Organizations Overlook Powerful New, Unknown Cyberthreats
By: Homeland Security Today Staff
02/25/2014 (7:20pm)
Among global IT decision-makers who participated in a recent global security survey by Dell, Bring Your Own Device (BYOD), cloud and the Internet were the top areas of concern for security threats.
“A new generation of unknown security threats stemming from megatrends and technologies like BYOD, mobility, cloud computing and Internet usage, as well as internal actions both accidental and malicious, introduce organizations to a multitude of new risks,” Dell said about the survey. “However, the majority of IT leaders around the world say they don’t view these threats as top security concerns and are not prioritizing how to find and address them across the many points of origin.”
“Epidemic threats come from all perimeters, both inside and outside of the organization, and are often hidden in poorly configured settings or permissions, and ineffective data governance, access management and usage policies,” Dell said.
“The dramatic spike in social engineering, malicious and/or accidental internal attacks, as well as sophisticated, advanced persistent threats means the organization is vulnerable from all directions,” Dell noted, stressing that “All stakeholders must immediately take action to strengthen access to points inside and outside the perimeter, and help users prevent such attacks.”
Its global security survey of leading public and private sector security decision-makers gauged their awareness of, and preparedness for, this new wave of threats plaguing IT security.
The survey “revealed that 76 percent of IT leaders surveyed (93 percent in the United States) agree that to combat today’s threats, an organization must protect itself both inside and outside of its perimeters. This requires not only a comprehensive set of solutions that protects from the inside out and the outside in -- from the endpoint, to the data center to the cloud -- but one that also connects these capabilities to provide deeper insights and stronger predictive analytics so that strategic action can be taken quickly.”
However, the survey found that while security breaches cost US organizations an estimated $25.8 billion annually, “many fail to effectively recognize and prioritize the next big wave of risk to IT security from unknown threats.”
Eighty-three percent said their current security processes enable IT to immediately identify a security breach, but the actual detection of the breach took seven hours on average.
Furthermore, while nearly three-quarters of organizations surveyed admitted to experiencing a security breach within the last 12 months, only 18 percent consider predicting and detecting unknown threats a top security concern.
“In fact, when respondents were asked to look at long term priorities, only 37 percent ranked unknown threats as a top security concern in the next five years,” Dell’s survey found.
With regard to BYOD security, “A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk,” according to the Dell white paper on the survey.
Ninety-three percent of organizations surveyed allow personal devices for work, and 31 percent of end users access the network on personal devices (37 percent in the United States).
Forty-four percent of respondents said instituting policies for BYOD security is of high importance in preventing security breaches, while 57 percent ranked increased use of mobile devices as a top security concern in the next five years (71 percent in the UK).
Twenty-four percent said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches.
Similarly, another recent security survey by ITIC/KnowBe4 found that 53 percent of businesses are unprepared to deal with hacked or stolen corporate and employee-owned BYOD devices, even though 50 percent of these same businesses indicated company-owned tablets, laptops and smart phones may also have been hacked in the last year.
When it comes to cloud security, “Many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications,” Dell said, noting that the “survey findings prove these stealthy threats come with high risk.”
Seventy-three percent of respondents report their organizations currently use cloud services (90 percent in the United States), and nearly half (49 percent) ranked increased use of cloud as a top security concern in the next five years, suggesting unease for the future as only 22 percent said moving data to the cloud was a top security concern today.
In organizations where security is a top priority for next year, 86 percent are using cloud services and 21 percent said cloud apps or service usage are the root cause of their security breaches.
“The significance of the unknown threats that result from heavy use of Internet communication and distributed networks is evidenced by the 63 percent of respondents who ranked increased reliance upon internet and browser-based applications as a top concern in the next five years,” Dell’s survey found.
More than one-fifth of respondents said they consider infection from untrusted remote access (public wifi) among the top three security concerns for their organization and 47 percent identified malware, viruses and intrusions often available through web apps, OS patching issues and other application-related vulnerabilities as the root causes of breaches.
Seventy percent are currently using email security to prevent outsider attacks from accessing the network via their email channel.
“Traditional security solutions can defend against malware and known vulnerabilities, but are generally ineffective in this new era of stealthy, unknown threats from both outside and inside the organization,” said Matt Medeiros, vice president and general manager, Dell Security Products, Dell Software Group.
“These threats evade detection, bypass security controls, and wreak havoc on an organization’s network, applications and data, but despite these dangers, our study found, among those surveyed, organizations are just not prepared,” Medeiros said. “There is still a disturbing lack of understanding and awareness of the type of impact and detriment caused by the unknown threats that can come from both sides of an organization’s data flow. As a result, we believe a new security approach is needed -- one that’s embedded in the fabric of software, governing access to every application and protecting every device, both inside and outside a corporate network. Only then, with this connected security approach, will organizations have a chance at keeping one step ahead of these epidemic threats that can significantly damage their network.”
“All threats expose an organization to significant risk, but unknown threats, particularly, are silent predators that can have profound and catastrophic implications on performance and continuity,” said Stacy Duncan, vice president, IT, DavCo. “At the same time, compliance demands are ever-growing in complexity. We took proactive steps to guard ourselves both from inside and outside of our perimeters. As a retailer, we take all possible measures to protect our customers, while ensuring PCI compliance for our stores.”
“In today's increasingly complex threat landscape, one of the most common threats comes from employees who download and install unauthorized software, without understanding the potential risks associated with their actions,” said Will Markham, security practice lead, Colt Enterprise Services. “Unfortunately, organizations are not always able to identify new vulnerabilities quickly enough. This is compounded by the anytime, anyplace, anywhere nature of accessing business data -- everywhere from inside the network to application layers and mobile devices. As an international IT services company, protecting our customers’ information is critical, and we are constantly working to ensure that all measures are in place to ensure their data is secure at all times.”
Mary Hobson, director of eResearch South Australia, said, “Although cloud presents massive opportunities for corporate IT in terms of cost savings, security issues are rising to the forefront. Hosting software in the cloud presents security issues that have to be tackled in a thoughtful and connected way, versus in silos or traditional perimeter defenses. In protecting our cloud and making it the best possible platform for our researchers, our strategy includes a sharper focus on security threats that originate both from the application layer and from internal users who may threaten our network either intentionally or by accident.”
Other key findings include:
- 64 percent of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the United States, 85 percent said this approach is needed, contrasting with the UK (43 percent) and Canada (45 percent), which were the least convinced this would be necessary.
- Nearly 90 percent of respondents believe government should be involved in determining organizations’ cyber defense strategies, and 78 percent in the United States think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector.
- 67 percent of survey respondents say they have increased funds spent on education and training of employees in the past 12 months; 50 percent believe security training for both new and current employees is a priority.
- 54 percent have increased spending in monitoring services over the past year; this number rises to 72 percent in the United States.