Despite well-publicized data thefts in recent years, major US companies are as vulnerable as ever to hacker attacks, and many executives say their businesses lack the resources to protect themselves, according to a report from the Waltham-based computer security company CounterTack Inc.
CounterTack commissioned a survey of 100 information security executives at companies with revenues greater than $100 million and found that half had dealt with computer network attacks during the previous 12 months.
A third of those executives doubted their organizations could fend off future attacks, and 84 percent said their companies were vulnerable to “advanced persistent attacks” — highly aggressive assaults launched by major criminal organizations and foreign governments, such as the 2011 attack on the Bedford data security company RSA Security.
That incident compromised the company’s popular SecurID data protection technology and led to follow-up attacks against major US defense contractors who relied on RSA’s network security products.
CounterTack chairman William Fallon, a retired four-star admiral who headed the US military’s Central Command, said that advanced persistent threats are the most dangerous because they are carried out by highly skilled criminals or spies with ample resources and plenty of time.
“This is not some simple kid playing with a computer to cause you some heartburn,” said Fallon. “This is very sophisticated penetration by people who are well trained. They know what they’re doing.”
Fending off advanced persistent threats requires a big investment of time and expertise, but according to the survey, 44 percent of security executives said they lack the resources to fight such attacks.
Fallon’s company makes a product that allows network operators to keep intruders under surveillance as they probe a company’s network, and possibly limit any damage the intruder might do.
“The best thing you can do is to have intelligence,” said Fallon, “not just spending all your money throwing up walls, which is not going to work.”
Mike Tuchen, chief executive of the Boston data security company Rapid7 LLC, said that if anything, the CounterTack survey understates the vulnerability of corporate networks. Still, the danger of advanced persistent threats may be somewhat overstated, he said, because most companies aren’t likely targets for such intensive hacking. The information stored by most businesses, though valuable, probably wouldn’t be worth an all-out hacking campaign of the kind that compromised RSA Security, he said.
“Targeted attacks are really going against companies that are strategic targets” like major banks, said Tuchen, because “that’s where the money is.”
Defense contractors or companies that operate critical infrastructure, like electric utilities, would also be likely targets for attacks from hostile foreign governments, he added.
Still, every company is at risk from less-advanced online criminals, Tuchen said. Virtually every company network is breached sooner or later, he said, and many companies do not detect breaches for months or even years.
“The question isn’t will I get compromised,” Tuchen said, “but how quickly will I discover it when I am.”