Philip Cao

Stay Hungry. Stay Foolish.

APT Study: The Good, the Bad and the Key Takeaways


Today at the CSX North America conference in Washington DC, ISACA released its annual Advanced Persistent Threat Survey of 660 cybersecurity professionals across the globe. Advanced persistent threats (APTs) continue to capture the spotlight in the wake of their successful use to launch several high-profile data breaches. The third in a series of studies from ISACA’s Cybersecurity Nexus (CSX) that are designed to uncover information security professionals’ understanding and opinions of APTs, technical controls, internal incidents, policy adherence and management support, this report reveals positive trends since the 2014 survey.

The good news is that improvements can be seen in the level of awareness of the unique aspects of APTs and the benefits of addressing them through a variety of countermeasures. A strong correlation clearly exists between the perceived likelihood of an APT attack on the enterprise and the enterprise’s adoption of improved cybersecurity practices. Yet, not all avenues for APT intrusion are fully locked down. Mobile device security is lagging, despite acknowledgment that the “bring your own device” (BYOD) trend increases APT risk, and a preference is seen for technical controls over education and training, even though many successful APT attacks gain entry by manipulating individuals’ innate trust and/or lack of understanding.

Every year, the damage and costs related to cyberattacks multiply at a shocking rate. Major cyberattacks targeting financial, retail, healthcare, government and the entertainment industries have resulted in tens of millions of exposed records, billions spent on remediation and significant damage to many brands. Cybercriminals continue to exploit individuals and enterprises while increasing profits from more than US $300 billion in 2012 to an estimated US $1 trillion in 2014. Juniper Research has predicted that their profits will top US $2 trillion in 2019.

Social engineering remains at the center of APT activity to gain footholds into information systems. Early efforts began with phishing, then evolved to spear phishing, and proceeded on to whaling, which often included an attachment or a link that contained malware or an exploit. However, over the past three years APTs have moved on to the Internet as the main attack vector (e.g., web sites, social media and mobile applications).

As the threat vector continues to evolve, concern remains due to the fact that many organizations are dependent on interconnected relationships to perform key business functions, yet 75 percent of respondents have not updated agreements with third parties for protection against APTs. Gaps in third-party relationships have resulted in many significant breaches because attack visibility is limited. This may be a contributing factor to survey data indicating that 28 percent of respondents have been subject to an APT attack.

However, overall positive change is occurring as a result of the recent high-profile breaches. There has been a significant increase in leadership involvement. Nearly two-thirds of the survey participants (62 percent) indicate that their organizational leadership is becoming more involved in cybersecurity-related activities, and 80 percent see a visible increase in support by senior management. This is a significant positive first step in combating the APT.

One thing is clear: to ensure organization cyber resiliency, action is needed from the boardroom to the break room. Everyone plays an important part.

Montana Williams
Senior Manager of Cybersecurity Practices, ISACA

[ISACA Now Blog]

Copyright © 2006-2022 Philip Hung Cao. All rights reserved