Many big companies are failing to learn from information security incidents, according to Rob Kraus, director of research at malware analysis firm Solutionary.
Few organisations are conducting post-incident reviews to see how and why the attack took place, he told attendees of the 2012 (ISC)2 Security Congress taking place in Philadelphia.
Reviews can help organisations identify what controls they need to put in place to stop similar security incidents in future, said Kraus.
"After an incident, organisations should not just forget about it and move on, but should instead use what they have learned to drive future information protection actions," he said.
Post-incident reviews can also help organisations calculate exactly how much it cost to deal with the attack and then compare that with the cost of technical controls needed to block similar attacks.
On average, antivirus software detects only 46% of malware Identify weaknesses in your cyber defences
In making this comparison, organisations also need to factor in the reality that in most cases technical controls have to make up for human susceptibility.
According to Kraus, some organisations have begun to accept that their users will be used as a means to attack the organisation.
"If you know users will click on malicious links, it is better to be prepared and have the technical controls in place that will be able to mitigate the impact," he said.
Organisations should also use threat research as a way of identifying potential weaknesses in their defences.
Read more from the 2012 (ISC)2 Security Congress New malware age demands new security approach, says threat researcher (ISC)2 launches programme to attract young security professionals Government should stop reinventing the IT security wheel, says (ISC)2 Skills shortage means no unemployment in IT security, says (ISC)2 Two UK students chosen for (ISC)2 IT security scholarships CISOs key to transition to cloud, says (ISC)2
Kraus said research has revealed that, on average, antivirus (AV) software detects only 46% of malware, further highlighting a common theme at the conference that AV alone does not offer much protection.
More than half the malware is going undetected, which he said means that organisations which depend on AV are vulnerable to literally tens of millions of types of malware.
While targeted attacks are a reality and should factor into every organisation's information security strategy, Kraus said none could afford to forget about mass distribution attacks that are typically email-based.
These still account for the majority of attacks faced by organisations, he said, with only 8% of attacks seen by Solutionary being classified as targeted attacks, including advanced persistent attacks (APTs).
