BreachExchange mailing list archives

25% of breaches go undetected for more than a day


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 May 2014 18:46:46 -0600

http://net-security.org/secworld.php?id=16813

Recent data breaches have had little impact on the security controls of
retail and financial organizations, according to Tripwire.

Of the 102 financial organizations and 151 retail organizations in the U.K.
that took part in the survey, 35 percent said it would take as long as two
to three days to detect a breach on their systems. However, according to
the 2014 Verizon Data Breach Investigations Report, 85 percent of
point-of-sale intrusions took weeks to discover and 43 percent of web
application attacks took months to discover.

When asked how important PCI compliance is to their overall security
program, 43 percent of respondents said it was the backbone of their
security program, and 36 percent said it was half of their security
program. In order to protect confidential customer data, organizations must
apply additional security controls.

“It is shocking to see the high level of confidence exhibited by respondents
in the wake of the recent series of high-profile cardholder data breaches,”
said Tim Erlin, director of IT security and risk strategy for Tripwire, in
response to the findings. “Sixty percent of respondents said they are
confident that their security controls are able to prevent the loss of data
files, but this confidence flies in the face of recent evidence to the
contrary.”

Other findings include:

- 24 percent of those studied have already suffered a data breach where
Personally Identifiable Information (PII) was stolen or accessed by
intruders.
- 36 percent of respondents do not have confidence in their incident
response plan.
- 51 percent of respondents are only somewhat confident that their security
controls can detect malicious applications.
- 40 percent of respondents said they do not believe that recent high
profile cardholder breaches have changed the level of attention executives
give to security.

“It is great that recent breaches have increased cybersecurity awareness
and internal dialogue,” said Dwayne Melancon, chief technology officer for
Tripwire. “However, the improved internal communication may be biased by a
false sense of security. For example, 95 percent of respondents said they
would be able to detect a breach on critical systems within a week. In
reality, nearly all of the recent publicly disclosed breaches have gone on
for months without detection.”

Melancon continued: “Furthermore, only 60 percent of respondents believe
their systems have been hardened enough to prevent the kind of data loss
similar to that seen in recent high profile breaches. These attitudes seem
to indicate a high degree of overconfidence or naiveté among information
security practitioners. I believe a number of these organizations may be in
for a rude awakening if their systems are targeted by criminals.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
