If your org hasn't had a security incident in the last year: Good for you, you're in the minority

Nearly seven in eight CTOs and CIOs have admitted to their businesses suffering a data breach, according to a survey.

Threat intel biz Carbon Black reckons that of the 250 CTOs, CIOs and CISOs it surveyed earlier this year, 84 per cent admitted to some form of security breach within their organisation.

This compares with 88 per cent in January and 84 per cent answering "yes" to the same question in July last year. Details of exactly what constituted a "breach" were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services.

Most frequently breached were local councils, government orgs and retail businesses. Carbon Black reckoned that of the breached organisations, a shade under three-quarters said they had suffered reputational harm from the breach – with a third adding that they had "suffered financial impact" on top of that.

Healthcare and financial services, two traditional targets of online criminals, said they had seen attacks of "increasing sophistication" targeted at them over the past year. Although growth in sophistication is claimed to be growing, this appears to be a subjective judgment.

Malware tops the list of bad things happening, with one in five surveyed CIOs claiming to have been hit by custom malware. Around 27 per cent, in contrast, said "generic malware" was at fault for causing them problems.

While Carbon Black's survey didn't break out what malware was and wasn't seen, it fits the general pattern of ransomware crooks broadly targeting smaller, often public-sector organisations. With limited technical and financial resources to help them mitigate or overcome attacks on their IT infrastructure, such targets are relatively obvious and potentially lucrative if the targets give in and pay up.

Encouragingly for industry, 93 per cent of those 250 surveyed agreed to say that they were increasing their corporate spending on infosec.

Rick McElroy, Carbon Black's head of security strategy, opined: "We found that companies are tightening up on the factors they can control, such as process weaknesses and out-of-date security technology, making incremental gains that improve their security posture from within.

"Nevertheless, phishing appears to remain the root cause of the majority of breaches, emphasising that businesses still have much work to do to get their employees on board and alert to phishing and social engineering."

It's generally not the high-tech, crafted malware attack from a sophisticated and determined attacker that pwns you. It's Doris in HR clicking an email link and it doesn't matter whether that results in a personal data leak or your trade secrets becoming public knowledge. Keep training your staff, folks. ®