• Reputational, financial costs seen as worst consequences of APTs
• IT execs perceive competitors as the main interested parties that could target their organisations
• Most companies have an incident response plan for advanced persistent threats, but underestimate the complexity of targeted attacks
Almost half (49 percent) of IT security decision makers in the UK say their companies could ‘definitely’ be a target of cyberespionage campaigns using advanced persistent threats (APTs). These complex cyber tools are crafted for high-profile entities and operate by silently gathering sensitive data over long periods. Another 47 percent of respondents say their IT infrastructure could ‘possibly’ be targeted in high-level cyberespionage actions that exfiltrate intelligence systematically.
A small minority are not concerned with APTs
In the past year, top corporations suffered an increase in security incidents and breaches, with a significant rise in documented APTs and targeted attacks aiming at both companies and government entities (such as APT 28 and Netrepser). In fact, less than 4 percent of IT decision makers say APTs are not a real concern in their working environment. Concerns for security are rising, with decisions taken at the board level in most companies. Both IT C-suite decision makers and boards are increasingly concerned about security, not only due to the cost of a breach, but also because the companies’ future is at stake when the most valuable data is exposed to interested attackers.
These findings are revealed in a survey released today by security firm Bitdefender. The study explores, in detail, the pressures APTs place on 1,051 IT security professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany.
The risks aren’t always visible, but they are ever present
Surprisingly, most IT decision makers say it would take a few weeks to a month to detect an APT, but a third say they would need up to a year to uncover modern sophisticated threats. This might show many surveyed IT execs fear but underestimate the potential complexity of these threats.
“Cyberattacks can go undetected for months and, in most cases, breaches stem from zero-days and kernel-level malware,” Bitdefender’s Senior eThreat Analyst Liviu Arsene says. “This is precisely what APTs turn to, because it keeps them from being detected. Kernel exploits and rootkits can evade traditional endpoint security solutions to gain full control over the operating system.”
Most advanced persistent threats are not limited to state-sponsored attacks, as enterprises can also fall victim to attackers that exploit zero-day vulnerabilities to install highly targeted malware to spy on companies and steal intellectual property. Bitdefender’s survey confirms that CISOs perceive competitors as the main interested party that would target their organisations for industrial espionage (52 percent). Hacktivist entities and foreign state-sponsored attackers come second and third, with 51 percent and 50 percent, respectively.
The risks are real, and businesses need to mitigate risks
78 percent of IT security decision makers in the UK reveal reputational damage to their businesses tops the list of the worst consequences they could face if an APT attacker accesses the ‘crown jewels’. Financial costs come second (73 percent), followed by bankruptcy (31 percent). Darker risks even include war or cyber conflicts (23 percent), and the loss of life (16 percent).
Companies mostly fear losing information about their customers (53 percent), followed by financial information (49 percent), intellectual property (37 percent), research about new products (30 percent), information about certain employees (27 percent), product info and specifications (25 percent), and research about the competition (14 percent), said respondents.
A previous study by Bitdefender revealed that companies in the UK would pay an average of £82,000 to avoid public shaming scandals after a breach. Some 5 percent would pay more than £500,000.
As a result, 80 percent of boards of directors address cybersecurity as a serious risk management issue with severe reputation and financial consequences, while only 14 percent haven’t done it so far. Most organisations (55 percent) have an incident response and disaster recovery plan in place in case of an APT attack or massive breach, and 39 percent admit they have started developing such a strategy, currently as a work in progress. Less than 5 percent lack these types of procedures.
Layered security stacks are the way forward
70 percent of UK execs surveyed perceive layered defense, a mix of multiple security policies and tools designed to fight modern threats and penetrations, as the best defense against advanced persistent threats. Security audits, next-gen solutions, traditional security, and log monitoring have been also mentioned by more than a third of the respondents.
The survey, conducted in April-May 2017 by Censuswide for Bitdefender, included 1,051 IT security purchase professionals from large enterprises with 1,000+ PCs and data centers, based in the US, the UK, France, Italy, Sweden, Denmark, and Germany.