At the end of January, Cisco Systems released its Annual Cybersecurity Report (ACR). The report has become something of a tradition for Cisco, with this being the 10th year running, and it’s always a good resource for keeping your finger on the pulse of the rapidly changing field of cybersecurity. Even Cisco’s direct competitors keep an eye on it, because it is industry-focused thought leadership rather than shilling for Cisco sales.
The report is drawn from a survey of approximately 3,000 chief security officers (CSOs) and security operations leaders from 13 countries, and tracks the challenges and opportunities security teams face as attack methods shift. It’s a pretty lengthy report (which you can read in its entirety here), but I wanted to break down some of the key findings from the 2017 edition.
Over a third of breached organizations lost more than 20%
“In 2017, cyber is business, and business is cyber,” according to John N. Stewart, Cisco’s Senior Vice President and Chief Security and Trust Officer. It might seem obvious, but it bears repeating: the more digital traffic there is, the greater the attack surface, and global IP traffic is expected to triple by 2020. More than a third of the organizations that reported a breach in the past year said they suffered significant losses of customers, opportunities, or revenue, in each case exceeding 20%. That’s a big blow for any company, and it does not appear to be taken lightly: the report says 90% of those organizations are working to improve their threat defenses through a handful of strategies, such as separating the IT and security functions, increasing security awareness training for employees, and implementing risk mitigation techniques.
In my humble opinion, they should be looking at their architecture first and determining their exposure. They should also start using the biometric security that’s available now and stop using passwords. To start.
The three main barriers to advancement cited by CSOs are budget constraints, poor compatibility between systems, and a lack of trained talent. Another emerging issue is that security departments are getting more, not less, complex: 65% of organizations use anywhere from 6 to 50 different security products, which leaves a lot of room for gaps in effectiveness.
Time to detection down... at least for Cisco customers
Another metric the ACR tracks is “time to detection” (TTD), the window between a compromise and the detection of the threat. The median TTD in early 2016 was about 14 hours, but by the end of the year Cisco had brought it down to as low as 6 hours in some cases (based on telemetry gathered from Cisco products that organizations can opt in to). It’s nice to see Cisco making such strides here: the sooner a threat is detected, the sooner it can be contained. The figure is Cisco-centric, of course, but hey, they’re paying for the research.
Cyber threats affected the bottom line... big time
As mentioned earlier, cyber threats can have extremely costly consequences, affecting everything from operations and finance systems to customer retention and brand reputation. Of the organizations that were compromised, 22% lost customers (and 40% of those lost more than 20% of their customer base), 29% lost revenue (38% of those lost more than 20% of revenue), and 23% lost business opportunities (42% of those lost more than 20% of them). These are big hits, and they have organizations scrambling to shore up their shortcomings and rethink their strategies.
The Changing Face of Threats
A key finding from 2016 is that hacking has become more “corporate”: according to Cisco’s press release on the report, cybercriminals are adopting approaches that mirror the “middle management” structure of their corporate targets. Attackers are employing brokers that act as middle managers, masking malicious activity and letting the operators move with greater agility and evade detection. Significant risk also originates from third-party cloud-based apps introduced by employees: although they are brought in with the well-intentioned goal of increasing efficiency and opportunity, around 27% of these apps were categorized as high-risk.
And what of the more traditional threats? Adware, the perennial pest, remains pervasive, infecting 75% of the organizations investigated. Spam email is also back in style: a reported 65% of email is spam, and roughly 8% of that spam is malicious. On the plus side, use of the large exploit kits (Angler, Nuclear, Neutrino, etc.) dropped off after their operators were taken down, but smaller players have already begun to fill the gap.
One of the findings that caught my eye was that servers, not clients or the network, are becoming the biggest area of opportunity for attackers. Server vulnerabilities rose 34%, while client vulnerabilities declined 8% and network vulnerabilities declined 20%. I expect that we will see enterprise vendors and cloud vendors jumping on this very, very quickly.
According to the report, a mere 56% of security alerts are actually investigated, and fewer than half of the legitimate ones are remediated, mostly because of a lack of manpower and increasing complexity. Those numbers are concerning, and drawing on the data gathered for the ACR, Cisco offers several recommendations to help minimize these risks. The number one point is that security has to start from the top down and be made a business priority at the executive level, which will hopefully do something to address the funding (or lack thereof) issue. Cisco is also recommending that organizations measure operational discipline: review security practices, patch, and control access points to networks. It further advises organizations to establish clear metrics to routinely test, validate, and improve security effectiveness, and to put integration and automation high on the list of criteria when assessing products.
The Cisco ACR really is a great resource for anyone in IT who wants a 10,000-foot view of a constantly evolving landscape. The attack surface is growing, and businesses are feeling the impact of these increased opportunities for cybercriminals in their pocketbooks. It’s important to keep an eye on emerging strategies (the middle-management approach, for one), but also to keep fighting the more traditional threats of spam and adware. Cisco’s recommendations, if followed, should do much to combat all of them.
First and foremost, I believe enterprises must take an architectural approach to security to ensure they aren’t just filling holes in the hull of the boat. Sure, everyone says they do this, but are they really making dramatically different decisions based on security? One great example is enterprises bellyaching about identity protection and not implementing multi-factor biometric authentication. How about guarding your server’s BIOS like you do with your client PCs? It’s time the industry starts making these real changes before it’s too late.