Even large corporations are often less prepared for online attacks such as those on Target and Neiman Marcus because top executives don't understand the risks well enough to make effective decisions about where to spend money to combat them, according to a new report. Sixty-eight percent of companies in the U.S. and U.K. have been attacked online in some fashion during the past 24 months, but half have no measurement tools to see how effective their security response is, and 80 percent don't get a regular chance to update top executives about the risks the company faces, according to a survey released Jan. 21 by Ponemon Institute and security software developer Lancope, Inc. Of the 674 IT and IT security pros Ponemon interviewed in the U.S. and U.K., 68 percent said they'd had a significant security incident during the past two years; 46 percent said their security is such that it is very likely they'll have another major incident within six months. Most organizations can respond within hours to an attack, but take an average of a month to fully investigate the attack, fix the problems that allowed it and restore all services, according to the report. Even when they do restore services and try to reassure everyone involved, fifty percent of respondents have no idea about the effectiveness of their work because they don't have the tools or operational metrics to gauge their efforts. The big problem, according to Larry Ponemon, chairman of Ponemon Institute, is that top corporate executives don't understand which IT security risks are serious, what can be done about them and often even lack the up-to-date information that might help make those decisions. When 80 percent of IT security people say they don't get the chance to communicate with top managers about potential threats or attacks, it doesn't just show a divide between IT and the business side, it shows top managers are keeping themselves in the dark about digital threats. As a result, they often make the wrong choices about what kinds of security policies or tools would be genuinely useful – opting for firewalls or high-cost external monitoring services, for example, rather than less flashy tools that show where the weak spots exist. Eighty percent of respondents preferred tools that analyze audit trails and packet captures to help identify the source of breaches or attacks, for example, rather than intrusion-detection, anti-virus, or other applications. More than half of respondents said their budget for incident response – the which pays for the actual emergency response to a real incident – is less than 10 percent of their total IT security budget and hasn't increased in more than two years. "The findings of our research suggest that companies are not always making the right investments in incident response," Ponemon wrote in a prepared statement. "As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organizations to elevate the importance of incident response and make it a critical component of their overall business strategy." Malicious attacks, not negligence or system glitches, are the primary cause of data breaches, according to a Ponemon/Symantec study from May 2013. Having a formal incident-response plan and tools in place ready to deal with attacks can cut the cost of a data breach by as much as $42 per compromised record, according to the report. Appointing a CIOS and beefing up security efforts overall can save another $67 per record, which put the average cost of a malicious data breach during 2013 at $277 per compromised record. Image: Shutterstock.com/ deepspacedave