Even though takeover of privileged accounts is recognised as being by far the most difficult type of attack to deal with, more than half of IT-security and C-level executives believe they can detect a security breach within days and nearly half believe they can stop attackers from breaking into their network altogether.
The figures, contained in CyberArk's new Global Advanced Threat Landscape Survey 2015, suggest that business executives are confident in their security protections – and that technology executives lack confidence in their business leadership, with 43 percent saying they don't believe their CEO and board of directors are providing sound leadership on organisational security strategy.
The findings reflect broad concerns that many executives are overconfident about their security posture – particularly their ability to detect breaches, with many latent malware infections running for months on end before being detected.
Earlier this year, an Osterman Research survey found that 37 percent of respondents said it would take hours to detect a breach, 21 percent said it would take days, and 17 percent said it could take weeks or longer.
These results mirrored those of the new CyberArk analysis, in which 25 percent of executives claimed they could detect a breach within hours, 19 percent within days, and 15 percent within weeks.
Yet both sets of figures are at odds with repeated industry studies that suggest malware is lingering much longer, on average, before it is detected. A 2012 Trustwave study found that malware had an average of 173.5 days to explore the network before being detected. A 2014 Mandiant survey pegged the delay at 229 days, while a 2015 IBM-Ponemon Institute report said it takes 256 days on average to even detect that a breach has occurred.
Even as the delay to detection increases over time, the CyberArk analysis looked at the sources for the breaches – and found that fully 48 percent of CSOs blamed poor employee security habits for security breaches.
This is a counterproductive approach that, CyberArk's analysis warns, is past its time. “Organisations should accept that the security battle has shifted to inside the enterprise network,” the report advises.
“Attackers will always find a way past the perimeter. Security strategies must assume this and focus on limiting attacker movement once they infect an endpoint or trick an employee into clicking a malicious link.”
Some 29 percent believed the sophistication of cyber attacks was the leading factor in most data breaches – which reflects the 70 percent of respondents who said they were concerned about phishing attacks and 72 percent about password hijacking.
Organisational issues were also blamed by some, with 12 percent blaming insufficient security budgets for breaches and 10 percent blaming the lack of CEO or board involvement in infosec strategies.
“Organisations still maintain the belief that they can keep attackers off of their networks with the right security strategy,” the CyberArk analysis notes on the back of the 56 percent of respondents who said they believe they could prevent attacks.
Yet with 56 percent admitting breaches were inevitable, the figures reinforced the need for a broader acceptance of the reality of today's threat profile.
“C-level executives and Boards of Directors can no longer simply state that ‘attacks are too sophisticated’ or ‘employees are to blame for security lapses’,” the CyberArk analysis notes. “This needs to be accounted for in a holistic security strategy that assumes motivated attackers will always find a way to breach a network.”