BreachExchange mailing list archives

Cyber-Attackers Have Advantages, but Enterprises Must Fight Back


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 May 2014 18:26:44 -0600

http://www.eweek.com/security/cyber-attackers-have-advantages-but-enterprises-must-fight-back.html

Over the past three years, the IT security community has gradually come to
the consensus that every company should assume that their systems have been
breached. While the lack of faith in their technology, tools and people
may, on some level, be practical, it should not be a reason to give up,
security experts stress.

The latest report from the Ponemon Institute released this week shows, for
example, the inexorable spread of the idea of an inevitable breach. Of the
more than 4,800 professionals surveyed for the report—which was sponsored
by security firm Websense—51 percent believe that their security measures
will not stop cyber-criminals from stealing valuable data, and another 12
percent were unsure whether their methods would be effective. In addition,
nearly 70 percent of the respondents believed that some cyber-security
threats escaped notice or were not dealt with appropriately, according to
the Exposing the Cybersecurity Cracks report.

On some level, the survey shows that IT security professionals have become
more practical and are less likely to invest in a false sense of security,
Jeff Debrosse, director of security research for Websense, told eWEEK.
Because attackers are able to gain intelligence on corporate defenses, they
have a first-mover advantage and the ability to actively look for
vulnerabilities. Realizing that makes defenders better equipped to prepare
for breaches, he said.

"I know that, as a practitioner, no matter what solution I deploy, no
matter how high-end the solution, at the end of the day, you are still not
going to get 100 percent of the things that that solution is designed to
protect against," Debrosse said.

The barrage of breach news from such well-funded companies as Adobe,
AOL and Target could dishearten IT security workers. Companies continue to
be vulnerable to advanced attacks, with most IT security practitioners
expecting some online attacks to make it past their defenses while nearly
half of executives continue to have a poor understanding of security
issues, the Ponemon Institute's survey data shows.

"The overall analysis indicates that a majority of security professionals
do not feel adequately armed to defend their organizations from threats,"
Larry Ponemon, chairman and founder of the Ponemon Institute, said in a
statement.

Nearly half of breaches have targeted customer data, while 39 percent have
solely focused on, or additionally attempted to steal, intellectual
property.

With the acceptance of these successful compromises, security experts are
recommending that companies build better systems to detect and respond to
attacks. A key problem, however, is that companies are not sharing
information, but attackers are doing so, Debrosse said. Companies should
start looking for opportunities to communicate threats within their
industries as a way to prevent attackers from having simple attacks, he
said.

"Within a vetted group, they could share threat intel," he said. "That can
be really helpful because, even with less people, they are still able to
communicate what they know and what they have learned."

Another problem the survey identified is that security practitioners and
business leaders fail to communicate properly about the impact that
security threats could have on the business. A stunning 80 percent of the
survey's respondents stated that business executives did consider that the
loss of data could lead to lost income. A prior Ponemon study found that
the average loss to a large organization in a data breach reached $5.4
million.

"Executives need to understand that data is the gold and is the currency
that we really work with today," Debrosse said. "Attackers are going after
that."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
