72 Percent of US Financial Services and Energy Firms Expect a Cyber Attack in Next 12 Months

The news on the cybersecurity front that serves as a warning to us all is mounting up during what has become the cybersecurity industry’s equivalent of earnings season. That is a good thing. The landscape of potential vectors of vulnerability is vast and each area needs illumination to help organizations get perspectives on threats and remediation possibilities.

It is also useful to have granularity on those markets that are prime targets for malicious activities. Not only are there a growing list of threats but also an increasingly diverse group of bad guys—hackers, terrorist organizations, criminal organizations, state-sponsored groups, etc. For this reason, I like to periodically make readers aware of useful studies.

The latest security report from Clearwater, FL-based ThreatTrack Security, with the straight forward title, “Energy Companies and Financial Services Firms Remain Vulnerable to Data-Breaching Malware,” is certainly one to give those in the critical financial services and energy markets pause. It is also useful reading for all security professionals as well.

The report is based on an independent blind survey of 200 IT security managers or IT security administrators in energy and financial services organizations (100 in each) that was conducted by Opinion Matters on behalf of ThreatTrack Security in April 2014. As noted above, there are a wide range of threat actors and attack vectors targeting these two industries, and the report investigates the challenges of putting up a good defense and how organizations are planning to increase security.

APTs and inviting targets

The focus is on the two sectors that have proven to be the most targeted ones by those with malicious intent. Unfortunately, as the headline says, the top level finding that should get your attention like it got mine was that 72 percent of respondents are confident they will be the target of an Advanced Persistent Threat (APT (News - Alert)), targeted malware attack or other sophisticated cybercrime or cyber-espionage tactic in the next 12 months. In fact, 38 percent said an attack is either a "certainty" or "highly likely."

As the authors of the report state:

“Both the energy and financial services sectors are under constant pressure from attackers due to the high-value assets they hold, which represents a significant risk to the U.S. economy and critical physical infrastructure. According to the U.S. Department of Homeland Security, the highest percentage (more than half) of incidents reported to its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) occurred in the energy industry. Similarly, in January of this year, the Financial Industry Regulatory Authority (FINRA) released a letter warning of increasing frequency and sophistication of attacks against financial services firms.”

Among the key findings of the survey:

• 34 percent of respondents say their endpoints have been infected in the last 12 months by malware that evaded detection by traditional signature-based defenses such as antivirus, email security or firewalls.
• 70 percent from companies with security budgets between $500,000 and $1 million had been infected at least once.
• 61 percent of energy firms say email is the biggest threat vector for malware, while 42 percent of financial services firms say it is the web (closely followed by 39 percent who indicate email as well)
• Only 3 percent said mobile is the biggest threat vector they are facing, indicating that many energy and financial services firms may be overlooking a growing source of malware delivery.
• The biggest perceived threat to energy firms is hacktivists and the number one threat to financial services companies is organized cybercrime syndicates.
• 12 percent of energy firms fear attacks from foreign governments.
• Less than 10 percent of energy firms or financial services companies fear the insider threat.
• 38 percent of respondents say it is either a "certainty" or "highly likely" that their organization will be the target of an APT or targeted malware attack in the next 12 months. Another 35 percent say it is "somewhat likely." This means 72 percent of these organizations expect an attack in the near future.
• A higher percentage of energy firms (44 percent) say an attack is "a certainty" or "highly likely" than their financial services counterparts (31 percent).
• Half of all organizations (50 percent) surveyed say they plan to train existing IT staff on new technologies and cybersecurity strategies. 35 percent will implement new policies such as limiting network access privileges and educating employees. 34 percent will invest in advanced malware detection technology.

"Given the importance and value of the data that energy and financial services firms have access to, it is no surprise that they are being targeted aggressively by hackers," said Julian Waits, Sr., president and CEO of ThreatTrack Security. "The question is, what can these organizations do to better stabilize their cyber defenses, in both their own self-interest, and to protect critical U.S. infrastructure? It’s good to see these firms are planning to train their IT teams on the latest cybersecurity technologies and strategies, and that they are going to invest in advanced malware detection. The time to act is now, or the next big data breach could be one that doesn’t just affect our wallets."

 While the full survey results are available upon request, I thought I’d whet your appetite with just one graphic.  It  highlights that while the two sectors face different enemies and challenges they both are clearly in the bad guy crosshairs. It also speaks a bit to the quote from the recent Verizon Data Breach Index Report (DBRI) that “the bad guys are winning.” The evidence here is from the survey results that a rather disturbing percentage of respondents from both sectors say that malware has evaded their defenses. 

Source (News - Alert): ThreatTrack Security

In short, keeping up with the bad guys is not easy—even when you know they are coming.  In fact, if for no other reason than to get your upper management to focus on the urgency of looking at where your organization might be vulnerable and what solutions need to be evaluated to not just protect against at a minimum worst case scenarios but also assure that if attacked your response times and remediation tools are up to snuff, you might wish to get the full report.