Small Businesses in Crosshairs of Cyber-Criminals
Businesses are ill-equipped to deal with cyber-attacks and need to invest now in improving their incident response.

New research shows that CEOs need to put in place robust plans for responding to cyber-attacks or face the consequences.

The Ponemon Institute report, sponsored by Lancope, surveyed 674 IT security professionals and found that CEOs and members of management teams are in the dark about potential cyber-attacks against their companies.

The study "Cyber Security Incident Response: Are we as prepared as we think?" found that 68% of organisations experienced a security breach or incident in the past 24 months, while 46% say that another incident is imminent and could happen within the next six months.

Mike Potts, president and CEO of Lancope, said that headlines from 2013 show that today's enterprises are ill-equipped to identify and halt sophisticated attacks launched by nation-states, malicious outsiders and determined insiders.

"Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis," he said.

The report also found that 80% of respondents do not frequently communicate with executive management about potential cyber-attacks against their organisation, and that breaches remain unresolved for an entire month on average.

Mark Brown, director of risk advisory at EY, said: "Any sector that deals with intellectual or valuable property will be targeted, so it becomes an economic rather than cyber battle and, if this is the case, a security manager can protect for a tenth of the cost.

"As boardrooms take notice, we see demand for security auditors; this has increased in the last 12 months and is going one way, as there are too few people."

The Lancope report also found that organisations are not measuring the effectiveness of their incident response efforts, as 50% of the respondents said that they did not have meaningful operational metrics to measure the overall effectiveness of incident response.

It also found that while most organisations could identify a security incident within a matter of hours, it takes an entire month on average to work through the process of incident investigation, service restoration and verification.
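The "meaningful operational metrics" half of respondents lack are not hard to produce once incident timestamps are recorded consistently. The following is an added example, not code from the report or from Lancope: it takes a handful of constructed incident timelines (the timestamps, the phase names identify/investigate/restore/verify, and the coarse timeline buckets are all my own assumptions) and computes per-phase mean, median and worst-case durations, the share of incidents detected within a day of the first attacker activity, and the distribution of detection-to-closure times across minutes/hours/days/weeks/months buckets, the kind of summary a team can put in front of management each quarter.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """Timeline of one incident. Field names are my own, not the report's."""
    ident: str
    first_evidence: datetime  # earliest attacker activity found during investigation
    detected: datetime        # first alert or report that started triage
    contained: datetime       # investigation complete, attacker access cut off
    restored: datetime        # affected service back in production
    verified: datetime        # clean-up verified, ticket closed


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample incidents for illustration; not data from the survey.
SAMPLE_INCIDENTS = [
    Incident("INC-1", _ts("2013-03-01 00:00"), _ts("2013-03-01 06:00"),
             _ts("2013-03-03 06:00"), _ts("2013-03-04 06:00"), _ts("2013-03-31 06:00")),
    Incident("INC-2", _ts("2013-04-10 00:00"), _ts("2013-04-10 12:00"),
             _ts("2013-04-12 12:00"), _ts("2013-04-12 18:00"), _ts("2013-04-14 18:00")),
    Incident("INC-3", _ts("2013-01-01 00:00"), _ts("2013-03-15 00:00"),
             _ts("2013-03-20 00:00"), _ts("2013-03-21 00:00"), _ts("2013-03-28 00:00")),
    Incident("INC-4", _ts("2013-05-05 10:00"), _ts("2013-05-05 10:30"),
             _ts("2013-05-05 14:30"), _ts("2013-05-05 16:30"), _ts("2013-05-06 16:30")),
]

# Phases in the order the article lists them: identify, then investigate,
# restore and verify. Each entry is (name, start field, end field).
PHASES = (
    ("identify", "first_evidence", "detected"),
    ("investigate", "detected", "contained"),
    ("restore", "contained", "restored"),
    ("verify", "restored", "verified"),
)


def phase_hours(inc: Incident) -> dict:
    """Hours spent in each phase, plus detection-to-closure time ('resolve')."""
    out = {}
    for name, start, end in PHASES:
        delta = getattr(inc, end) - getattr(inc, start)
        if delta < timedelta(0):  # a timeline that runs backwards is a data-entry error
            raise ValueError(f"{inc.ident}: {end} precedes {start}")
        out[name] = delta.total_seconds() / 3600
    out["resolve"] = (inc.verified - inc.detected).total_seconds() / 3600
    return out


def timeline_bucket(hours: float) -> str:
    """Coarse bucket in the style of the DBIR timeline; the cut-offs are my own."""
    if hours < 1:
        return "minutes"
    if hours < 24:
        return "hours"
    if hours < 24 * 7:
        return "days"
    if hours < 24 * 30:
        return "weeks"
    return "months"


def ir_metrics(incidents: list) -> dict:
    """Operational IR metrics a team could report to management each quarter."""
    if not incidents:
        raise ValueError("no incidents to measure")
    per = [phase_hours(i) for i in incidents]
    metrics = {}
    for name in [p[0] for p in PHASES] + ["resolve"]:
        vals = [p[name] for p in per]
        metrics[name] = {
            "mean_h": round(mean(vals), 1),
            "median_h": round(median(vals), 1),
            "max_h": round(max(vals), 1),
        }
    # Share of incidents detected within a day of the first attacker activity.
    quick = sum(1 for p in per if p["identify"] <= 24)
    metrics["detected_within_24h_pct"] = round(100 * quick / len(per), 1)
    # Distribution of detection-to-closure time across the coarse buckets.
    metrics["resolve_buckets"] = dict(Counter(timeline_bucket(p["resolve"]) for p in per))
    return metrics


if __name__ == "__main__":
    for name, value in ir_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name:>24}: {value}")
```

Two design points are worth noting. The median is reported alongside the mean because a single long-dwell incident (INC-3 above, undetected for 73 days) drags the mean time to identify into the hundreds of hours while the typical case is under a day; both numbers are true, and management should see both. And the "resolve" clock starts at detection, not at first evidence, so that it measures the response process the team actually controls rather than how long an attacker stayed hidden before anyone looked.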

Bottom line

The 2013 Verizon Data Breach Investigations Report said that 62% of breaches took "months" to discover, even though the initial compromise itself usually takes only hours.

Wade Baker, principal author of the Verizon Report, said: "The bottom line is that unfortunately, no organisation is immune to a data breach in this day and age. We have the tools today to combat cyber crime, but it's really all about selecting the right ones and using them in the right way."

The Lancope and Ponemon study also found that half of all respondents say that less than 10% of their security budgets are used for incident response activities, while the majority said that their incident response budgets have not increased in the past 24 months.

TK Keanini, CTO of Lancope, said: "While incident response is what this has been labeled, at the business level where executive and board level conversations are taking place, this is an issue of business continuity. Give any VP or executive the choice between catching the bad guy and business continuity when a cyber event occurs, and I'll bet the latter wins every time."

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute and author of the report, said: "The findings of our research suggest that companies are not always making the right investments in incident response. As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organizations to elevate the importance of incident response and make it a critical component of their overall business strategy."

Dan Raywood is editor of IT Security Guru.
