According to a global study by the consulting firm PwC, many companies today have installed traditional security measures. Also Kaspersky Labs comes in an audit to the conclusion that many companies are not up to date. Kaspersky.
“In other words, most organizations are currently defending themselves against yesterday’s threats while their attackers exploit tomorrow’s vulnerabilities,” said Derk Fischer, PwC’s information security expert.
In the global study, PwC shows that while the risks to information security have changed dramatically. However, corporate security strategies would not keep pace with this development. Thus, companies offer more attack surfaces.
This is the result of the global CyberCrime study ” Defending yesterday “. PwC surveyed more than 9,600 IT and security managers and executives from 115 countries. Also 388 German companies come in the investigation to speak. The study is available for free.
The study shows that highly specialized cybercriminals can bypass so-called perimeter protection mechanisms to perform advanced persistent threats (APTs). On the other hand, companies are processing ever larger volumes of data, and cloud computing or the use of private devices in the enterprise (BYOD) are delivering new attack vectors for the attackers.
On average, according to the study, the number of security incidents in the past 12 months has risen by 25 percent, from 2989 to 3741. According to the estimates of the respondents, hackers are responsible for 32 percent of the attacks, 14 percent suspect competitors behind the attacks on their data, and 12 percent blame organized crime. Only four percent suspect that behind attacks foreign states are.
But although PwC is assuming obsolete security measures, there is a growing willingness to invest in IT security: In 2013, an enterprise spends an average of $ 4.3 million on IT security, about 51 percent more than in 2012. The year saw companies launch about $ 2.8 million.
According to the study, 47 percent of respondents already use cloud computing (SaaS, PaaS, IaaS). And 59 percent of those cloud users say security has improved through the use of these technologies. However, only 18 percent of companies also claim to have improved cloud security with special measures, or have included these in the security policy.
PwC security specialist Fischer concludes: “This shows that new technologies such as cloud computing or the mobile connection of employees are already implemented before they are secured.”
Security vendor Kaspersky Lab , which has partnered with vulnerability management specialist Outpost24 to conduct a security audit of various European companies and public institutions , also refers to the timeliness of threats. However, this shows that many companies do not fix known security leaks. Hackers could do a lot of damage without having to resort to zero-day exploits.
On average, according to the joint investigation, it takes between 60 and 70 days for companies to roll out a patch for a vulnerability. This leaves enough time for hackers to gain access to corporate networks via known security leaks. So-called social engineering methods are popular with attackers. They do not gain direct access to the company’s internal network, but try to manipulate the employees.
Typically, critical security vulnerabilities are eliminated within three months. However, 77 percent of leaks that are not resolved within this time frame can be proven even after more than a year. The security audit even revealed weaknesses in enterprise systems that have not been addressed in the last decade.
“Companies are spending so many valuable resources uncovering potential vulnerabilities of tomorrow. They completely overlook the need to eliminate current and even past security threats, “said Martin Jartelius, Outpost24’s Chief Security Officer. “Companies need to understand that cybercriminals can gain control over large parts of the corporate network, even if they do not use new attack methods. The reason is often lack of safety practices, faulty configured safety devices or insufficiently trained staff. Businesses are good at implementing integrated security solutions and interlinking them closely with their business processes. “
David Jacobi, security expert and co-author of the audit, explains in a blog that most attackers do not rely on the latest technology, but instead use old leaks. “We are strangely inclined to take effective care of new threats while forgetting existing ones.”