What SMBs Don t Know Can Hurt Them Perceptions vs. Reality in the New Cyber Threat Landscape

Transcription

1 What SMBs Don t Know Can Hurt Them Perceptions vs. Reality in the New Cyber Threat Landscape

2 Contents Introduction 2 Many SMBs Are Unaware Of Threats 3 Many SMBs Are Exposed To Threats 5 Recommendations 7 About FireEye, Inc. 8 FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 1

3 Introduction Call it the invisible threat. For every massive data breach that makes headlines, untold scores of small to midsize businesses (SMBs) suffer the same types of cyber attacks often with proportionally starker consequences. A 2012 study by the National Cyber Security Alliance found that one in five small businesses experience a data breach in a given year. Of those, 60 percent go out of business within six months. 1 SMBs aren t just targets they re cyber attackers top target. According to the Verizon 2013 Data Breach Investigations report, more than half of breaches hit companies with 1,000 or fewer workers. 2 Despite this rising tide of attacks and their potentially dire consequences, many SMBs remain unaware of cyber threats and unprotected from them. That s the conclusion of a survey conducted by Spiceworks Voice of IT and sponsored by FireEye. The survey, conducted in December 2013, polled 162 information technology pros about their knowledge of advanced cyber threats, the perceived impact of attacks, and what they re doing to address the problem. Participants were involved with or responsible for IT security at companies with 100 to 2,000 employees. The survey excluded managed service providers (MSPs) and IT consultants. This report highlights key findings of the survey, explains their implications, and recommends steps to reduce the threat of cyber attacks. 1 National Cyber Security Alliance. America s Small Businesses Must Take Online Security More Seriously. October Verizon Data Breach Investigations Report. May FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 2

4 Many SMBs Are Unaware Of Threats In the survey, 71 percent of survey participants ranked cyber security a high or very high priority. Conversely, a full 29 percent rank cyber security average or less in their priorities a surprisingly high number given the potential impact of a breach. Where does cyber security rank among your IT priorities? Where does cyber security rank among your IT priorities? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% Very high High Average Low Very low At the same time, 75 percent of those polled acknowledged that they were only somewhat knowledgeable about advanced persistent threats (APTs). Only 15 percent were confident that they are very knowledgeable about advanced attacks. What is your level of knowledge pertaining to advanced cyber attacks What and is your advanced level of knowledge persistent threats pertaining (APTs)? to advanced cyber attacks and advanced persistent threats (APTs)? 75% No knowledge 3% 10% Very knowledgeable Somewhat knowledgeable 15% FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 3

5 The term APT denotes attacks launched by attackers that are well organized and funded. APT attacks usually focus on a well-defined goal, such as stealing intellectual property or sensitive data. Unlike the broad, scattershot attacks that typify common cybercrime, APT attacks target specific companies or agencies. These attacks often employ sophisticated, stealthy tactics that traditional defenses cannot prevent or detect let alone contain and resolve. SMBs are largely unaware of today s threats. In the survey, 44 percent assert that they are not a target for advanced attacks, and 24 percent are unsure. Do you feel your company is a target for advanced cyber attacks? Do you feel your company is a target for advanced cyber attacks? 24% Yes No 44% Unsure 32% This ambivalence reveals itself in SMBs security spending. Nearly a third of respondents (32 percent) allocate less than 10 percent of their IT budget to security. Although 45 percent earmark 10 percent or more of their IT budget to security, more than 20 percent don t know the percentage. What What percentage of of your your IT IT budget is is allocated to security? 40% 35% 30% 25% 20% 15% 10% 5% 0% Less than 10% 10 25% 26 50% More than 50% Don t know FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 4

6 Many SMBs Are Exposed To Threats Even among SMBs that are aware of the threat posed by advanced attacks, many remain exposed to them, the survey revealed. Only 39 percent of respondents rated their company s ability to detect and block these threats as good or excellent. Nearly a quarter of respondents rated their ability as fair or poor. How would How would you rate you rate your your company s company s ability ability to detect to detect and block and block advanced advanced cyber cyber attacks? attacks? Excellent Good Average Fair Poor Unsure 0 10% 20% 30% 40% Even those mixed percentages may reveal overconfidence. That s because about half of those polled believe mistakenly that traditional cyber defenses protect their networks against advanced threats. Traditional defenses include anti-virus (AV) software, standard and next-generation firewalls, intrusion prevention systems (IPS), and the like. Do you believe your traditional security defenses (i.e. anti-virus, next generation firewalls, IPS, and gateways) Do you believe your traditional security defenses (i.e. anti-virus, next generation firewalls, IPS, protect and gateways) you from protect advanced you cyber from advanced attacks? cyber attacks? 1 Yes No 31% Unsure 50% FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 5

7 Today s attacks versus yesterday s tools Yesterday s legacy defenses are built on signature-matching and IP-reputation technologies, which are designed to spot previously identified threats. Today s advanced attacks utilize code-morphing techniques that churn out new, unique malware binaries faster than security vendors can create signatures for them. And attackers exploit zero-day vulnerabilities which, by definition, are unknown. Traditional defenses are useless against these attacks. Even most sandbox technologies, touted as a fresh approach to security, miss today s advanced attacks. Sophisticated malware has sandbox-evasion measures built in, lying dormant when executed in a sandbox environment to slip under the radar. And most sandboxes analyze files in isolation, missing the multiple stages common in advanced attacks. The shortcomings of both traditional and file-based sandbox technologies leave SMBs less secure than they realize. Breaches growing more common More than 20 percent of those polled had encountered a network breach in the previous 12 months. That figure is consistent with the National Cyber Security Alliance estimate cited earlier. About two-thirds of those polled do not believe they have been breached. But the failure of traditional cyber defenses to detect advanced threats casts doubt on that figure. According to the Mandiant M-Trends report, attackers have access to victims networks an average of 243 days before being detected. Many may have been breached or are currently compromised and may not realize it. Indeed, 12 percent of survey respondents were unsure whether attackers had breached their networks. Have you experienced a network breach in the past 12 months? Have you experienced a network breach in the past 12 months? 12% Yes 67% 21% No Unsure FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 6

8 Despite common misconceptions about the efficacy of standard cyber defenses, SMBs are all too familiar with the fallout of data breaches. More than 80 percent listed disrupted business among the greatest consequence of a network breach. Data loss including internal IT assets, partner information and customer data was close behind at 75 percent. And more than half cited loss of confidence among customers and the public. What do you believe is the greatest consequence of a network breach What or data do you loss? believe (Select is the all greatest that apply) consequence of a network breach or data loss? (Select all that apply) Disruption to business operations Data loss (i.e. IP, customer,partner) Loss of public and customer confidence Infrastructure integrity Remediation costs Brand damage Other 0 20% 40% 60% 80% 100% Recommendations Given the ubiquity of today s advanced threats and the dire effects of data breaches, SMBs must make security a bigger priority. Although most SMBs have limited security budgets, all of them can strengthen their security posture by rethinking cyber defense. Assume you re a target Assume cyber attackers are targeting your business, because they probably are. In addition to having valuable data of their own, most SMBs do business with larger companies. Often this includes deep ties into partners computer systems as part of an integrated supply chain or access to their sensitive data and intellectual property. You may not consider yourself a big fish, but attackers know you re connected to bigger fish. FireEye, Inc. What SMBs Don t Know Can Hurt Them: Perceptions vs. Reality in the New Cyber Threat Landscape 7

9 Identify your assets and connections The first step in any cyber defense plan is knowing what you re protecting. For SMBs, this assessment means not just knowing where their most valuable assets are, but thinking about their most important data connections to outside vendors, customers, and partners. In today s hectic business climate, keeping this information up to date is not always easy. It requires full awareness of not only your own systems but also the larger threat climate. Knowing how cyber attackers operate and what they might be after can help security professionals know where they re most vulnerable and where to prioritize their efforts. Don t fight today s battles with yesterday s tools Today s cyber attacks are sophisticated. They are devastating. And they are easily thwarting legacy security tools. That s why SMBs need a defense built from the ground up to prevent, detect, contain, and resolve today s advanced threats. Cyber security can no longer rely on malware signatures or the reputation of an IP address. Today s tools must be able to detect unknown threats, including newly created malware binaries and zero-day exploits. And they must analyze potential threats in context or other stages of an attack, not individual files in isolation. To find out how FireEye can help you combat today s advanced threats, visit About FireEye FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,900 customers across more than 60 countries, including over 130 of the Fortune FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. RPT.SMB.EN-US FireEye, Inc McCarthy Blvd. Milpitas, CA FIREEYE ( ) info@fireeye.com