In a survey conducted by Synopsys at this year’s Infosecurity (InfoSec) Europe, almost half of participants said their organizations had not experienced a cyber attack within the last two years. Most attendees surveyed said their organizations had either an internal or external software security group or a combination of both. And the majority indicated their organizations had an incident response plan in place and offered formal cyber security awareness training.
The survey of 270 InfoSec Europe 2017 attendees focused on application security. It found that 37% of organizations had an internal software security group, 20% made use of third-party vendors, and 40% had a combination of internal and external security teams. Taken together, 97% of participants said their organizations had some active form of security process; only 3% admitted their organizations had none in place.
The lack of skilled security personnel was cited as the main challenge of implementing an application security program (41%). Earlier this year ISC2 reported it expected the shortfall of skilled security professionals to grow to 1.8 million by the year 2022.
“We’re not growing, we’re not expanding, we don’t have the tens of thousands of cyber security professionals joining the industry, we’ve got a graying profession,” Dr. Adrian Davis, managing director at ISC2, told the Telegraph.
Lack of skilled labor was followed by lack of management buy-in (18%) and little or no budget (16%) as challenges to creating an application security program. A quarter of the respondents claimed no challenges in implementing an application security program.
In terms of top application security concerns, a majority of respondents cited protecting customer data. This was followed by a tie for second between regulatory compliance and threat/breach detection. Internal IP protection was fourth. This result is consistent with increasing regulation of privacy, such as the EU’s General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018.
Customer-facing web applications were reported as the applications or systems that present the highest security risk to businesses (48%). This was followed by mobile applications (23%) and desktop applications (18%). Trailing were internally facing web apps (7%) and embedded systems (4%).
In terms of risk, participants defining their organizations as medium risk composed the largest group (46%), followed by “high risk, but with broad and mature security programs” (35%). Fewer respondents defined their organizations as high-risk companies with less mature security programs (10%). Even fewer identified their organizations as “low risk, too small to be a target” (9%).
Almost half of respondents said their companies had not been the target of a cyber attack within the last two years (47%), with 14% not sure. For companies that had been the target of a cyber attack within the last two years (39%), the types of attacks they experienced were distributed denial of service (DDoS), ransomware, social engineering, and spear phishing.
In September and October 2016, massive DDoS attacks from the Mirai botnet of hundreds of thousands of compromised internet-connected devices, largely surveillance cameras and DVRs, hit the hosting provider OVH in Europe and the DNS provider Dyn in the United States. The Dyn attack left hundreds of popular websites (Twitter and Reddit among them) unreachable for much of a day. In May 2017 WannaCry ransomware spread worldwide, and in June the Petya variant now known as NotPetya, though more limited in reach, rendered infected systems unrecoverable. Social engineering and spear phishing, which round out the list, are often an attacker’s initial point of entry before establishing a persistent foothold in the network. The survey measured only which attack types respondents had experienced, not whether any of them is becoming more or less common.
A wide majority (84%) of survey respondents said their organizations had an incident response plan in place. Twelve percent said they did not, and 4% were unsure. This is good news: organizations need to respond to and recover from cyber attacks quickly, and they should also preserve evidence that can support an investigation and help law enforcement. Most incident response plans include provisions for both.
Finally, 64% of respondents said their organizations mandated cyber security awareness training that included a test. Meanwhile, 25% said their awareness training was more informal and consisted of reviewing documented policies. Eleven percent said their organizations lacked any cyber security awareness training.