Survey: Three Of Four Companies Say They’re 'Likely' To Be Hit By Cyber Attack ... Again

In a survey by the research firm Enterprise Strategies Group (ESG), 59% of respondents said their company has been hit by a cyberattack called an "advanced persistent threat" (APT), and 72% believe they’ll be hit again. The report urges IT security professionals to educate company executives about the risks and urges vendors to develop security architectures offering centralized management and distributed enforcement. Lastly, ESG calls upon the U.S. Congress to aggregate multiple cybersecurity bills, get them passed and "extend federal programs and resources to a wider audience."

"There are number of bills. Most of them are in committee. They stay in committee," says Jon Oltsik, senior principal analyst at ESG and the primary author of the report. "They get voted on in committee, and when the Congress changes over, they start over again. This has been going on for years.”

ESG surveyed 244 IT professionals at enterprises of at least 1,000 employees throughout the United States. It showed that APTs--which had originally targeted military, intelligence and high-technology targets--now threaten all industries. The survey also showed that even the 46% of enterprises that believe they are "most prepared for APTs" based on the security they have in place still consider themselves vulnerable to future, more sophisticated attacks.

Oltsik acknowledges that being under attack by an APT is not the same as being compromised, if the network’s defenses are strong enough to prevent a breach. Network monitoring can identify an APT and respond, but it’s chilling how persistent the attacks are.

"If you have experienced an APT, you are just amazed at how persistent the adversary is, how many vectors they try to attack you through, how they learn the network over time, how they navigate around the network and some of the innovation that they use in their attack patterns," he says. "You may be able to detect these attacks in progress, but these are sophisticated attacks, and the question is, 'What didn’t you see?'"

ESG identified five types of APT attackers: organized criminals; competitors conducting industrial espionage; foreign governments; terrorists; and the newest entry, "hactivists"--people who commit cybercrime for political or ideological reasons.

Sen. Joe Lieberman (I-Conn.) chairs the Senate Committee on Homeland Security and Governmental Affairs and is urging support for The Cybersecurity and Internet Freedom Act of 2011, which is the main piece of cybersecurity legislation pending. The legislation would give the Department of Homeland Security (DHS) authority to work with industry to identify and evaluate the risks to the country’s most critical cyberinfrastructure, such as electrical grids, power plants and pipelines. Operators of those assets would then deploy security measures to protect them. The legislation would provide liability protection for companies that implemented DHS-approved plans.

"This framework would produce cybersecurity best practices that would then be available as a model for the private sector," Lieberman wrote in a Washington Post op-ed piece in July that was co-authored by Sen. Susan Collins (R-Maine), the ranking Republican on the committee, and Sen. Tom Carper (D-Conn.), another panel member.

While Congress has other priorities, the cybersecurity threat shouldn’t be ignored, says Oltsik: "I understand there is almost double-digit unemployment and an election coming up and that there are other issues. But this is something that we've been talking about since 1998 and really haven’t made much progress on."

See more on this topic by subscribing to Network Computing Pro Reports Strategy: Malware War (subscription required).