“APTs are stealthy, relentless and single-minded, and their primary purpose is to extract information such as valuable research, intellectual property or government data,” said Tony Hayes, ISACA’s immediate past international president.
“In other words, it is absolutely critical for enterprises to prepare for them, and that preparation requires more than the traditional technical controls,” Hayes added.
The majority of responding organizations say their primary APT defense is technical controls such as firewalls, access lists and anti-virus, which are critical for defending against traditional treats, but not sufficient for preventing APT attacks.
Nearly 40 percent of enterprises report that they are not using user security training and controls to defend against APTs—a critical component of a successful cybersecurity plan. Worse yet, more than 70 percent are not using mobile controls, even though 88 percent of respondents recognize that employees’ mobile devices are often the gateway to an APT attack.
While more enterprises report that they are adjusting vendor management practices (23 percent) and incident response plans (56 percent) to address APTs this year, the numbers still need significant improvement.
“The good news is that more enterprises are attempting to better prepare for the APT this year,” said Robert Stroud, CGEIT, CRISC, international president of ISACA and a vice president at CA Technologies. “The bad news is that there is still a big knowledge gap regarding APTs and how to defend against them—and more security training is critically needed.”