A new Kaspersky Lab survey finds that the enterprise is a favorite target of cybercriminals, with the average cost of a security breach now totaling $720,000 for a large company.
By Jack Rosenberger
The enterprise is under constant siege from cybercriminals, nation state-supported attackers, corporate spies, and other digital adversaries, according a new report by Kaspersky Lab, which is based on a survey of nearly 4,000 respondents. Of them, 94 percent reported that their company had been the subject of a cyberattack from an external foe during the last year. And 28 percent of the respondents said they had been the victim of a successful cyberattack during the last year—and lost important business data.
The Kaspersky Lab report, "IT Security Risks Survey 2014: A Business Approach to Managing Data Security Threats," is based on the answers of 3,900 respondents from 27 countries, with 54 percent of the participants being mid-sized, large or very large organizations. While the report found that organizations are more concerned about cybersecurity issues, with 38 percent of the respondents saying the protection of confidential information from data leaks is a top priority, it also found that the cost of failure has increased, with the average cost of a data breach totaling $720,000 for a large enterprise.
Here are five of the report's main findings:
Everyone's Under Attack
Every company is a target. The percent of organizations being the target of an external attack continues to climb, with 94 percent of respondents reporting an outside attack during the last 12 months, a three percent increase from 2013.
Targeted Attacks Increasing
Targeted attacks are on the rise. Twelve percent of organizations were the subject of a targeted attack, a three percent increase from the previous year. In general, the larger the company, the more it is concerned about targeted attacks, with 39 percent of very large companies (50,000+ employees) saying targeted attacks are a major threat.
Cybersecurity Risks Are Underestimated
Enterprises grossly underestimate the risks of new cyberthreats, according to the survey. Kaspersky Lab security experts detect an average of 315,000 new types of malicious programs each day. However, when the respondents were asked to estimate the daily number of malware programs discovered, only 4 percent came close to Kaspersky's estimate. In fact, 69 percent of the respondents estimated 10,000 or less new malicious programs were discovered each day.
Concerned About Data
IT managers are most concerned about data and its protection. The top five concerns of IT managers, according to the survey, is protecting highly sensitive data (34 percent), preventing IT security breaches (29 percent), data protection (28 percent), ensuring continuity of service for business-critical systems (23 percent), and understanding the full range of new technologies and how to use them (23 percent).
Security-Incident Costs Keep Climbing
Data breaches are increasing in their cost, especially for large enterprises. The financial price tag for cyberattacks has grown for the second year in a row, with large companies losing $720,000 per data security incident, 14 percent increase over 2013's average loss of $649,000. Data breaches have different costs, depending on their cause, with targeted attacks being the most expensive for enterprises, at $2.5 million per type, followed by third-party failures ($1.9 million) and network intrusions ($1.5 million).
Four Questions for Kaspersky's Chris Doggett
To gain new insights about the report's findings, CIO Insight Managing Editor Jack Rosenberger interviewed Kaspersky Lab North America Managing Director Chris Doggett about some of its topics, including targeted attacks, centralized software updates and employee security training.
CIO Insight: What surprised you most about the survey data and why?
Chris Doggett: The substantial rise in the number of respondents that indicated they had experienced a targeted attack in the past year was a surprise. While we expected that number to rise given the number of breaches that have occurred over the past year, the significant jump to 12%, up from 9% in 2013 and 2012 studies, indicates that more businesses are not only experiencing an attack aimed at their organization, but also reporting the breach.
CIO Insight: Targeted attacks are respondents' number one security concern. How can organizations better protect themselves against targeted attacks?
As we can see from the survey results, many businesses now recognize that the threat of a targeted attack is very harmful for their organization. As a result, it is critical for businesses of all sizes to make protection of their IT infrastructure their top priority by taking this knowledge of an increase in targeted attacks and turn that insight into action by investing in technology, creating effective security policies, and educating employees about cybersecurity. This is especially true given that damages from one successful targeted attack could cost a company as much as $2.54 million for enterprises and $84,000 for small businesses.
CIO Insight: According to the survey data, the most-critical IT infrastructure management task is centralized software updates. Why is this a challenge for so many companies and what should they be doing differently?
Vulnerabilities found in software are an easy way for cybercriminals to gain access to an organization to perpetrate a targeted attack. The challenge for some organizations is management of these updates. A huge proportion of the risks associated with vulnerabilities will be neutralized if the corporate IT infrastructure includes a solution for administrating corporate personal computers with Patch Management functions. The Patch Management function helps to promptly install critical updates in a centralized system, keeping admins abreast of the condition of software running on any workstation within the company's network.
CIO Insight: The Kaspersky Lab report notes that "security software doesn't mean much without effective security policies." What should companies expect security-wise from their employees in terms of responsibilities and accountability?
Employees play a critical role in the security of their organization. As a result, formal training procedures, including expectation and responsibility setting between the organization and the employees is a must. It’s also very important to establish policies and best practices for defining steps in the event of a security incident. Speed is of the essence in these cases to ensure data theft is prevented. As a result, holding employees accountable to report any security incident helps to prevent a serious attack.
What CIOs Can Do
To avoid being the victim of a costly cyberattack, Kaspersky Lab recommends that organizations evaluate and, if necessary, upgrade their security software in order to promptly patch vulnerabilities, protect themselves against targeted attacks, and more; secure their infrastructure, especially production equipment, trade terminals and other systems that are generally left unprotected against cyberthreats; and enforce companywide security policies that outline an employee's responsibilities and accountability when it comes to protecting company data.
About the Author
Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. To read his previous CIO Insight article, "Inside IT With Tech Visionary Charles Araujo," click here.