000 employees report “being hit 6 times or more or roughly twice the rate of their smaller counterparts,” according to the CyberEdge Group survey.
The sophistication level of the cyber attacks is also increasing. Average breach detection times exceed 200 days because cyber attackers have become skilled at avoiding the detection traps of the leading cybersecurity vendors. Attackers are also moving faster, according to Symantec’s 2015 Internet Security Threat Report. The report found “2014 had an all-time high of 24 discovered zero days. In total, the top five zero days of 2014 were actively exploited by attackers for a combined 295 days before patches were available.” The same report discovered that attackers are also becoming more efficient. They are going after 20% fewer targets while increasing attacks by 60% on small and medium-sized organizations that have fewer security resources.
The market data is consistent. More problems are on the horizon. However, companies are not standing still. Seventy-five percent of respondents expect their IT security budget to increase in 2016. This includes a finding that, “85% are spending more than 5% of their IT budgets on security. Nearly a third are spending more than 16%.”
Next week we will break down where spending is expected to grow, including the rising interest in information security analytics. The need for new spending and new approaches is clear. But breaches and vulnerabilities are expanding quickly, and even with more realism among information security professionals, historical data tell us they are probably too optimistic.
By Scott Raspa