Security Breaches Near ‘Statistical Certainty’: Study

A study has found that 90 percent of organisations suffered a security breach in the past 12 months

Businesses of all sizes are feeling a growing lack of confidence about their ability to prevent attacks on their networks, as the frequency and cost of security breaches continue to rise, according to a study published on Wednesday by the Ponemon Institute.

The study, sponsored by Juniper Networks, found that 90 percent of businesses had been hit by at least one IT security breach in the past 12 months, with more than half, or 59 percent, citing two or more breaches in that period.

‘Statistical certainty’

“The threat from cyber attacks today is nearing statistical certainty and businesses of every type and size are vulnerable to attacks,” the Ponemon Institute said in a statement.

The survey comes on the heels of a string of high-profile cyber-attacks that has targeted organisations including security vendor RSA, Lockheed Martin, the International Monetary Fund, the FBI and the CIA.

The explosion of mobile devices has contributed significantly to businesses’ sense of insecurity, with laptops and other mobile kit seen as the most likely points from which attacks are launched against a company, the study found.

Employee laptop computers were the source of 34 percent of breaches, while employee mobile devices were the source of 29 percent of breaches, Ponemon found.

Forty-eight percent of breaches were caused by a malicious software download, 43 percent by malware encountered on a website and 29 percent by malware encountered via social media. System glitches caused 19 percent of breaches, and malware from text messages caused 3 percent.

However, most organisations didn’t know the source of all of their security breaches, with only 11 percent saying they knew where all of their security incidents had originated.

The companies surveyed said overall the security breaches had cost them at least half a million dollars to address, when costs such as cash outlays, business disruption, revenue losses, internal labour and overhead were taken into account.

Data theft

The most serious consequence of a breach, according to 59 percent of respondents, was the theft of information assets, followed by business disruption.

Forty-three percent of the companies in the study said there had been a significant rise in the frequency of cyber-attacks during the past 12 months and 77 percent said the attacks had become more severe or difficult to contain, Ponemon said.

As a result more than one-third of the respondents said they had “low confidence” in their ability to prevent a network security breach, the study found.

The 583 US-based participants in the study ranged from smaller organisations with fewer than 500 employees to enterprises with more than 75,000 staff. The study was based on an online survey conducted over a five-day period in June.

The survey shows that current IT security systems are not keeping up with the challenges facing them, despite many organisations – 28 percent – earmarking more than 10 percent of their budgets to security, according to Ponemon.

“This study suggests conventional network security methods need to improve in order to curtail internal and external threats,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.

Prevention vs. quick response

As a result of the rising certainty of security breaches, some industry observers have suggested organisations should turn their attention to preparing to detect and respond to an incident, rather than to preventing attacks.

The Ponemon survey found that 16 percent of organisations had quick detection of and response to security incidents as their primary security focus, while 32 percent continued to focus primarily on preventing attacks. About 25 percent said they were focused on aligning security controls with industry best practices.