Survey: Most companies see themselves as APT victims

A new report from Enterprise Strategy Group Research says 93 percent of security professionals they surveyed worry a lot about so-called advanced persistent threats.

Before I go further, I should admit that I’ve been somewhat reluctant to write about APT because I think vendors toss the acronym around in unhelpful ways, just like they’ve done with PCI, DLP, etc. Vendors love acronyms. They can always spin them in a way that applies to their products, but it rarely helps the customer understand exactly what they’re dealing with.

And yet security practitioners tell us all the time that they worry about advanced persistence threats. They’re never sure what it looks like, but they know it’s there in some form.

This report, authored by Jon Oltsik, captures the concern.

Some bullet points:

•Almost 75 percent of corporate respondents believe they may be attacked again.

•Nearly half of well-prepared firms say they are vulnerable to future attacks.

•The biggest threats include foreign governments, organized criminals, competitors, and “political hacktivists.”

•Recommendations include aggregated cybersecurity bills and extension of federal programs and resources.

The report is based on a survey of 244 security professionals working at enterprise of 1,000 or more employees in the United States.

The report gives one of the clearest descriptions of APTs that I’ve seen in awhile:

The term “APT” originated in the U.S. Air Force but came into the security lexicon through its association with a cyber attack known as “Titan Rain” in 2003 where hackers gained access and stole data from organizations like Lockheed Martin, NASA, and Sandia National Labs. Over the past year, APTs have gained notoriety because of well-publicized cyber attacks in public and private sector organizations such as Google (2010 compromise of Gmail) and the Oak Ridge National Laboratory (2011 attempted compromise of systems containing nuclear energy research).

Unfortunately, APTs are not limited to military, intelligence, and high-technology targets but rather are occurring within nearly every industry. According to the report, 59% of the survey respondents are “certain” or “fairly certain” that their organizations have been the target of a previous APT attack. Furthermore, 72% of organizations believe they are a “highly likely” or “somewhat likely” target of future APT attacks.

The research also indicates that many organizations are not adequately protected against future attacks: Nearly one-third of the large organizations surveyed believe that they are vulnerable to future APTs. Another key finding of note is that 46% of large organizations that ESG categorized as “most prepared for APTs” (based upon their existing security policies, procedures, and technical safeguards) say they are vulnerable to future sophisticated attacks.

“Security professionals who understand the threat landscape best readily admit that their organizations are not only under attack but also vulnerable,” Jon Oltsik, senior principal analyst at ESG, said in a press release. “Even more frightening, the companies that have already taken proper steps to secure their assets still believe they are vulnerable to APTs. If those organizations with strong cybersecurity policies are vulnerable to APT attacks, it’s safe to conclude that nearly all organizations are vulnerable.”

I do have one criticism of the analysis: It’s laced with words like “frightening” and “alarming.”

Scaring people about APTs doesn’t help them understand what they should be doing.

It’s an interesting read all the same.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a

Get your morning news fix with the daily Salted Hash e-newsletter!