While IT security spending is increasing, confidence is falling. In surveying more than 800 security decision makers and practitioners, the CyberEdge Group found that more than 70 percent of respondents’ networks had been breached in 2014 — up from 62 percent in 2013 — with more than 20 percent breached six times or more.
For the first time, a majority of respondents (52 percent) now believe a successful cyber attack is likely in the coming year — up from 39 percent in last year’s report.
Key findings include:
No shortage of cyberthreat challenges. In 2014, 71 percent of respondents’ networks were breached with 22 percent of them victimized six or more times. This is a significant increase from the preceding year, which saw 62 percent of respondents’ networks breached, with 16 percent of them victimized by six or more successful cyber attacks.
Waking up to a new reality. A majority (52 percent) of respondents felt that a successful cyber attack against their network was likely in the next 12 months, compared to just 39 percent in 2013.
Phishing, malware, and zero-days top of mind. Of 10 designated categories of cyberthreats, phishing/spear-phishing, malware, and zero-day attacks are perceived as posing the greatest risk to responding organizations. Denial of service attacks, watering hole attacks, and drive-by downloads are of least concern.
Security spending continues to rise. Survey results indicate that 62 percent of respondents expect their security budgets to increase this year, up from 48 percent last year. Respondents also indicate that, on average, 6-10 percent of their organizations’ IT budgets are spent on security, with one in five organizations spending 16 percent or more.
Enterprise mobility management holds firm. For the second straight year, mobile device and application management (MDM/MAM) is the top mobile security solution respondents plan to implement in the next 12 months. This is no surprise as nearly six in 10 participants saw a rise in mobile device threats in the preceding 12 months.
Security analytics in top demand. Security analytics / full-packet capture and analysis is the most commonly cited network security technology planned for future acquisition, followed by threat intelligence services and next-generation firewalls.
Fed up with inadequate endpoint defenses. A whopping 67 percent indicated their intent to evaluate alternative endpoint anti-malware solutions to either augment (34 percent) or replace (33 percent) their existing endpoint products. This number is markedly up from 56 percent in last year’s survey.
Continuous monitoring now mainstream. Half of those surveyed rely on continuous monitoring technologies for discovering network assets, achieving policy compliance, and mitigating vulnerabilities and security misconfigurations. This is a positive trend for the industry, as only 38 percent of respondents conduct full-network scans more often than quarterly.
“Cyberthreats hit an all time high in 2014, in terms of not only the number of breaches but their impact on all aspects of business. Who would have thought that we would see a time when a simple movie would spur attacks that forced an entire industry to publicly address the way it thinks about privacy, piracy, and geopolitical implications of the product it produces,” said Steve Piper, CEO of CyberEdge Group. “For the first time in our research, a majority of participants predict their networks will become compromised in 2015. These are indeed dangerous times, but there is still cause for optimism as organizations take active steps to prepare for the unexpected. Welcome to the new reality.”
“It’s no surprise that security analytics is the most commonly cited network security technology planned for acquisition in this year’s report,” said Hugh Thompson, CTO of Blue Coat Systems. “This technology, coupled with SSL visibility and malware analysis capabilities, is reducing the time and effort needed to detect and eliminate sophisticated threats. Organizations are realizing that being prepared for advanced threats is the key to quick resolution and risk mitigation.”