Cisco’s 2017 Cybersecurity Report: Things Are Much Worse

It is getting so that when someone introduces a new cybersecurity report to me these days I end up wanting to dig a hole in a remote location and pull it in after me.

The newest Cisco report is especially scary. It effectively says that threats are accelerating at an increasing rate and that firms still aren’t taking them seriously enough. Companies’ biggest exposure is the massive acceleration of cloud services, which have rendered many existing security methods obsolete.

Even some previous good news has been reversed. For instance, spam, which had nearly died out a few years back, is now up to 65 percent of email, according to the report, and 8 percent of it is malicious. Suddenly fax machines and snail mail don’t seem that bad, do they?

By the way, there were a couple pieces of good news in the report. Apparently attacks on clients and the network is dropping off; unfortunately, the hackers are going after servers far more aggressively.

Let’s cover the state of security this week.

The Ugly Parts of the Cisco Cybersecurity Report

If you wade through the document, you’ll see a massive increase in a variety of attacks and a far greater focus on going where the value is. Attacks are now more about extortion or theft of assets that can be sold than about causing aggravation. Attackers haven’t forgotten clients, but their efforts are less about getting what is on the PC and more about stealing passwords and IDs that can be used to access data repositories or gain access to trusted ways (often email) to deliver malware payloads. This means that any email with an executable attachment is a potential breach waiting to happen and that compromised websites remain risks.

Attackers appear to be speeding up their efforts sharply, including quickly identifying malware that is no longer working and updating it. So while time-to-detection has dropped by more than half, there is little reason to celebrate because attack speed and the effectiveness of attacks is increasing even more quickly.

Two stats are particularly concerning: More than two-thirds of those surveyed perceive their security tools are very to extremely effective. But 40 percent of the alerts these tools deliver are never investigated. Of the 56 percent that are investigated, more than one in four is a legitimate attack, and more than half of these are not remediated.

And 7 percent of the firms surveyed don’t get alerts, which I’m sure makes them feel safer but suggests to me that their security solution isn’t working at all. In the current environment, not getting any alerts should be a massive red flag that the alerting system is broken.

Impacts aren’t trivial. Respondents indicated that breaches damaged operations, finance, customer retention and even their brands. In addition, a whopping 65 percent of the organizations responding indicated they were offline anywhere from 1 to 8 hours as a result of the attack and that 30 percent of their systems were adversely impacted.

Heart of the Cybersecurity Problem

These stats have remained largely flat year-over-year. So why aren’t these issues being adequately mitigated?

At the heart of the problem are budget (35 percent), compatibility issues (28 percent), lack of trained personnel (25 percent and getting worse) and certification requirements (25 percent). In addition, the complexity of firms’ security solutions has reached nearly unmanageable levels with the majority of firms using between 6 and 50 security vendors and 6 to 50 different security products.

Some Good News in IT Security

There actually is some progress in more than a third of the organizations surveyed. Following best practices, 38 percent of organizations have separated cybersecurity from IT. Thirty-eight percent have increased security awareness training. Thirty-seven percent have increased focus on both risk analysis and mitigation. Thirty-seven percent have increased investment in security defense technologies and solutions. And 37 percent have increased investment in training of security staff.

Of course, if you do the math, that means 60 percent aren’t doing most of these things, and that suggests a real problem.

IT Security Recommendations

The report concludes with some natural recommendations. The majority of firms need to step up and take this topic far more seriously than they currently appear to be doing. Even if you are taking cybersecurity seriously, a supplier or vendor may not be, and that will likely be how you get breached.

For those of you that don’t take cybersecurity seriously, you likely didn’t read this far. For those who did, realize you not only need to make sure you are secure, but also that anyone accessing your systems is secure as well.

I still recall one of the biggest security showcases we did at IBM. We made the firm as secure as possible, but it was breached because the paid attacker got in through a trusted link by way of poorly secured vendor. If you aren’t auditing your vendors’ security preparedness and limiting their access, you are likely just as likely to suffer a breach as the folks that aren’t taking all of this seriously.

Good luck! Now I’m going to go dig that hole…

Photo courtesy of Shutterstock.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020