Enterprises Overly Reliant on Perimeter-based Defenses: Survey

Survey Examines Impact Data Breaches at Target and other Organizations Have had on IT Budgets and Security Practices.

Organizations are increasing investment in IT security, but even after a string of high-profile data breaches in 2014, they aren’t thinking beyond perimeter-based defenses, according to the latest Ponemon Institute survey.

The mega-breach at Target and other retailers served as a “wake up call” for senior managers at organizations to realize they needed better security. About 13 percent of senior management expressed extreme concern about their security posture before the Target breach was publicized, according to the survey. The number rose to 55 percent after the breach.

More importantly, the new understanding has resulted in more resources to prevent, detect, and resolve data breaches, according to the report from Ponemon Institute. For example, 61 percent of organizations increased their security budgets by an average of 34 percent in 2014. The most common areas of investment included security incident and event management (SIEM), endpoint security, intrusion detection and prevention (IDS/IPS), encryption, tokenization, and Web application firewalls. About 63 percent of respondents in the survey said this increase in budget resulted in investments in enabling security technologies to prevent and/or detect breaches.

“This study shows that organizations are dedicating greater attention and financial resources towards managing sensitive information and preventing data breaches, which is certainly encouraging news,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

However, only 9 percent have increased budgets to address sensitive data management, which discovers sensitive information such as Social Security numbers and payment card numbers and protects the documents containing the data. This is a glaring omission because the data is not protected if—or rather, when—the attackers breach the network, Todd Feinman, CEO of Identity Finder, told SecurityWeek. The company sponsored the “2014: Year of the Mega Breaches” study.

The recent attack at Sony where attackers dumped files containing “millions of instances of Social Security numbers” is an example of the kind of damage that can result when attackers get on the network and the information is not properly protected. “Organizations shouldn’t be solely focusing on how to block the attack and they need to understand how vulnerable they are if the attackers get past the perimeter defenses,” Feinman said.

“They are assuming what they are doing will work,” but in reality, even if they do many things right, they still need to assume they won’t be able to block everything, Feinman said. Not enough is being done in terms of figuring out what needs to be done to minimize the damage, he warned. There must be a balance between blocking threats and reducing the footprint of vulnerable, sensitive data.

“Detection can be more important than prevention. Prevention is important, but when things go sideways, you need to know,” Feinman said.

It’s important to remember that perimeter defense has a role to play in enterprise defense. The goal is not to shift resources, but to spread them out so that the lion’s share of the money and people isn’t going towards preventive controls such as monitoring the perimeter and endpoint.

“We aren’t saying don’t do perimeter defense,” Feinman said. SIEM is a good thing to invest in, but if organizations are taking three months or longer to detect a breach, then that control alone is not enough. It’s just as important to add controls for data, too, he added.

Having data controls makes other security controls more valuable, Feinman noted. If the IT manager knows where the sensitive data is stored, then he or she can write better rules for the firewall, for example. Or in the case of encryption, many organizations see their encryption projects fail because “they are trying to encrypt the world—all the endpoints, all the emails, everything.” Instead, if they know where the confidential information is stored and encrypt “what really matters,” they can minimize the damage from a data breach, Feinman said.

Money is not everything. Businesses are clearly spending money to prevent cyberattacks, but data breaches still occur, Feinman said. JP Morgan Chase spent over $250 million on cyber security last year, but still suffered from a significant data breach. “If one of the world’s largest banks cannot stop an attack from getting through, it’s unrealistic to expect anyone else will be able to,” Feinman said.

Ponemon Institute surveyed 735 IT and IT security practitioners about the impact data breaches at Target and other organizations have had on their IT budgets and security practices. About 45 percent said they’d discovered the breaches by accident, and a staggering 95 percent said they did not discover the breach for at least three months after the initial incident. Half had thought they had the tools necessary to prevent a breach, but 65 percent said the attack evaded existing preventive security controls.

“Security is not only about more investments in prevention but also about understanding the data itself that is vulnerable,” Ponemon said.
