Even after armed with defense tools, CISOs say successful cyberattacks are ‘inevitable’: New study
In Cisco’s new Cybersecurity Readiness Index, only 15% of respondents to the global survey said their organizations have implemented security programs mature enough to defend against current cybersecurity risks.
While most enterprises have some collection of cybersecurity measures deployed, a full 82% of the 6,700 chief information security officers and other cybersecurity leaders in the 27 global markets Cisco examined, said they expect to be successfully attacked in coming months.
Some quick takeaways from the study:
- 60% of respondents reported a cybersecurity incident in the last 12 months.
- 71% said these incidents cost them, on average, $100,000.
- 41% said these incidents cost them $500,000 and more.
Cybersecurity as platform, not collection of individual solutions
Tom Gillis, senior vice president for Cisco Security, said enterprises are in the midst of a strategic shift away from security through collections of individual software security tools and cloud solutions for securing assets. Rather, he asserted, they are adopting broad coverage across vulnerabilities from single vendors integrated under one platform — an integrated suite of solutions versus an a la carte approach.
SEE: Why more is not necessarily better when it comes to security solutions
“For decades, new problems in security have arisen and small companies come up with innovative solutions to address these. But buying individual best-in-breed solutions from new vendors puts the burden on the customer to ingest all of these solutions and integrate them,” Gillis said.
“If you talk to a mature IT organization, they can easily have 150 security tools,” he added. “Are you really getting your value out of that?”
He said only 40% of security features are used continuously, while the rest are “in the single digits.”
Cisco’s study shows that 85% of security leaders plan to increase their cybersecurity budget by at least 10% over the next 12 months — but not on a piecemeal collection of tools.
“The majority of people have been spending money on security solutions for decades and putting very good technologies and innovative solutions to work,” said Gillis. “But if you ask them if we are winning or losing, most say we are definitely not winning.”
SEE: Business email attacks went way up last year.
Protecting identity, devices, networks, applications and data
Cisco based the index on respondents’ perception of their organization’s security stance around identity, devices, network, application workloads and data, and the extent to which their organizations have solutions in place for each of these. Based on responses detailing how far along their organizations were in achieving security goals, they placed organizations into four security-phase categories: beginner, formative, progressive and mature.
The largest proportion of companies, 47%, reported they are in the formative state of security systems deployment. Thirty percent said they were in the more advanced progressive state. Eight percent characterized themselves as “beginners,” and 15% “mature.”
Figure A
Where organizations see themselves in 5 key areas
Identity management
A quarter of all respondents ranked Identity Management (IDM) as the No. 1 risk for cyberattacks. Ninety-five percent said they had implemented some kind of identity management solution, with identity access management the most popular. Two-thirds said they have deployed IAM solutions.
Of those who have not yet rolled out identity solutions, 69% said they have no intention to do so. For those that do intend to roll out identity solutions, most said it would take from between one to five years to do so (Figure B).
Figure B
Gillis explained that it is not remarkable that organizations require a comparatively long stretch of time to deploy identity management solutions.
“For example, legacy systems need to be tested, and sometimes upgraded in order to ensure that they will work with the new IDM solution,” he said. “Organizations rolling out completely new features will often take their time to test these systems. Those upgrading their existing IDM to something more robust will take less time to do so. It would be nice if things like IDM could be slapped in and switched on, but security is never that simple.”
Protecting devices
Cisco said three-quarters of respondents reported their organizations use enhanced antivirus solutions for device protection. Sixty-five percent said they deploy host controls, which allow a computer to communicate and process information between itself and the device or the network to protect the computer’s operating system. Fifty-six percent of companies said they are either at the very start of their journey or only a short way down the path.
Protecting networks
In Cisco’s survey:
- 69% of respondents said their organizations use firewalls with built-in intrusion prevention systems.
- 61% reported deploying network segmentation policies based on identity ranking.
- 60% said they use network behavior anomaly detection tools.
- 31% mentioned that they protect their networks with packet capture and sensor tools.
But, according to the report, the scale of deployment is not keeping pace with attacks.
Among companies that have adopted firewalls with built-in intrusion protection, only 56% have fully deployed them and only 64% of companies have fully deployed network segmentation policies.
Among the companies that are still deploying network security solutions, 50% said they are planning to roll them out within the next 12 months.
“Some will roll out faster than others, but when you factor in budgeting, test deployments, additional testing, and additional rollout, that can take time; but getting things right from the beginning is worth it, and that is especially true for security. It should always be baked in, not bolted on, so that means starting from the ground and working up,” said Gillis.
Securing application workloads
Cisco’s study also reported that demand for low latency, always-on remote experiences is driving companies to accelerate the pace of digital application adoption. Almost all respondents to Cisco’s survey said they have deployed security solutions for applications:
- 66% of respondents said they use a host software firewalls, with 67% of these having fully deployed them.
- 64% said they use endpoint protection.
- 55% said they use application-centric protection tools.
- 34% deploy data loss prevention software.
Protecting data
Data theft is on the rise, but respondents to Cisco’s study say they are covered, with most saying they deploy data encryption and data caching technologies. Also:
- 55% of executives said they use identification and classification with data leak protection
- 41% said they deploy host IPS and protection tools.
- However, 94% have either fully or partially deployed encryption tools.
Companies in Brazil, Pacific Rim report readiness to deal with security
In the Americas, Brazil stood out as the country where companies are most ready to tackle today’s security challenges, with 26% of companies self-reporting that they are in a mature stage of preparedness.
Meanwhile, companies in Canada (9% in mature stage), the U.S. (13% in mature stage) and Mexico (12% in mature stage) demonstrate low levels of readiness compared to the global average.
In Asia-Pacific, organizations in Indonesia (39% in mature stage), the Philippines, and Thailand (27% each in mature stage), top the chart both regionally and globally. On the other hand, companies in richer countries like Japan (5% in mature stage) and South Korea (7% in mature stage) are at the bottom in security preparedness.
Figure C
SEE: Beware the perils lurking in the IT assets you don’t see (TechRepublic)
Gillis said it’s important to note that companies self-reported for the study and that the variance points to the key issue with mature security frameworks: companies in some South American or South Asian nations, for example, are young, started building out platforms more recently, and therefore are better positioned to deploy security solutions across their assets and infrastructure.
The study found that in Europe, in contrast, less than 10% of companies are deemed mature enough to tackle today’s cybersecurity issues. The UK and Germany are two exceptions, with 17% and 11% companies in a mature state of readiness respectively.
Mid-sized companies most prepared for cyberattacks
The Cisco Index reported that mid-sized firms of between 250 and 1,000 employees are best prepared, with over 19% of such firms reporting they are at a mature stage of overall readiness compared to 17% of larger businesses with 1,000 or more employees.
The study said smaller organizations, those that fall below what it calls the “security poverty line” are the least well-prepared, with just 10% being mature in their readiness. The Cisco Index also noted that these smaller enterprises, which often serve as vendors to larger organizations, are therefore a de facto target for lateral attacks on their much larger clients, which otherwise have strong security practices in place.