Over a quarter of global organizations have suffered an Advanced Persistent Threat (APT), yet many are relying on outdated tools to keep them safe, according to a new study from ISACA.
The industry body polled over 600 of its members worldwide to compile the 2015 Advanced Persistent Threat Awareness Study. It found that while 28% had suffered an APT, more than two-thirds (67%) claimed they felt ready to respond to future attacks.
However, anti-virus and network perimeter technologies topped the list when it came to the most popular technical controls used – despite such tools being of little use in combating advanced threats.
“It is concerning that network perimeter technologies and antivirus and anti-malware top the list of controls used because APTs have been shown to leverage zero-day vulnerabilities, which render tools that look for known signatures and vulnerabilities irrelevant,” the report claims.
On the plus side, however, some 73% of respondents claimed that they are using training and education programs to help minimize the threat from social engineering and spear phishing – up four percentage points from the previous year.
This is important given that social engineering still plays a major role in APT campaigns as attackers look to “gain footholds into information systems.”
However, there’s still room for improvement, with 56% claiming that they’ve not increased awareness training for APTs – although this figure is down from 67% last year.
Another positive is the fact that two-thirds (62%) of respondents said they had seen the organization’s leadership becoming more involved in security-related activities, while 80% said they saw a “visible increase” in support from senior management.
Security budgets had also increased for a majority (53%) of those interviewed for the report.
ISACA senior manager of cybersecurity practices, Montana Williams, argued that firms needed not just anti-malware and network monitoring but also intrusion detection systems, firewalls, and log analytics to help minimize the risk of successful APTs.
“The most effective social engineering training program involves hands-on exercises and demos on a frequent basis,” she told Infosecurity.
“It’s also critical to have a continuous security awareness program with multiple communications channels, from posters to training modules to pop-up notifications when staff log into their computer. Constant reminders help a culture of security become second nature.”