Recently, ISACA surveyed more than 1,500 infosec professionals as part of their 2012 Advanced Persistent Threat (APT) Awareness Study. The findings are an interesting mix of the good and the bad.
The ISACA survey results indicate that a majority of professionals are familiar or strongly familiar with APTs, with almost all (96.2%) being at least “somewhat” familiar. This means that at the very least, APTs are already “on the radar” of security professionals and are a known risk.
Many professionals believe that their organizations are at risk from APTs. Almost two-thirds – 63.0% – believe that their organization are likely or very likely to be the targets of an APT in the future. More than a fifth (21.6%) of those surveyed belong to organizations that have been hit with an APT.
The risks of APTs are also correctly identified. The top three risks identified by those surveyed were:
- Loss of intellectual property
- Loss of personal information of employees or customers
- Damage to the company’s reputation
However, the other findings also bring up some serious concerns. For example, more than half – 53.4% – of those surveyed said that APTs are “similar” to conventional threats. While this may be true on the surface, there are fundamental differences between APTs and conventional threats. They have different goals and capabilities; understanding these is important to defending against either type of threat. The number may also suggest that majority still believe that traditional security solutions will identify an APT, which is simply untrue.
Respondents were also quite confident of their organizations’ ability to deal with APTs. Strong majorities believed their company was able to detect, respond, and stop APTs. However, this may be branching out from their initial assumption that APTs are similar to conventional threats. While pluralities of respondents said that their organization were prepared for incidents, their incident response plans may not be specifically aimed at APTs. Again, this betrays a deep misunderstanding of APTs; plans suited for conventional attacks may be ineffective for APTs.
There is one positive note we’d like to highlight: many of the findings in the survey revealed how likely security professionals believe their organizations are going to be targeted by APTs. In most cases, professionals who thought they were more likely targets provided answers that showed they understood better how to defend and mitigate APTs, when compared to their counterparts from less likely targets. Similarly, executives at at-risk firms were more likely to be involved and engaged in supporting steps to defend against these attacks.
What this means is that organizations and their leaders are able to protect themselves adequately, if they choose to learn how to in the process. The challenge facing security vendors, professionals, and the industry is how to make such information more widely available, particularly as the number of at-risk organizations increases over time.