According to a new study published by ThreatTrack Security, 72% of survey respondents from the energy and financial services industries are confident that their organization will be the target of an Advanced Persistent Threat (APT), targeted malware attack or other sophisticated cybercrime or cyber-espionage tactic at some point during the next 12 months.
Specifically, 38% of the 200 respondents said such attacks against their organization is either a “certainty” or “highly likely.” Another 35% said it is “somewhat likely.”
“Both the energy and financial services sectors are under constant pressure from attackers due to the high-value assets they hold, which represents a significant risk to the U.S. economy and critical physical infrastructure,” ThreatTrack Security elaborated.
According to the U.S Department of Homeland Security, the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 200 incidents between Oct. 2012 and May 2013. Of those 200 incidents, the highest percentage of incidents reported to the organization occurred in the energy sector (53 percent).
Earlier this year, the Financial Industry Regulatory Authority (FINRA), the largest independent regulator for all securities firms doing business in the United States, issued a warning of increasing frequency and sophistication of attacks against financial services firms.
While many attacks against these firms can be rather sophisticated, recent research from security firm Imperva shows that data breaches commonly associated with advanced persistent threats can sometimes be achieved without high levels of skill. “Despite these common perceptions (see Wikipedia), our labs discovered that some techniques attributed to APT require only basic skills,” Imperva’s report said.
As ThreatTrack Security investigated the challenges these industries face in defending themselves against cyber attacks, they found the following:
• 34% of respondents say their endpoints have been infected in the last 12 months by malware that evaded detection by traditional signature-based defenses such as antivirus, email security or firewalls.
• 70% of respondents from companies with security budgets between $500,000 and $1 million had been infected at least once.
• 61% of energy firms say email is the biggest threat vector for malware, while 42% of financial services firms say it is the web (closely followed by 39% who indicate email as well)
• Only 3% of respondents say mobile is the biggest threat vector they are facing, indicating that many energy and financial services firms may be overlooking a growing source of malware delivery.
• The biggest perceived threat to energy firms is hacktivists and the number one threat to financial services companies is organized cybercrime syndicates.
• 12% of energy firms fear attacks from foreign governments.
• Less than 10% of energy firms or financial services companies fear the insider threat.
• A higher percentage of energy firms (44%) say an attack is “a certainty” or “highly likely” than their financial services counterparts (31%).
• Half of all organizations (50%) surveyed say they plan to train existing IT staff on new technologies and cybersecurity strategies. 35% will implement new policies such as limiting network access privileges and educating employees. 34% will invest in advanced malware detection technology.
“Given the importance and value of the data that energy and financial services firms have access to, it is no surprise that they are being targeted aggressively by hackers,” said Julian Waits, Sr., president and CEO of ThreatTrack Security. “The question is, what can these organizations do to better stabilize their cyber defenses, in both their own self-interest, and to protect critical U.S. infrastructure? It’s good to see these firms are planning to train their IT teams on the latest cybersecurity technologies and strategies, and that they are going to invest in advanced malware detection. The time to act is now, or the next big data breach could be one that doesn’t just affect our wallets.”
The blind survey of 200 IT security managers or IT security administrators in energy and financial services organizations (100 in each) was conducted by Opinion Matters on behalf of ThreatTrack Security in April 2014, ThreatTrack said.
Related: Taking Aim at the Energy Sector: Three Steps to Defend Against a Rising Number of Attacks