A hole in the fence: is there a “partial preparedness” to cyberthreats?

October 17, 2014

Can a business be “partially” prepared to ward off cyberthreats? It’s definitely a subject of debate. Here’s our take:

There is an entertainment media staple: a powerful, very high wall or fence with heavily guarded gates, but with a small hole somewhere away from patrols, watchtowers and spotlights, wide enough for a single person to slip through. We see this in films, video games, comic and books. It’s not always done for comic relief: How else would the hero get into the lair of an evil mastermind plotting to take over the world? Through the hole in the fence, of course.

640

Funny or not, but it’s a textbook theorem that every system is as strong as its weakest point.

We had a debate with a couple of friends recently: Is there such a thing as “partial readiness” in cybersecurity? A student can try to pass an exam knowing two-thirds of the academic course and being clueless about the remaining part. It is even possible that an employer would hire a young IT worker, despite large gaps in their knowledge; say, he or she is great at networks, but has little experience in virtualization.

But partial security is like a unicorn: There’s no such thing. A business may implement an antivirus at every box within its infrastructure, but “suddenly” there is a phishing attack or a fraudulent payment, and things get ugly.

That’s just a theory, but here is the reality: Between April 2013 and May 2014 94% of companies polled for Kaspersky Lab’s Global IT Risk Report have experienced some form of external security threat. However, only 68% have fully implemented anti-malware solutions on their workstations and only 44% employ security solutions for their mobile devices. Only 52% of all businesses surveyed regularly patch or update software – an important task in preventing malware attacks or data breaches.

Well, isn’t that nice? After experiencing a threat, only one-third of more than half of the companies affected did little to protect themselves further. They “partially” upgraded their defenses – plugged a couple of holes leaving a few more wide open.

There’s a lot of misconception and misperception regarding the current threat landscape. The survey above shows 91% of business decision makers underestimate the number of threat samples discovered daily. Just 4% have an accurate idea of the actual number. More to the point, most of us dramatically underestimate this figure, with 70% believing there are less than 10,000 new samples discovered daily. The actual figure, as detected by Kaspersky Lab, is 315,000 new samples. Three hundred and fifteen thousand new malicious programs are intercepted on a daily basis.

wide

Despite underestimating the number of threats, participants in the survey reported a perceived increase in the number of cyber-attacks every year for the last 4 years. This might suggest businesses feel what hits them and the number of attacks keeps growing, but they don’t think (or don’t know or care) about the actual scope. The less you know, the better you sleep. But doesn’t this attitude seem a bit inappropriate for businesses?

Businesses of all sizes have reported rising levels of spam, phishing and DDOS attacks as areas of concern. Corporate espionage and specific, targeted attacks are also on the rise. The number of organizations reporting specific attacks targeting them directly has increased by 5% from 2013, and now stands at 15%.

It doesn’t look like businesses really understand malware is indeed one of the root causes of phishing attacks, DDoS, etc. While there are a number of security measures already being taken, there are still large gaps in IT security systems, regardless of business size. That means the many businesses are only “partially” protected. Essentially, they are “woefully underprepared” for the threats they face – there’s just no real difference between “partially prepared” and “completely unprepared.”

Details of the recent survey are available here.