A group of Canadian infosec pros say the number of cyber attacks their organizations faced increased 17 per cent in 2015 over the previous year, according to a new survey, with just over half admitting sensitive information had either been lost or exposed.
The study, done for Toronto-based systems integrator Scalar Decisions Inc., was compiled from responses of 654 IT and IT security practitioners in Canada in a wide variety of industries. Almost two thirds work at organizations with between 251 and 5,000 employees. Over 16,000 surveys went out, so the response rate was four per cent.
Respondents reported an average of 40 cyber attacks per year. Fifty-one per cent of respondents experienced an incident involving the loss or exposure of sensitive information within the last twelve months, up from 46 per cent of respondents in 2014.
Reflecting other surveys around the world for the past few years, only 37 per cent of respondents believe they are winning the cyber security war, compared with 41 per cent in the previous survey. Insufficient personnel and lack of in-house expertise were again the primary challenges to achieving a strong cyber security posture listed by the Canadians surveyed.
The majority of respondents believe gathering and using threat intelligence is key to winning the cyber security war. Sixty per cent of respondents participate either fully or partially in exchanging threat intelligence with peers, government, and/or industry groups, believing it improves the security posture of their organization, in addition to improving situational awareness.
Seventy per cent of respondents say exploits and malware have been able to evade their intrusion detection systems (IDS), and 82 per cent of respondents say their organizations experienced situations when cyber attacks have evaded their anti-virus (AV) solutions. Only 38 per cent of respondents say their organizations have systems and controls in place to deal with advanced persistent threats (APTs), adding they see an average of almost one separate APT-related incident per month. IT downtime, business disruption, and theft of personal information are the primary consequences of APTs or zero-day threats experienced.
On average, respondents say 25 per cent of employees were targeted by phishing attacks.
Respondents saw an average of five denial of service (DoS) attacks in 2015, or about one every two months. Further, 44 per cent of respondents say their organization experienced a DoS attack that caused a disruption to business operations and/or system downtime.
They also said the cost of business disruptions and system downtimes averaged $1.2 million. Thirty-three per cent of respondents say their firm experienced a loss of intellectual property due to cyber attacks within the past 24 months, with 36 per cent of them believing it caused a loss of competitive advantage. The average cost of the loss of this information was just under $6 million.
The greatest threats to organizations are Web-borne attacks, with 80 per cent of respondents saying these were behind the most frequent compromises, followed by rootkits at 65 per cent of respondents.
On average, over the last 12 months, respondents said their organizations spent approximately $7 million on the aftermath of an attack. It broke down like this: clean up or remediation ($766,667), lost user productivity ($950,625), disruption to normal operations ($1.1 million), damage or theft of IT assets and infrastructure ($1.6 million), and damage to reputation and marketplace image ($2.6 million).
With organizations reporting an average of 40 attacks, this makes the average cost per attack approximately $175,000.
Cyber security spend has increased slightly. On average, respondents estimate their approximate annual budget for IT is $71 million and an average of 11 per cent of this budget is dedicated to information security. This increased slightly from about 10 per cent in 2014.