Most IT and information security leaders are aware of the risk and high cost of external internet cyberattacks, but only a small percentage believe their business is equipped to handle them, according to a study released July 19 by the Ponemon Institute.
The study, sponsored by BrandProtect, aimed to uncover the ability of organizations to address cyberattacks taking place outside their traditional security boundaries. External threats are defined in the study as those which lie outside a company's firewalls and primarily leverage digital channels, such as social media, email, and mobile apps.
The study, Security Beyond The Traditional Perimeter, is based on a Ponemon Institute survey of 591 IT professionals and IT security practitioners working at 505 enterprises in the US. The vast majority of respondents (79%) said security processes for internet and social media monitoring are non-existent, partially deployed, or inconsistently deployed.
This is a major risk, and an expensive one. The 505 organizations included in the study experienced an average of more than one cyberattack each month, and spent an average of $3.5 million to deal with each attack.
Even for a large organization, $3.5 million is significant, said Larry Ponemon, president of the Ponemon Institute, in an interview with InformationWeek.
The study discovered an average of 30% of external attacks were conducted over the internet or through social media. Most companies are not consistently monitoring these threats, and most are not doing what's necessary to ensure high-level security, Ponemon said.
"The protection of intellectual property from external threats is considered important to the sustainability of the company," he said. "The information that could lead to reputational damage could be catastrophic in cases."
When asked which external threats worry their organizations the most, 51% of respondents cited reputational damage. Forty percent of respondents also said they worried about branded exploits, and 33% said they were concerned about compliance and regulatory problems related to these threats.
While monitoring the internet and social media was seen by most respondents as critical to ganing intelligence about external threats, only 17% of respondents said their organizations consistently apply a formal process to do so. More than a third of respondents (38%) said their companies do not monitor the internet or social media to determine external threats their companies face. Another 23% identified their process or approach as informal or ad hoc, while 18% said they have a formal process in place but it is not applied consistently throughout the enterprise. Another 4% of respondents said they could not determine how their companies monitor internet and social media for potential threats.
So, what are companies monitoring, exactly?
When asked to identify the most important monitoring activities to achieve a strong security posture, 62% of respondents cited monitoring mobile apps, 61% cited monitoring social engineering and organizational reconnaissance, and 59% cited branded exploits. Other priorities cited were monitoring for spear-phishing infrastructure (58% of respondents), and monitoring executive and high-value targets (54% of respondents).
However, the ability to stay current on these technologies is lacking at many of the organizations surveyed. More than 80% of respondents believe their businesses are ineffective at monitoring social media and the internet.
"The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for employees," said Ponemon in a prepared statement.
Whose Job Is It?
While CIOs and Chief Information Security Officers are cited in the study as being responsible for directing efforts to minimize exposure to business risk stemming from threats on the network or at the security perimeter, the same is not true of external threats. Responsibility for external threats is most often given to the lines of business, or else no one person in the company is responsible, according to the study.
When asked how involved their company's security leader is in the collection and evaluation of intelligence gained from the internet and social media, only 12% of respondents said such executives were "very involved." Another 24% said their security leader has "some involvement" in the process.
Security leaders surveyed plan to address these shortcomings. Over the next two years, respondents said they plan to increase firewall monitoring in-house, and launch both in-house and outsourced initiatives to drive internal network monitoring.
Outside their security perimeters, companies plan to increase cyber threat monitoring, anti-phishing, social media monitoring, and external domain monitoring through both in-house projects and outsourcing.
Organizations will be consistently challenged to stay current on social media, an ever-changing landscape of new apps and websites. In our interview, Ponemon noted how, without the right tools and right insight, it's almost impossible to keep up.
The key will be in raising organizational awareness and becoming conscious of emerging technologies, he said, as new social sites can contain harmful information and lead to corporate identity theft. There is a possibility it will get a lot worse before it gets better.