Cybersecurity: 2013 is already “the year of the hack”

Many organisations are unprepared to protect themselves against an emerging, relentless cybersecurity danger that threatens national security and economic stability, according to a new global survey.

Advanced persistent threats (APTs) are not easily deterred, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found that 53% of respondents do not believe APTs differ from traditional threats.

This disconnect indicates that IT professionals and their organisations may not be fully prepared to protect themselves against APTs, according to ISACA.

“APTs are sophisticated, stealthy and unrelenting,” ISACA International Vice President Christos Dimitriadis said in a news release. “Traditional cyberthreats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective – and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”

High-profile examples of APTs are thought to include the notorious Google Aurora attack, disclosed in January 2010, and an attack on security, compliance and risk-management provider RSA in 2011. Although APTs are espionage tactics that often are intended to steal intellectual property, according to ISACA, the Google Aurora and RSA attacks show that these threats are not confined to government entities.

Although more than 70% of the IT professionals surveyed said their organisations are able to detect APT attacks, and more than 70% said they are able to respond to APT attacks, their description of controls indicates a misunderstanding and lack of preparation, according to ISACA. Top controls enterprises are using to stop APTs were identified as anti-virus and anti-malware programs (95%), and network perimeter strategies such as firewalls (93%).

But APTs have been known to avoid being detected or deterred by these types of controls. Mobile security controls can be effective but are used much less frequently, according to ISACA. “APTs call for many defensive approaches,” ISACA Director Jo Stewart-Rattray said in a news release.

Those approaches include:

  • Awareness training.
  • Amending third-party arrangements to ensure vendors are well-protected.
  • Implementing technical controls.

An RSA blog on the APT attack it suffered said such threats often target the weakest element in the cybersecurity chain – the humans. An employee in the RSA attack was tricked into retrieving an email from a junk mail folder and opening an attached Excel file.

APT hackers are known to use social media to learn information about employees of organisations. Then they send “spear phishing” emails that may appear legitimate because they are targeted. Ninety per cent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.

Educational training was more prevalent as a defence among organisations that believed they were very likely (82%) or likely (74.1%) to become targets of APT attacks. But a majority of organisations appear to be at risk.

Although just 22% of respondents said they had been subject to an APT attack, 63% said it is only a matter of time before their enterprise is targeted by an APT.

“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cybersecurity for Trend Micro, said in the news release. “… Enterprises are under attack, and they don’t even know it.”

Additional resources:

“Three IT Challenges to Watch for in 2013”: The global IT governance group ISACA is drawing attention to three trends it says will pose major challenges to businesses in 2013. Cybersecurity threats are growing more sophisticated; interest in private or hybrid clouds, rather than public clouds, is expected to increase; and employees and consumers are growing more concerned.

“Microsoft, HP Report Rise in Cyber-Attacks, Offer Advice on Shoring Up Security”: With the frequency and costs of cyber-attacks on the rise, organisations need to update and upgrade their IT security infrastructure and policies. What do movies and music have to do with that process? The article explores how costly free downloads can be.

“Four Ways to Guard Against Lax Cybersecurity”: Cybercriminals aren’t fooled by your simple passwords. They have found ways to crack the code on company data through public-domain searches, KPMG research shows. One cybersecurity expert offers four tips on keeping up your defences.

Risk and Innovation Spotlight: Browse the latest tools, reports and articles offering tips and best practices for the successful management of risk and innovation.

Ken Tysiac is a CGMA Magazine senior editor.