Majority of Mid-to-Large U.S.-based Corporations Believe They Have Been the Targets of Sophisticated Cyber Attacks Seeking

November 1, 2011

Tools

Enterprise Strategy Group Research Reveals That 93% of Security Professionals Concerned That Advanced Persistent Threats Pose Unique, Major Threat to U.S. Vital Interests

Almost 75% of corporate respondents believe they may be attacked again.
Nearly 50% of well prepared firms say they are vulnerable to future attacks.
Biggest threats include foreign governments, organized criminals, competitors, and “political hacktivists.”
Recommendations include aggregated cybersecurity bills and extension of federal programs, resources.

MILFORD, Mass.--(BUSINESS WIRE)-- The Enterprise Strategy Group, a leading IT analyst and consulting organization, today announced the availability of a new research report titled U.S. Advanced Persistent Threat Analysis. The report is based upon data gathered from a survey of 244 security professionals working at enterprise (i.e., more than 1,000 employees) organizations in the United States.

Advanced Persistent Threats (APTs) are a type of sophisticated cyber attack used by hackers to steal sensitive data. The term “APT” originated in the U.S. Air Force but came into the security lexicon through its association with a cyber attack known as “Titan Rain” in 2003 where hackers gained access and stole data from organizations like Lockheed Martin, NASA, and Sandia National Labs. Over the past year, APTs have gained notoriety because of well-publicized cyber attacks in public and private sector organizations such as Google (2010 compromise of Gmail) and the Oak Ridge National Laboratory (2011 attempted compromise of systems containing nuclear energy research).

Unfortunately, APTs are not limited to military, intelligence, and high-technology targets but rather are occurring within nearly every industry. According to the report, 59% of the survey respondents are “certain” or “fairly certain” that their organizations have been the target of a previous APT attack. Furthermore, 72% of organizations believe they are a “highly likely” or “somewhat likely” target of future APT attacks. The research also indicates that many organizations are not adequately protected against future attacks: Nearly one-third of the large organizations surveyed believe that they are vulnerable to future APTs. Another key finding of note is that 46% of large organizations that ESG categorized as “most prepared for APTs” (based upon their existing security policies, procedures, and technical safeguards) say they are vulnerable to future sophisticated attacks.

Respondents said they believed the following groups (in order of significance) posed the greatest security threat to their organizations: Political "hacktivists" (i.e., organizations that use computer hacking as a form of protest or civil disobedience), organized criminals, competitors conducting industrial espionage, foreign governments, and terrorists.

“Security professionals who understand the threat landscape best readily admit that their organizations are not only under attack but also vulnerable,” said Jon Oltsik, senior principal analyst at ESG and the primary author of the report. “Even more frightening, the companies that have already taken proper steps to secure their assets still believe they are vulnerable to APTs. If those organizations with strong cybersecurity policies are vulnerable to APT attacks, it’s safe to conclude that nearly all organizations are vulnerable.”

The report presents other alarming data. For example, 93% of security professionals working at enterprise organizations are either “extremely concerned” or “concerned” about APTs and the impact that APT attacks could have on vital U.S. interests such as national security and the economy.

Recommendations

Overall, the data presented in this ESG research report indicates that large U.S.-based organizations may not be adequately prepared for a persistent APT onslaught. Given this situation, the report offers a number of recommendations. IT professionals are advised to educate executive managers about APT risks, assess their existing security defenses, and bolster security analysis and forensic skills. Technology vendors should create comprehensive security architectures offering centralized management and distributed enforcement. Finally, the U.S. Congress must aggregate cybersecurity bills and extend federal programs and resources to a wider audience.

Oltsik added, “Security professionals have the most knowledge about and experience with APTs. This group believes that APTs are real, unique, and extremely dangerous. It is imperative that business executives, IT managers, law enforcement officials, and legislators recognize the risks, accept this warning, understand what’s at stake, and begin to address cybersecurity weaknesses as soon as possible. The longer we delay, the more damage we will likely incur.”

The report is available to current ESG clients and is available for purchase by contacting clientrelations@esg-global.com. The report abstract is available at no cost to all at www.esg-global.com.

About Enterprise Strategy Group

Enterprise Strategy Group (ESG) is an integrated, full-service IT analyst and business strategy firm, world-renowned for forward-looking market intelligence, analysis, and consulting services that deliver proven, measurable results. Recognized as one of the world’s top 10 analyst firms by offering a unique blend of capabilities—including world-class market research, hands-on technical product testing, and expert consulting methodologies such as the ESG Strategy Lifecycle—ESG is relied upon by IT professionals, technology vendors, institutional investors, and the media for actionable IT and business intelligence.

For more information visit: www.esg-global.com.