An alarmingly large number, about 71 percent, of security professionals think their companies are “not equipped to protect itself against cyber attacks,” according to a study by Narus Inc., a firm which provides security and traffic management software solutions.
“Decision makers or security managers don’t believe they have adequate controls,” said Mike Lee, senior product marketing manager for Websense, an Internet security firm. “It’s a pretty common theme among most of the customers that we talk to. The fundamental reason for this is that a lot of companies have invested today in very basic security controls that protect against sort of very low level, static, known threats. By and large, the landscape has changed significantly and is much more complex than the sort of very static solutions they are prepared to deal with.”
According to the Narus survey, in the past two years 96 percent of security professionals have seen a growing sophistication in cyber attacks, and “many of the newer sophisticated attacks are non signature based or of the nature of advanced persistent.”
Lee explains that advanced persistent threats are very complex threats, often used by very well-funded criminal organizations or nation states to go after specific organizations with custom-designed attacks.
“These threats use multiple attack vectors, that very often target zero day vulnerabilities and that take place over a long period of time,” he added.
“Zero day vulnerabilities” are by definition not covered by existing anti-virus solutions. Because most companies rely only on baseline protections such as anti-virus software, they fall victim to such attacks easily.
Another misplaced notion, which has hampered adoption of security controls by businesses, is the expectation that service providers should provide this protection.
Almost 74 percent of professionals feel this way due to “resource constraints” faced by their organizations and “scarcity of skill sets for security analysts,” according to the Narus survey.
However, Lee argues that a growing number of cyber threats are custom-designed, and that there is no generic technology a service provider can offer to protect an organization against such an attack.
“They are much better set up to provide baseline controls for mainstream threats,” he added.
The data breach at Epsilon, which exposed personal information of millions of customers, fits the description of an advanced persistent attack, according to Lee. Another example of a high-profile cyber attack was the one against Sony, which compromised credit card numbers of customers and resulted in financial damages of more than $171 million.
But it’s not only big businesses that are at risk. The FCC warns that small businesses are increasingly becoming targets of cyber attacks.
“American small businesses lose billions to cyber attacks annually and 74 percent of small and medium businesses report being affected by cyber attacks in the past 12 months. The average cost of these attacks for business, per incident, was $188,242,” according to a press release by the FCC.
During a conference organized by the FCC, Maurice Jones, CEO of Parkinson construction company, said cyber criminals stole $92,000 from his company accounts.
“This is a real problem for small business owners and unfortunately, I learned the hard way,” said Jones at the conference, according to the FCC press release. “But there are relatively simple strategies and steps that small business owners can take to protect their profits – and their customers.”
The FCC released a cyber security tip sheet for small businesses that includes such basic protections as providing firewall security for the internet connection; installing, using and regularly updating antivirus and antispyware software; limiting employee access to data and information; and training employees in security principles.
However, Lee argues that businesses should also focus on more sophisticated protections.
Lee’s three-pronged solution for businesses revolves around “implementing solutions that don’t rely on known attack signatures,” “incorporating data and data protection as part of the attack prevention mix” and “getting various pieces of security infrastructure to work together.”