A recent survey, conducted by IT risk management specialists nCircle, suggests that as many as 50% of IT security professionals think that the organisations they work for are a potential target for state-sponsored hackers, a number that Tim Keanini, nCircle Chief Research Officer, thinks is rather on the low side in reality.
"The number of organizations that are potential targets for state-sponsored cyber attacks is probably much higher than 50%, because if attackers can’t break into a targeted organization, they will go after partners and suppliers," Keanini insists, adding: "Frankly, I’m surprised that the level of paranoia among information security professionals isn’t higher."
Of course, to paraphrase a well-known saying, just because you are a paranoid IT security professional doesn't mean that China isn't out to get you. Or, perhaps more accurately, just because the media says that China is the country most likely to be hacking your business doesn't mean that everyone else isn't also at it. The public perception of who is behind state-sponsored attacks is not only shaped by media reporting, but also mis-shaped if you ask me. Ask Keanini and he will say the same: "The reality is that nations that are really good at cyber attacks don’t make the news because they don’t get caught." Interestingly, when it comes to those IT security pros who were surveyed (more than 200 of them who attended the 2013 RSA Conference in San Francisco), some 48% go with China as being the best equipped for launching state-sponsored cyber attacks, but 33% point the finger in the direction of the United States itself when it comes to advanced technical capability for such activity.
I'm not sure it really matters which direction state-sponsored hacking comes from, or where it is perceived to come from, or indeed if it is state-sponsored at all. Just look at the Worldwide Infrastructure Security Report from Arbor and you will see that quite clearly DDoS attacks are on the up: 76% of respondents experienced DDoS attacks towards their customers during the past year. Add to that the rise of hacktivism, with 33% reporting political and ideological disputes as the motivation behind those attacks, and it becomes clear that IT security professionals and the organisations they work for need to be focusing more on defense in depth and worrying less about apportioning blame.
As Dan Holden, Director of Arbor’s Security Engineering & Response Team, points out: "Global recognition for effective cyber security solutions in business is rising, but many still continue to bury their heads in the sand. The truth is that any business operating online - from the largest enterprise to an individual operator - can become a target for attack, because of who they are, what they sell or who they partner with. It’s extremely important that organisations of all sizes take best practice defensive steps to ensure they are adequately protected if, or more likely when, they become the target of an attack."