A new security survey from Accenture has found that, in the past twelve months, roughly one in three targeted cyber attacks resulted in an actual security breach, which equates to two to three effective attacks per month for the average company. Still, a majority of security executives (75 percent) surveyed are confident in their ability to protect their enterprises from cyberattacks.
For the survey report ‘Building Confidence: Facing the Cybersecurity Conundrum,’ Accenture surveyed 2,000 enterprise security practitioners representing companies with annual revenues of $1 billion or more in 15 countries about their perceptions of cyber risks, the effectiveness of current security efforts and the adequacy of existing investments. The survey reveals that the length of time taken to detect security breaches often compounds the problem, as more than half of executives (51 percent) disclose that it takes months to detect sophisticated breaches, and as many as a third of all successful breaches are not discovered at all by the security team.
Other key findings included:
- While survey respondents say internal breaches have the greatest impact, 58 percent prioritize heightened capabilities in perimeter-based controls instead of pivoting to address high-impact internal threats.
- Research findings further show that most companies do not have effective technology in place to monitor for cyberattacks and are focused on risks and outcomes that have not kept pace with the threat.
- Only slightly more than one-third (37percent) of respondents say they are confident in their ability to perform the essential activity of monitoring for breaches and only a similar number (36 percent) say the same about minimizing disruptions.
Getting smarter about security spending
Recent high-profile cyberattacks have driven significant increases in cybersecurity awareness and spending. Yet, the sentiment among those surveyed suggests organizations will continue to pursue the same countermeasures instead of investing in new and different security controls to mitigate threats.
- For example, given extra budget, 44 percent to 54 percent of respondents would ‘double down’ on their current cybersecurity spending priorities – even though those investments have not significantly deterred regular and ongoing breaches.
- These priorities include protecting the company’s reputation (54 percent), safeguarding company information (47 percent), and protecting customer data (44 percent).
- Far fewer companies would invest the extra funds in efforts that would directly affect their bottom line, such as mitigating against financial losses (28 percent) or investing in cybersecurity training (17 percent).
Key country highlights from the report include:
- Overall, it takes longer to spot a breach in the US and the UK with over a quarter of organizations taking a year or more to detect a successful attack. (30 percent in the US; 26 percent in the UK).
- Organizations in France, Australia and the US are the least confident in their ability to monitor for a breach compared to the global average.
- Organizations in Germany (52 percent) and the UK (50 percent) are the most confident in monitoring for breaches compared to the global average (38 percent).
- Organizations in France spend the most (9.4 percent) of their total IT budget on cybersecurity compared to the global average of 8.2 percent.
- Organizations in Australia and the US spend the lowest amount on cybersecurity, as a percent of their total IT budget. (8 percent in the US; 7.6 percent in Australia).