Only 15 per cent of information security professionals say that they are “very prepared” for a targeted attack, yet one in five have experienced such an incident.
According to a study of 1,220 security professionals by ISACA, 66 per cent believe it’s only a matter of time before their enterprise is hit by an APT. Despite one in five being a victim, only one in three could determine the source.
Steven Babb, international vice president of ISACA, said: “Work remains to be done to ensure that APTs are fully understood and that investment to mitigate this risk is focused in the right areas. ISACA’s recently launched Cybersecurity Nexus programme has been devised to help address cybersecurity challenges, including APTs.”
The ISACA survey found that the majority of responding organisations say their primary APT defence is technical controls such as firewalls, access lists and anti-virus, which ISACA said are not sufficient on their own to prevent APT attacks.
Nearly 40 per cent of enterprises also report that they are not using user security training and controls to defend against APTs, and fewer than 30 per cent are using mobile controls, even though 88 per cent of respondents recognise that employees’ mobile devices are often the gateway to an APT attack.
Mark Sparshott, director of EMEA at Proofpoint, said: “The fact that 50 per cent of security professionals who responded to the survey do not see APTs as highly differentiated from traditional attacks means that 50 per cent of those interviewed should consider a career change.”
While more enterprises report that they are adjusting vendor management practices (23 per cent) and incident response plans (56 per cent) to address APTs this year, the numbers still need significant improvement.
Rory Innes, head of cyber security at the Salamanca Group, told IT Security Guru that nine out of ten businesses do not need to buy new technology to defend themselves, as they can work with what they have already got. “They have got people and process, but they need to convince the C-suite to spend on IT security, and there is always a feeling that they do not know if it makes a difference, but they have to build it into their risk appetite,” he said.
“There is a certain amount of cynicism on the latest trends and what the press write about APTs and breaches, but APTs are not necessarily complex, as they can be done with basic methods, and the attacker is just looking for a return on investment, as most organisations don’t know how to do good change or patch management.”