A recent report from IBM titled “2014 Cyber Security Intelligence Index” provides an up-to-date, high-level overview of the major threats facing organizations today and the trends being seen in the evolution of the threat landscape. With data gathered through the monitoring of clients’ technology platforms worldwide and analysis of the security intelligence gleaned, it describes the types of attacks being seen and their impact on organizations.
The report describes the threat landscape as dominated by well-funded and businesslike adversaries using extremely sophisticated, targeted attacks. However, organizations are still falling foul of negligent employees who continue to put businesses at risk, and security investments made in the past are not up to the task of protecting against the new classes of attack.
Organizations Overlooking the Fundamentals
As a result, the report postulates that organizations may be more vulnerable than they think and are not doing enough in the battle against cyber crime. Just 23 percent use cloud security protection, 32 percent have access to the latest threat intelligence and only 43 percent perform penetration testing or ethical hacking. Overall, it found that up to 40 percent of organizations are missing critical security protections. This shows that organizations are overlooking the IT fundamentals that can enhance their ability to mitigate risk.
Security Events on the Rise
The threat landscape continues to expand. In 2013, the number of security events increased by 12 percent over 2012, reaching 91 million events in 2013. Organizations need to respond by implementing more up-to-date security controls that are more proactive in nature. In particular, the need for security intelligence tools, supplanted by human analysis of the most serious incidents, is stark. IBM researchers state that security intelligence makes it possible to reduce millions of cyber security events suffered in any given year to an average of 16,900 attacks, which amounts to an average of 109 incidents per organization per year.
Reputations on the Line
Of all the incidents analyzed by IBM’s computer security incident response team, just 3 percent can be classified as “noteworthy” because the level of security impact is sufficiently high. The most common impact of such noteworthy events is data disclosure and theft, which can have huge consequences for an organization’s reputation. IBM’s research shows that 61 percent of organizations say that data theft and cyber crime are the greatest threats to their reputation.
According to research from the Ponemon Institute regarding the economic impact of IT risk and reputation, “substantial events,” which would largely equate to the definition of noteworthy, account for 75 percent of the total costs resulting from security incidents but for 92 percent of costs related to reputation and brand damage, which are the single largest category of costs at an average of $5.3 million per substantial event.
Human Error Looms Large
As the old saying goes, to err is human. But those errors are extremely costly: The “Cyber Security Intelligence Index” found that 95 percent of all security incidents involve human error, from misconfigurations and poor patch management practices to the use of insecure or default credentials, the loss of equipment or the disclosure of sensitive information through careless mistakes. Social engineering tactics are increasingly favored by attackers, highly targeted against specific individuals with the aim of tricking them into providing access to networks and the sensitive data they contain. While there are some technology safeguards for some problems caused by human error, IBM researchers state that the best strategy is to educate employees on an ongoing basis so that they are able to identify and defend themselves against suspicious communications and potential risks to their organizations.
Malicious Code, Sustained Probes Dominate the Cyber Security Landscape
Together, the use of malicious code and sustained probes or scans by outsiders account for a total of 58 percent of incidents seen by organizations. In many cases, malware and probes go hand in hand, with probes used to identify targets before malware is unleashed. However, a category of attack that has increased considerably is that of unauthorized access to systems, accounting for 19 percent of incidents, up 6 percent over the previous year. This is often the third prong of the attack, following probes and the use of malware to gain access to networks and then elevate privileges once a foothold has been gained. This is in line with the rise of highly targeted attacks, and they will likely only increase. No matter how savvy some employees are, there will always be weak links and attacks will be successful. The onus is on organizations to upgrade their ability to continuously monitor their networks for any signs of suspicious or abnormal activity, looking for signs of both unauthorized access as well as suspicious traffic activity.
Organizations Must Act Now
IBM’s report should be a call to action for many organizations, as the results of this research show that they are more vulnerable to cyber security incidents than they apparently think they are. It cautions that criminals will not relent and, unless organizations have full, real-time visibility into events affecting their networks, those criminals will succeed. All organizations should take heed — not just those with valuable intellectual property, customer information or high public visibility. Everyone is a target, and every organization should consider the possibility — perhaps probability — that they have already been breached. The stakes are high, and the time to act is now.