Only 15 percent of organizations worldwide believe their enterprise is very prepared for an advanced persistent threat (APT) attack, and big gaps in employee education and mobile security remain. These findings come from ISACA’s new 2014 Advanced Persistent Threat Awareness Study, which was published today.
The study also found that one in five organizations (21 percent) have experienced an APT attack, and 66 percent believe it’s only a matter of time before their enterprise is hit by an APT. Among the companies that have been attacked, only one in three could determine the source.
APTs are stealthy, relentless and single-minded, and their aim is to take information such as valuable research, intellectual property or government data. In other words, enterprises cannot afford to be anything less than very prepared—and that preparation requires more than just the traditional technical controls.
However, the majority of responding organizations still say their primary APT defense is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional threats, but not sufficient for preventing APT attacks. Nearly 40 percent of enterprises report that they are not using user security training and controls to defend against APTs—a critical component of a successful cybersecurity plan. Worse yet, more than 70 percent are not using mobile controls, even though 88 percent of respondents recognize that employees’ mobile devices are often the gateway to an APT attack.
While more enterprises report that they are adjusting vendor management practices (23 percent) and incident response plans (56 percent) to address APTs this year, the numbers still need significant improvement.
The good news is that more enterprises are attempting to better prepare for APTs this year. The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed.
As part of our new Cybersecurity Nexus (CSX) program, we will offer some of that training through events such as free webinars. We recently kicked off a six-part cybersecurity webinar series, and the third webinar will be all about APTs. I encourage you to attend and learn more about this important topic.
And tell me—do any of these survey findings surprise you? Are they in line with what’s happening at your organization? Respond below or tweet me at @RobertEStroud or @ISACANews.
Robert E Stroud, CGEIT, CRISC
ISACA International President