Alarming results have been announced following a recent survey conducted by the Ponemon Research Institute and Juniper Networks. In their survey, 583 American companies were interviewed on security-related questions. The result seems to correlate with what we have been seeing in the media during the past year: hackers are nearly always successful in their endeavours to break into your company website, and stopping them is no easy task.
The headline figure shows that 90% of companies suffered a computer hack in the past 12 months alone. More often than not, companies are actually suffering from multiple successful attacks from hackers. 77% of the companies that were successfully attacked were actually hacked multiple times. The bar chart below summarises these results.
The respondents reported having a very low confidence in their ability to prevent attacks. Many believe they simply aren’t prepared. 53% also believe they will experience an attack in the next 12 months.
Breaches are also affecting the companies’ bottom lines in a big way. Of all the attacks reported, 41% claimed at least half a million U.S. dollars ($500,000) in damages. It may be even higher, as around a sixth couldn’t determine their losses.
Who Attacked and Where
Most breaches (28%) were determined to have occurred at off-site locations; however, 27% of respondents were willing to blame third-party business partners. Perhaps unsurprisingly, 40% could not conclusively determine the source of the attacks.
Companies reported that they viewed their employees’ laptops as the most common attack vector (34%), followed by employees’ mobile devices (29%: smartphones and tablets). It is unfortunate that the top two most common perceived attack vectors are from the employees themselves.
Company websites are the most vulnerable target as they are accessible by hackers from all over the world and normally contain sensitive customer data. Attacks on websites very often exploit classic SQL injection and cross-site scripting (XSS) vulnerabilities.
What are the greatest barriers to implementing an effective network security strategy? Almost half (48%) of the companies surveyed said that they found security procedures too complex to implement. Another 48% of companies also mentioned a shortage in resources. This suggests a strong correlation. Companies are finding security procedures and practices too complex and thus expensive to implement.
An overwhelming majority (76%) believe that they would be more effective and secure with a simplified and streamlined network security operation. Perhaps the complexity of networks is here to stay and this gives even more reason for companies to invest in good software that can test their networks and websites for common vulnerabilities.
Vulnerability scanners are becoming an increasingly effective way for companies to quickly and continuously detect the ‘low hanging fruit’ and take corrective measures. Some high-end tools also help customers investigate more complex and hard-to-find vulnerabilities in their websites.
Increase in Attacks
The last 12 to 18 months have seen an increase in the severity of the attacks. 77% of companies reported that they were now losing more money and assets with every attack. To make the problem worse, 78% said that the frequency of attacks was also on the increase.
Companies reviewed the breaches that took place and stated that the top two most serious threats were determined to be web-based attacks and SQL injection attacks. Around a third voted hacking as one of the most serious security threats.
As for the consequences of the attacks, companies found that theft of information and business disruptions were the most serious results of a hack. With so much money being lost in breaches, companies need to invest more money into preventative security measures.
Companies can improve their ability to prevent or contain attacks by attaining a better understanding of the technologies, and making better use of security technologies. Understanding the source of the attacks goes a long way to improving security. Companies can address the insider threat by creating a comprehensive, end-to-end security policy.
In today’s environment, having one’s systems hacked is a near-statistical certainty. Chances are that companies are being hacked more than once. According to the statistics in the survey, each successful attack averages 500,000 American dollars. With these sorts of numbers, the new ROI question for security testing is whether your business will still exist a year from now.