According to ESG Research, 20% of large organizations are certain that they've been the target of an APT attack while another 39% say that it is likely they have been targeted. Can organizations detect and react to sophisticated attacks like APTs?
Unfortunately, the answer is likely "no" in both cases. ESG asked 244 security professionals working at enterprise (i.e., more than 1,000 employees) organizations to define their biggest incident response challenges. The list indicates both IT and organizational weaknesses. On the technical side:
- 32% were challenged by a lack of security forensic skills
- 29% were challenged by an overall lack of technical skills within their incident response team
- 26% were challenged by their incident response team's ability to gather relevant information
As for the organization:
- 26% were challenged by a lack of executive management buy-in to incident response policies and procedures
- 25% were challenged by a lack of integration between the incident response and legal team
- 23% were challenged by the lack of a formal external communication plan
- 23% were challenged by the lack of a formal internal communication plan
The data speaks for itself, but as an analyst I have to add my two cents. Large organizations don't have the right skills or tools to know if they are under attack. Furthermore, when they do discover a security breach, IT and business managers run around like proverbial chickens with their heads cut off, not knowing what to do next.
These incident response shortcomings and delays could equate to a whole lot of incremental costs in terms of data breaches, compliance violations, stock valuation, lost business, litigation, and so on.
Clearly there is a lot of work to be done on all fronts. Security professionals need better skills and tools but at least this is fairly well understood. It may be more difficult to convince CEOs and other executives that they need a formal, documented, and tested plan for unavoidable security breaches.
Progressive CEOs will free up funds and increase security budgets in 2012. Leading CEOs will take their organizations to the next level by preparing their organizations to respond to security breaches in an appropriate and timely manner. Unresponsive CEOs may lose their jobs when the public learns that they chose to ignore rather than address cybersecurity risks.
You can read Jon's other blog entries at Insecure About Security.