Organisations not ready for APTs says ISACA
ISACA survey shows awareness of APTs, but many IT departments are not well prepared to tackle them
There is growing familiarity with advanced persistent threats (APTs) among IT security professionals, but many organisations are still not adequately prepared to deal with them, according to a survey by ISACA.
One in five of the organisations surveyed said they had been targeted by an APT, but only 60% think they are prepared to deal with APTs. Fifteen percent felt they were 'very prepared' with a documented and tested plan in place for APTs.
The global survey, now in its second year, canvassed 1,200 Certified Information Security Managers (CISMs) and other information security professionals across 20 industry sectors. Almost all of the respondents said they were somewhat familiar with APTs, and two-thirds expected their organisation to be targeted by an APT at some point.
Loss of personally identifiable information regarding employees or customers was ranked as the highest risk, at 27%, followed by loss of enterprise intellectual property, at 24%.
"APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data," said Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, ISACA's immediate past international president. "In other words, it is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls."
Nearly 40% of enterprises report that they are not using user security training and controls to defend against APTs, a critical component of a successful cybersecurity plan. Worse yet, more than 70% are not using mobile controls, even though 88% of respondents recognise that employees' mobile devices are often the gateway to an APT attack. Firewalls, access lists and anti-virus applications were cited as the most common forms of defence. Only one third have increased awareness training related to APTs.
"The good news is that more enterprises are attempting to better prepare for the APT this year," said Robert Stroud, CGEIT, CRISC, international president of ISACA and a vice president at CA Technologies. "The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them - and more security training is critically needed."