Cyber-attacks are escalating in sophistication, with an accompanying increase in success rates. A new ISACA global study shows that one in five organizations (21%) have experienced an advanced persistent threat (APT) attack, and 66% believe it’s only a matter of time before their enterprise is hit by an APT.
“APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data,” said Tony Hayes, ISACA’s immediate past international president, in a statement. “In other words, it is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls.”
Yet, echoing other research that shows a big gap between awareness and preparedness, only 15% of enterprises believe they are “very prepared” for an APT attack, defined as having a documented and tested plan in place for APTs. Half (50%) responded that they are “prepared,” which signified having an incident management plan that does not specifically cover APTs. This leaves 35% of respondents not confident that they are prepared to deal with an event triggered by this class of threat.
In addition, among the companies that have been attacked, only one in three could determine the source.
Overall, more than 74% of respondents believe they are ready to respond to APT attacks; this represents a 9% increase over last year’s data. But the majority of responding organizations say their primary APT defense is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional threats, but not sufficient for preventing APT attacks.
This is particularly problematic as APT tactics shift. In 2012, APTs relied heavily on spear-phishing attempts, which often included an attachment or a link that contained malware or an exploit that would ultimately make an APT possible. However, ISACA points out that many APTs now leverage the web as the main attack vector. Watering hole attacks have increased in frequency and often use a browser-based zero-day attack.
In all cases, user awareness is a first line of defense against APTs. But nearly 40% of enterprises report that they are not using user security training and controls to defend against APTs – a critical component of a successful cybersecurity plan. Worse yet, more than 70% are not using mobile controls, even though 88% of respondents recognize that employees’ mobile devices and the BYOD phenomenon are often the gateway to an APT attack.
While more enterprises report that they are adjusting vendor management practices (23%) and incident response plans (56%) to address APTs this year, the numbers still need significant improvement.
“The good news is that more enterprises are attempting to better prepare for the APT this year,” said Robert Stroud, international president of ISACA and a vice president at CA Technologies. “The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them – and more security training is critically needed.”