A recent Kaspersky Lab survey of 5,274 IT business decision makers found that 42 percent of respondents are unsure of the most effective strategy to combat threats like targeted attacks -- and the percentage is even higher (63 percent) among respondents who are IT security experts.
Seventy-seven percent of respondents say they've experienced a security incident over the past 12 months. Fifty-seven percent believe they will be breached at some point, up from 51 percent in a similar survey last year.
The study found that the prevalence of targeted attacks has increased by 6 percent since last year for all respondents, and by 11 percent for large enterprises. Two thirds of respondents believe threats are becoming more complex, and 52 percent say it's becoming difficult to tell the difference between generic and complex attacks.
While 56 percent of respondents agree that they need better tools to detect and respond to APTs and targeted attacks, 78 percent believe they already spend enough, or even too much, on protection from targeted attacks.
Fifty-three percent of respondents agree they need to employ more specialists with IT security expertise, specifically in SOC management, incident response and threat hunting. That number jumps to 61 percent among enterprise respondents.
"Now that companies are starting to realize that cyber security breaches are a real risk to their business continuity, it's time to give incident response the attention it deserves," Alessio Aceti, head of Kaspersky Lab's enterprise business division, said in a statement.
"It can no longer be a small part of the IT security department's responsibilities, and should instead involve strategic planning and investment at the highest level," Aceti added. "For organizations, this doesn't mean becoming risk-free but it will certainly help to become risk-ready and survive a serious breach when it happens."
Separate RiskIQ research [PDF] on leading U.K. companies in the FT 30 found that the average company has 3,315 live websites leveraging 35 expired certificates, 250 untrusted certificates, 171 servers with known vulnerabilities, and 68 frameworks with known vulnerabilities.
Among all FT 30 companies, the researchers found 13,194 instances of data collection through login or input forms, of which 29 percent had no encryption, and 5 percent were using old encryption algorithms or expired certificates.
"We have recently seen the consequence of Equifax losing control of its infrastructure and Web assets before falling victim to cybercrime and impacting millions of customers," RiskIQ vice president EMEA Fabien Libeau said in a statement. "It is crucial that other organizations don't follow suit by ensuring their digital attack surface is constantly monitored, kept under control and secure from cyber adversaries on the prowl."
Chris Olson, CEO of The Media Trust, told eSecurity Planet by email that every enterprise should be concerned about becoming the next front page news story. "The heart of the matter is a general failure to appreciate the highly dynamic nature of these consumer-facing digital assets and their reliance on third parties to help render the visitor experience," he said.
"As a significant amount of vulnerability resides in not knowing these third parties exist, let along analyzing their activity, companies would be better served controlling what they allow to execute in their digital environment," Olson added.