A new report from ForeScout Technologies described a challenging world for IT security – one where one in six IT pros say their organization has had five or more significant security incidents in the past year.
The research, titled the ‘2014 Cyber Defense Maturity Report’, was conducted by IDG Connect and features responses from 1,600 IT information security decision makers in organizations with more than 500 employees across five industries in the U.S. and Europe.
“The findings provide a useful snapshot of the state of exposures, controls and investment across global regions and industries,” said Scott Gordon, chief marketing officer at ForeScout, in a statement.
Ninety-six percent of the 1,600 respondents said their organizations had at least one significant security event in the last 12 months, while 39 percent said there had been two or more. Though the majority of those surveyed said they were aware that some of their security measures were immature or ineffective, just 33 percent had high confidence their organizations would improve those controls.
“The top five sources of compromise recorded by survey respondents were phishing attacks, compliance policy violations, unsanctioned device use, unsanctioned application use and [unauthorized] data access, with as much as 25 percent of organizations across all vertical sectors experiencing five or more instances of phishing specifically in the past 12 months,” according to the report (PDF).
“Aggregated across all three regions [the US, UK and the DACH region comprised of Germany, Austria and Switzerland], the finance sector recorded marginally higher numbers of phishing attacks, compliance policy violations, instances of unsanctioned application use and data leakage than the other industries, with manufacturing seeing more breaches caused by unauthorized data access, unknown devices and zero day malware,” the report notes. “The healthcare industry appears least affected by both phishing and targeted attacks but slightly more open to unsanctioned device use and data leakage issues.”
According to the report, malware and advanced persistent threat (APT) attacks were rated as a top priority across all industries and regions, yet there appears to be a lower likelihood of investing further resources to reduce perimeter threats. Forty percent said that security management tasks are more challenging now than two years ago, specifically with regard to diagnosing, preventing, identifying and remediating issues.
Those in the education and manufacturing sectors were least confident (73% and 71% either not or somewhat confident) that security measures relating to personal mobile device usage would be improved by their organizations.
“A large majority of organizations believe that the Bring Your Own Device (BYOD) trend which sees employees expecting to use their own smartphones, tablets and other devices to access company networks and systems has an impact on their existing governance, risk and compliance (GRC) controls,” according to the report. “An average of 78% of all respondents cited that any one of the 14 popular BYOD controls referenced would have an impact on GRC. The need to implement malware prevention (82%), lost or stolen device data wipe mechanisms (82%), appropriate user/device enrolment tools (81%), device usage controls (79%) and data encryption (79%) on those devices are perceived to have the most significant GRC implications.”
The report can be downloaded here.
