July 9, 2014 - An ISACA global study released today shows that one in 5 organizations (21 percent) have experienced an advanced persistent threat (APT) attack, and 66 percent believe it's only a matter of time before their enterprise is hit by an APT. Yet only 15 percent of enterprises believe they are very prepared for an APT attack. And among the companies that have been attacked, only one in three could determine the source.
ISACA, a global association serving 115,000 IT security, risk, assurance and governance professionals, conducted the study of 1,220 security professionals to determine how APTs have evolved from 2013. The 2014 APT study is the first research project released as part of ISACA's new Cybersecurity Nexus.
"APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data," said Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, ISACA's immediate past international president. "In other words, it is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls."
The majority of responding organizations say their primary APT defense is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional treats, but not sufficient for preventing APT attacks. Nearly 40 percent of enterprises report that they are not using user security training and controls to defend against APTs—a critical component of a successful cybersecurity plan. Worse yet, more than 70 percent are not using mobile controls, even though 88 percent of respondents recognize that employees' mobile devices are often the gateway to an APT attack.
While more enterprises report that they are adjusting vendor management practices (23 percent) and incident response plans (56 percent) to address APTs this year, the numbers still need significant improvement.
"The good news is that more enterprises are attempting to better prepare for the APT this year," said Robert Stroud, CGEIT, CRISC, international president of ISACA and a vice president at CA Technologies. "The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed."
The full APT study report is available online. Additional guidance on APTs will be discussed in more depth in a free ISACA webinar on 30 September, titled Advanced Persistent Threats.
With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.