About one-third of targeted attempts to breach corporations’ cyber defenses succeed but three-quarters of executives remain unaccountably confident in their security strategies, Accenture Plc reported Wednesday in a survey of 2,000 security officers representing large enterprises worldwide.
The “alarmingly high” failure rate in defending against attacks is compounded by their “sheer volume,” Accenture said in the report, titled Building Confidence: Facing the Cybersecurity Conundrum.
“On average, an organization will face more than a hundred focused and targeted breach attempts every year, and respondents say one in three of these will result in a successful security breach,” the report’s authors write. “That’s two to three effective attacks per month.”
The survey follows recent high-profile data breaches of Sony Corp., Target Corp., the U.S. Office of Personnel Management, leaks from the e-mail accounts of Democratic Party officials, and a denial of service attack on the servers of Dyn Inc. in October that silenced Twitter Inc. and other major internet companies for several hours.
Each year, businesses spend an estimated $84 billion to defend against data theft that costs them about $2 trillion -- damage that could rise to $90 trillion a year by 2030 if current trends continue, according to a forecast earlier this year by Omar Abbosh, Accenture’s chief strategy officer.
Confidence Lacking
Even though more than half of the survey’s respondents say internal breaches cause the most damage, two-thirds say they lack confidence in their organization’s ability to monitor internal threats and the majority continue to focus on defense against external attackers, the report says.
“Cyberattacks are a constant operational reality across every industry today and our survey reveals that catching criminal behavior requires more than the best practices and perspectives of the past,” Kevin Richards, managing director of Accenture Security, North America, said in a statement accompanying the report. “There needs to be a fundamentally different approach to security protection starting with identifying and prioritizing key company assets across the entire value chain.”
Most respondents said it takes “months” to detect successful breaches and 17% said the attacks were only discovered “within a year” or longer. Ninety-eight percent of breaches were reported by employees outside the security team.
Reboot Needed
“To survive in this contradictory and increasingly risky landscape, organizations need to reboot their approaches to cybersecurity,” the report’s authors write. “Ultimately, many remain unsure of their ability to manage the internal threats with the greatest cybersecurity impact even as they continue to prioritize external initiatives that produce the lowest return on investment.”
There is still too much emphasis on compliance, the authors conclude: “Just as adhering to generally accepted accounting principles does not ensure protection against financial fraud, cybersecurity compliance alone will not protect a company from successful incursions.”
Accenture surveyed 2,000 executives from 12 industries and 15 countries in North and South America, Europe and Asia Pacific.
By Matthew Kalman