Heightened awareness about stealthy network attacks designed to steal sensitive information -- what some call the "advanced persistent threat" -- is having an impact in raising security budgets and increasing executive management involvement in information technology, according to a survey published today.
The survey of 244 U.S.-based security professionals that was conducted by consultancy Enterprise Strategy Group (ESG) shows that the term "advanced persistent threat (APT)" is well understood by most, and 65% of the survey's respondents are concerned that APT attacks are undermining national security and the economy. The survey reveals that not only do security pros think APT is real, but 20% said "we are certain we have been targeted" and 39% said they were "fairly certain" their companies had been targeted.
The headlines about APT -- whether it be the RSA break-in related to SecurID or any other known APT attack -- are sounding alarms in the executive suite as well.
This drumbeat of news is prompting the CEO, the chief financial officer, or others in executive management to take a range of actions impacting the IT department and the company. These include asking for risk metrics, beefing up employee training about APTs, hiring outside audits, and increasing security funding overall.
In fact, 32% of the security professionals in the survey said the APT problem "will cause us to increase security spending by 6% to 10%" and 11% said spending would increase by even more than 10%. Only 16% said there would be no increase, and 7% either didn't know or said it was too early to tell.
Jon Oltsik, an analyst at ESG who led the research on the survey, says one goal he had with it was simply to find out whether IT security professionals considered the term APT to be a "serious threat" or more of a "marketing term."
"They do think it's a serious threat. And in most large organizations, they think they have been targeted," Oltsik said.
C-level executives, also worried about APTs, are interacting more energetically with the IT and security department in ways not often seen previously. They're asking for board-level presentations on APT preparedness and are increasing meetings with the chief information security officer (CISO) or IT risk team.
"The CEO is actually going to the CISO and saying, 'Tell me what this is, and what do you need from us?'" Oltsik said. "They're saying, 'We need real metrics and an action plan.'"
The survey points out that some C-level executives are going around the internal IT and security people to some extent by asking for an outside evaluation of internal security.
Oltsik says he's a little skeptical that training end users to successfully resist APT attacks, such as targeted phishing attempts, will be worth it. But he adds that if that's the case, IT departments should consider finding better ways to monitor network behavior, detect system compromises and perhaps make use of technologies such as whitelisting to lock down systems.