It is getting so that when someone introduces a new cybersecurity report to me these days I end up wanting to dig a hole in a remote location and pull it in after me.
The newest Cisco report is especially scary. It effectively says that threats are accelerating at an increasing rate and that firms still aren’t taking them seriously enough. Companies' biggest exposure is the massive acceleration of cloud services, which have rendered many existing security methods obsolete.
Even some previous good news has been reversed. For instance, spam, which had nearly died out a few years back, is now up to 65 percent of email, according to the report, and 8 percent of it is malicious. Suddenly fax machines and snail mail don’t seem that bad, do they?
By the way, there were a couple pieces of good news in the report. Apparently attacks on clients and the network is dropping off; unfortunately, the hackers are going after servers far more aggressively.
Let’s cover the state of security this week.
If you wade through the document, you’ll see a massive increase in a variety of attacks and a far greater focus on going where the value is. Attacks are now more about extortion or theft of assets that can be sold than about causing aggravation. Attackers haven’t forgotten clients, but their efforts are less about getting what is on the PC and more about stealing passwords and IDs that can be used to access data repositories or gain access to trusted ways (often email) to deliver malware payloads. This means that any email with an executable attachment is a potential breach waiting to happen and that compromised websites remain risks.
Attackers appear to be speeding up their efforts sharply, including quickly identifying malware that is no longer working and updating it. So while time-to-detection has dropped by more than half, there is little reason to celebrate because attack speed and the effectiveness of attacks is increasing even more quickly.
Two stats are particularly concerning: More than two-thirds of those surveyed perceive their security tools are very to extremely effective. But 40 percent of the alerts these tools deliver are never investigated. Of the 56 percent that are investigated, more than one in four is a legitimate attack, and more than half of these are not remediated.
And 7 percent of the firms surveyed don’t get alerts, which I’m sure makes them feel safer but suggests to me that their security solution isn’t working at all. In the current environment, not getting any alerts should be a massive red flag that the alerting system is broken.
Impacts aren’t trivial. Respondents indicated that breaches damaged operations, finance, customer retention and even their brands. In addition, a whopping 65 percent of the organizations responding indicated they were offline anywhere from 1 to 8 hours as a result of the attack and that 30 percent of their systems were adversely impacted.
These stats have remained largely flat year-over-year. So why aren't these issues being adequately mitigated?
At the heart of the problem are budget (35 percent), compatibility issues (28 percent), lack of trained personnel (25 percent and getting worse) and certification requirements (25 percent). In addition, the complexity of firms' security solutions has reached nearly unmanageable levels with the majority of firms using between 6 and 50 security vendors and 6 to 50 different security products.
There actually is some progress in more than a third of the organizations surveyed. Following best practices, 38 percent of organizations have separated cybersecurity from IT. Thirty-eight percent have increased security awareness training. Thirty-seven percent have increased focus on both risk analysis and mitigation. Thirty-seven percent have increased investment in security defense technologies and solutions. And 37 percent have increased investment in training of security staff.
Of course, if you do the math, that means 60 percent aren’t doing most of these things, and that suggests a real problem.
The report concludes with some natural recommendations. The majority of firms need to step up and take this topic far more seriously than they currently appear to be doing. Even if you are taking cybersecurity seriously, a supplier or vendor may not be, and that will likely be how you get breached.
For those of you that don’t take cybersecurity seriously, you likely didn’t read this far. For those who did, realize you not only need to make sure you are secure, but also that anyone accessing your systems is secure as well.
I still recall one of the biggest security showcases we did at IBM. We made the firm as secure as possible, but it was breached because the paid attacker got in through a trusted link by way of poorly secured vendor. If you aren’t auditing your vendors' security preparedness and limiting their access, you are likely just as likely to suffer a breach as the folks that aren’t taking all of this seriously.
Good luck! Now I’m going to go dig that hole…
Photo courtesy of Shutterstock.