Data Breaches: A Growing Problem Associations Aren’t Ready For
More than a quarter of organizations have experienced data breaches, according to a new study. Is your association at risk, too?
Many organizations’ cybersecurity measures aren’t enough to protect their networks from data breaches, according to a new study from the information systems association ISACA.
The breaches result from advanced persistent threat (APT) attacks, in which an unauthorized individual gains access to a network. APT attacks aim to gather personal data to sell on the black market and can often go undetected for hundreds of days to several years.
While 74 percent of the more than 660 cybersecurity professionals who responded to the survey said they expected their organizations to be targeted by a cyberattack, only 67 percent said they feel prepared to respond. Already 28 percent of these organizations have experienced a data breach.
APT attacks “have become the norm,” said ISACA CEO Matt Loeb, CAE. “All organizations, regardless of their size, where they’re located, or what industry they’re in, have to be prepared to deal with these things.”
While many organizations rely heavily on technology to protect networks from an APT attack, which can adapt as the system tries to neutralize it, employees and other stakeholders need to be well informed about the risk of cyberattacks, Loeb said.
“Organizations need to be holistic in looking at how they can protect themselves from these kinds of attacks,” he said. “It requires general education for employees, vendors, and members, but it also requires skill development for those who are responsible for providing the IT services.”
Most APT attacks occur when employees unintentionally give out sensitive information, such as member, credit card, or financial data, ISACA found. The well-funded organizations that create the attacks take advantage of employees’ unawareness of cyberattacks and system weaknesses to steal the information.
A breach can begin as easily as plugging a thumb drive into a network computer, opening an email attachment, or following a link. Any of these actions can activate the APT by letting it launch an undetected application on the network that gives the attackers access.
Dow Williamson, executive director for ITPG, Inc., a consulting company that helps associations establish cybersecurity policies, agreed that the most cost-effective way to prevent APT attacks is through education.
Williamson encourages associations to hold programs to increase awareness among all staff of how attacks commonly occur and how to respond, train IT staff in implementing system controls, and educate and certify key information security leaders.
“Unfortunately, employees and companies have to be right all the time,” Williamson said. “A hacker or an attacker only has to be right once or only has to get lucky once.”
Williamson agreed with ISACA’s conclusion that the practice of allowing employees to use their own mobile devices to store and process sensitive data has left organizations vulnerable. Groups with “bring your own device” policies can use network access control (NAC) tools to keep track of devices on the network and to correlate information from firewalls and intrusion prevention systems in order to detect potential breaches.
ISACA found that top leaders in organizations are doing more to combat APT attacks and other cybersecurity threats following recent high-profile breaches and increased public concern about APT attacks.
Loeb warned that the problem will likely worsen before it improves and may pose a public safety hazard as attackers begin to target individuals instead of organizations.
“There isn’t anybody that isn’t vulnerable,” Loeb said. “So when we talk about these things, it’s not a matter of if I’m going to be attacked, it’s a matter of when.”