Cisco report

by Mark Rowe

Only a minority, 45 percent, of organizations worldwide are confident in their security posture as cyber attackers launch more sophisticated, bold and resilient campaigns. That’s according to the Cisco 2016 Annual Security Report.

While executives may be uncertain about their security strength, 92 percent of them agree that regulators and investors will expect companies to manage cybersecurity risk exposure. These leaders are increasing measures to secure their organisations’ future, particularly as they digitize their operations.

The report covers the challenges businesses face due to the rapid advances of attackers. Hackers increasingly tap into legitimate resources to launch effective campaigns for profit. Direct attacks by cybercriminals, leveraging ransomware alone, put $34m a year per campaign into their hands. These miscreants continue to operate unconstrained by regulatory barriers, according to the report.

John N Stewart, senior vice president, chief security and trust officer, Cisco, says: “Security is resiliency by design, privacy in mind, and trust transparently seen. With IoT and digitization taking hold in every business, technology capability must be built, bought, and operated with each of these elements in mind. We cannot create more technical debt. Instead, we must meet the challenge head on today.”

Businesses are up against security challenges that inhibit their ability to detect, mitigate and recover from common and professional cyberattacks. Ageing infrastructure and outdated organizational structure and practices are putting them at risk.

The study calls for greater collaboration and investment in the processes, technologies and people to protect against industrialised adversaries.

Findings

Less than half of businesses surveyed were confident in their ability to determine the scope of a network compromise and to remediate damage. But an overwhelming majority of finance and line-of-business executives agreed that regulators and investors expect companies to provide greater transparency on future cybersecurity risk. This points to security as a growing boardroom concern.

Between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10 percent. The survey discovered that 92 percent of Internet devices are running with known vulnerabilities. Thirty-one percent of all devices analysed are no longer supported or maintained by the vendor.

As more enterprises look closely at their supply chain and small business partnerships, they are finding that these organisations use fewer threat defense tools and processes. For example, from 2014 to 2015 the number of SMBs that used web security dropped more than 10 per cent. This indicates potential risk to enterprises due to structural weaknesses, according to the company.

As part of a trend to address the talent shortage, enterprises of all sizes are realizing the value of outsourcing services to balance their security portfolios. This includes consulting, security auditing and incident response. SMBs, which often lack resources for an effective security posture, are improving their security approach, in part, by outsourcing, which rose to 23 percent in 2015 from 14 percent the previous year.

Online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks, using social media platforms for nefarious purposes. For example, the number of WordPress domains used by criminals grew 221 percent between February and October 2015.

While often viewed by security teams as a low-level threat, malicious browser extensions have been a potential source of major data leaks, affecting more than 85 per cent of organizations. Adware, malvertising, and even common websites or obituary columns have led to breaches for those who do not regularly update their software.

Nearly 92 percent of “known bad” malware was found to use DNS as a key capability. This is frequently a security “blind spot” as security teams and DNS experts typically work in different IT groups within a company and don’t interact frequently.

The industry estimate for time to detection of a cybercrime is an unacceptable 100 to 200 days, the IT firm says. Cisco adds that it has further reduced this figure from 46 to 17.5 hours, since the 2015 Cisco Midyear Security Report was released. Shrinking the time to detection has been shown to minimise cyberattack damage, lowering risk and impact to customers and infrastructures worldwide. With organizations increasingly adopting digitization strategies for their operations, the combined volume of data, devices, sensors, and services is creating new needs for transparency, trustworthiness, and accountability for customers.

Comments

Stephen Love, Security Practice Lead – EMEA, Insight says: “Cisco’s 2016 Annual Security Report finding that less than half of organisations worldwide are confident in their security posture, is somewhat worrying. As cyber-attacks are becoming increasingly sophisticated, businesses are realising the ever-growing need to protect their data assets, but are unclear as to how. Couple this with a growing expectation for full transparency of cybersecurity risks, organisations begin to lose confidence in their abilities to detect, moderate and recuperate from an attack. It is time to face the inevitable situation; businesses are highly likely to face a data breach in the near future. Every organisation – no matter how large or small – must have a robust security approach to its data management. It is crucial then that businesses assess just what portion of their data is most valuable and needs closer security attention. Not all data in an organisation would be deemed ‘sensitive.’ By carrying out a thorough assessment as to what data is uniquely distinct to the organisation, then discovering in what ways this data is at risk, and putting in place security measures accordingly, every organisation can feel confident that they have the best defensive measures possible in place. If a breach were to take place for instance, and the sensitive data ends up in the wrong hands, it will be rendered useless.”

David Kennerley, Threat Research Manager, Webroot said: “For too long have smaller companies adopted the attitude that they are too small or too “low value” to be targeted, and for too long has cyber-security taken a back seat. As this research shows, the outsourced approach is increasingly a viable alternative to the “go at it alone” status quo. It opens the door to a world of experienced MSPs, the best of which offer comprehensive, lightweight security solutions that are affordable, easy-to-install and provide real-time protection against modern threats. These small businesses are often targeted by advanced and persistent threats because of their partnerships with bigger fish. Without addressing these security capabilities SMBs will find it increasingly difficult to work with larger enterprises. It’s encouraging, however, that SMBs are broadly conscious of their cybersecurity failings. Our research shows that overall, 81 per cent of SMBs plan on increasing their annual IT security budget for 2016, by an average of 22pc.”

And Darren Anstee, Chief Security Technologist, Arbor Networks, said: “This report serves as yet another confirmation that attackers are becoming ever more sophisticated and, as a result, it is becoming ever more difficult to identify and stop their activities before they reach their goal. Although detection technologies, threat intelligence sharing and IR processes are improving in many cases, many businesses are still not able to prevent a breach, something that can have huge legal and financial consequences – as well as a significant loss of customer trust, especially if disclosure is not handled well.

“Fundamentally, attackers are moving more quickly than the technologies that we deploy to counter them. Further improvements in intelligence sharing, and better resourcing of IR teams will help but we need to make sure we are focusing our resources on the attacks that have the highest risk – and this isn’t necessarily just those that pop up as ‘red’ in our SIEM. To do this our incident responders need to spend more of their time in the right parts of the IR process, and we can drive this by giving them the right tools. If we can speed up the triage and investigative aspects of IR then we can obviously respond more quickly, but we can also free resources for more proactive exploration of suspicious activities that may otherwise have gone un-investigated. By giving IR teams unfettered access to network and threat activity over time, via workflows aligned with the IR process, we can allow existing resources to do a better job at reducing our risk of compromise.”
