Almost all organizations in new survey experienced a significant IT security incident in the past year

The overwhelming majority, 96%, of surveyed organizations spanning five industries in the United States and Europe experienced a significant IT security incident in the past year, notes a new report issued Wednesday by ForeScout Technologies Inc.

The finding is included in the company’s 2014 Cyber Defense Maturity Report, independent research for which was conducted by IDG Connect, notes a statement from ForeScout Technologies, a provider of pervasive network security solutions.

A graphic in the report indicates 39% of organizations polled experienced on average more than two significant security incidents in the past year, and 16% experienced on average more than five significant security incidents.

The report is based on responses that included 1,600 IT information security decision-makers in organizations with more than 500 employees spanning five industries (finance, manufacturing, healthcare, retail and education) in the U.S., United Kingdom, Germany, Austria and Switzerland.

Using mean scores per security incident, the report notes that the top security incidents were phishing, compliance policy violation, unsanctioned device use, unsanctioned application use, and unauthorized data access.

The majority of IT organizations are aware that some of their security measures are immature or ineffective, ForeScout Technologies reports, but only 33% are very confident in the likelihood that their organizations will improve their less mature security controls. Of the remaining respondents, 54% said they were somewhat confident and 13% said they were not confident.

And more challenges lie ahead, including increasing operational complexity and the threat landscape.

In all, 40% of respondents reported that security management tasks are more challenging now than two years ago. A graphic in the report shows 49% cited problem prevention, 42% noted problem diagnosis, 41% pointed to problem identification, 41% noted problem remediation, 37% cited problem monitoring and 31% noted problem documentation.

With regard to security issues, the most frequently cited were malware and advanced threat protection, 60%; application security, 58%; wireless security, 57%; network resource access, 56%; unsanctioned application use, 56%; personal mobile device use, 54%; and data leakage monitoring, 53%.

And the top five security technologies perceived to have the greatest interoperability value were firewalls, anti-malware, network access control, mobile device management, and advanced threat detection.

“While confidence in IT security management appears optimistic, overall findings showed a contradiction in efficacy and likely investment compared to where incidents have been most impactful,” ForeScout Technologies reports.

“The findings provide a useful snapshot of the state of exposures, controls and investment across global regions and industries,” Scott Gordon, chief marketing officer at ForeScout, says in the company statement. “The independent research clearly validates the need for continuous monitoring, intelligence and mitigation capabilities,” Gordon adds.

Other findings in the report include the following:

• control practices indicated as relatively immature were personal mobile device usage, perimeter threats, inventory management and endpoint compliance, virtualization security, rogue device and application security;
• more than 61% cited low to no confidence on network device intelligence, maintaining configuration standards and defences on devices, and ensuring virtual machine and remote devices adhere to policy;
• significant compliance policy violations that consumed a large amount of time to recover from occurred an average of 2.6 times in the last 12 months on aggregate across all three regions;
• manufacturing, education and finance sectors appear more prone to phishing attacks while the healthcare sector was more likely to experience higher than average compliance policy violations; and
• 78% of respondents on average cited BYOD as having an impact on governance, risk and compliance. 

The report offers insights into the nature of security issues impacting organizations; the perceived maturity of process, controls and tools applied to pre-empt and contain exposures; the state of confidence in security operations; and the most likely areas for future improvement and investment.