Corporate confidence in security falters

Less than half of organisations worldwide believe their security is robust enough to resist the increasingly sophisticated campaigns launched by attackers, reports Cisco.

In its ‘2016 Annual Security Report’, which examines threat intelligence and cybersecurity trends, the California-based multinational tech group finds that only 45% of the businesses surveyed were “confident in their security posture”.

While executives appear uncertain about their security strength, 92% of respondents to Cisco’s survey agreed that regulators and investors will expect companies to manage cybersecurity risk exposure. These leaders are increasing measures to secure their organisations’ future, particularly as they digitise their operations, the group comments.

The report highlights the challenges businesses face due to the rapid advances made by attackers. Hackers increasingly tap into legitimate resources to launch effective campaigns for profit. Additionally, direct attacks by cybercriminals leveraging ransomware alone put US$34m a year per campaign into their hands. “These miscreants continue to operate unconstrained by regulatory barriers,” the report’s authors comment.

Businesses are up against security challenges that inhibit their ability to detect, mitigate and recover from common and professional cyberattacks. Ageing infrastructure and outdated organisational structure and practices are putting them at risk.

Cisco’s study sounds a global call-to-arms for greater collaboration and investment in the processes, technologies and people to protect against industrialised adversaries.

Research extracts

Among the main findings of the 2016 report are the following:

Decreasing confidence, increasing transparency: Less than half of businesses surveyed were confident in their ability to determine the scope of a network compromise and to remediate damage. But an overwhelming majority of finance and line-of-business executives agreed that regulators and investors expect companies to provide greater transparency on future cybersecurity risk. This points to security as a growing boardroom concern.
Ageing infrastructure: Between 2014 and 2015, the number of organisations that said their security infrastructure was up-to-date fell by 10%. The survey found that 92% of Internet devices are running known vulnerabilities; 31% of all devices analysed are no longer supported or maintained by the vendor.
SMEs as a potential weak link: As more businesses look closely at their supply chain and small business partnerships, they are finding that these organisations use fewer threat defence tools and processes. For example, from 2014 to 2015 the number of small to medium enterprises (SMEs) that used web security dropped more than 10%. This indicates potential risk to businesses due to structural weaknesses.
Outsourcing on the rise: As part of a trend to address the talent shortage, businesses of all sizes are realising the value of outsourcing services to balance their security portfolios. This includes consulting, security auditing and incident response. SMEs, which often lack resources for an effective security posture, are improving their security approach, in part, by outsourcing, which rose to 23% in 2015 from 14% the previous year.
Shifting server activity: Online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks, leveraging social media platforms for nefarious purposes. For example, the number of WordPress domains used by criminals rose by 221% between February and October 2015.
Browser-based data leakage: While often viewed by security teams as a low-level threat, malicious browser extensions have been a potential source of major data leaks, affecting more than 85% of organisations. Adware, malvertising, and even common websites or obituary columns have led to breaches for those who do not regularly update their software.
The DNS blind spot: Nearly 92% of “known bad” malware was found to use domain name system (DNS) as a key capability. This is frequently a security “blind spot” as security teams and DNS experts typically work in different IT groups within a company and don’t interact frequently.
Time to detection faster: The industry estimate for time to detection of a cybercrime is an unacceptable 100 to 200 days. Cisco says that it has further reduced this figure from 46 to 17.5 hours, since its 2015 Midyear Security Report was released. Shrinking the time to detection has been shown to minimise cyberattack damage, lowering risk and impact to customers and infrastructures worldwide.
Trust matters: With organisations increasingly adopting digitisation strategies for their operations, the combined volume of data, devices, sensors, and services is creating new needs for transparency, trustworthiness, and accountability for customers.

