One of the problems with surveys and questionnaires is how honest respondents are — or whether they’re too honest.
That came to mind reading a report from professional services firm Accenture released today of a survey of 2,000 security executives in 15 countries around the world. Roughly one in three “focused and targeted breach attempts” succeeded, they said. Then, the report adds, 75 per cent said they were confident in their cyber security strategies.
“This dissonance may partially result from attempts to toe the company line, but it reveals a cyber security disconnect,” the report concludes.
But later on there’s another number the report throws in: Two out of three respondents say they lack confidence in their organizations’ abilities to monitor internally for breach activities, that is, for insider threats.
This is confusing.
Then there’s an interesting use of terms. The successful attacks weren’t spray and pray spam, but targeted. Given that more attacks on organizations are random, that might account for infosec pros being relatively confident they’re on the right path.
On the other hand, the report may be right about toeing the company line: Who wants to admit, even in an anonymous survey, they don’t have confidence in their strategy? After all, your organization isn’t penetrated every day, is it? …
But another way of looking at it is this: Accenture figures on average an organization will face more than a hundred focused and targeted breach attempts every year. If survey respondents say one in three of these will result in a successful security breach, that’s two to three effective attacks per month.
The report throws in two other factors to consider: First, as often reported, that it takes some time before a breach is discovered, meaning the attacker has lots of time to roam around the network; and second — again as often reported — often the breach isn’t discovered by the IT staff but by employees or outsiders (police, security researchers).
So assuming there is a gap between infosec pros’ confidence in their strategies and the reality of several effective attacks a month, how does it get reduced? Accenture recommends tried and true solutions: An end-to-end approach to cyber security that considers threats relevant to the organization, minimizing business exposure and focusing on protecting priority assets.
To start, the report says, organizations need to answer these critical questions in order to re-frame their cyber security perceptions:
• Are you confident that you have identified all priority business data assets and their location?
• Are you able to defend the organization from a motivated adversary?
• Do you have the tools and techniques to react and respond to a targeted attack?
• Do you know what the adversary(s) is (are) really after?
• How often does your organization practice its plan to get better at responses?
• How do these attacks affect your business?
• Do you have the right alignment, structure, team members, and other resources to execute your cybersecurity mission?
“Effective cybersecurity requires organizations to achieve greater maturity and improve its ability to protect the business from devastating losses,” the report concludes. “Organizations that tie cyber security efforts to real business needs will gain justifiable confidence in their ability to deal with cyber threats.”