Shrinking budgets, a lack of adequately trained security personnel, and system complexity have introduced serious vulnerabilities in the security posture of many organizations, according to the report, said Franc Artes, Security Business Group architect for Cisco.
“It is these gaps which cyber criminals are exploiting with the use of classic attack methods such as adware and email spam,” said Artes. “Botnets are causing spam volumes to rise globally.”
Spam accounts for nearly two-thirds (65 per cent) of email with eight to 10 per cent cited as malicious, according to the report.
Email spam became a problem in the early 1990s and grew exponentially, accounting for as much as 85 per cent of all email sent globally around 2010.
“Incidence of spamming and their use as attack vectors experienced a massive drop about seven years ago,” Artes said.
He said cyber criminals typically shift tactics when they find that a method of attack has become less potent. It is not uncharacteristic of cyber criminals, however, to go back to a previously used method if they deem it effective.
Cisco surveyed nearly 3,000 chief security officers and security operation leaders from 13 countries as part of its ACR.
CSOs cited budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures, said Artes.
Leaders also revealed that their security departments are increasingly complex environments with 65 per cent of organizations using from six to more than 50 security products, increasing the potential for security effectiveness gaps.
Cisco’s ACR is very useful material for ICT security professionals because it provides information about the major security concerns facing organizations from various sectors. It also sheds some light on how these businesses are dealing with these issues and measures the effectiveness of the security practices they employ.
The high cost of security breaches
The 2017 ACR found that over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 per cent.
Ninety per cent of these organizations are improving threat defense technologies and processes after attacks by separating IT and security functions (38 per cent), increasing security awareness training for employees (38 per cent), and implementing risk mitigation techniques (37 per cent).
More than 50 per cent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention.
- Twenty-two per cent of breached organizations lost customers — 40 per cent of them lost more than 20 per cent of their customer base.
- Twenty-nine per cent lost revenue, with 38 per cent of that group losing more than 20 per cent of revenue.
- Twenty-three per cent of breached organizations lost business opportunities, with 42 per cent of them losing more than 20 per cent.
Hackers follow new business models
Attackers continue to use time-tested techniques, but also employ “new approaches that mirror the middle management structure of their corporate targets,” according to ACR researchers.
- New attack methods model corporate hierarchies – Certain malvertising campaigns employed brokers (or “gates”) that act as middle managers, masking malicious activity. Adversaries can then move with greater speed, maintain their operational space, and evade detection.
- Cloud opportunity and risk – Twenty-seven per cent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns.
- Old-fashioned adware – software that downloads advertising without user permission – continued to prove successful, infecting 75 per cent of organizations investigated.
Cisco, however, found there was a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino, whose owners were brought down in 2016.
Don’t hold your breath: new small players are rushing in to fill the gap, said Cisco.
How to deal with threats
Cisco advises these steps to prevent, detect, and mitigate threats and minimize risk:
- Make security a business priority – Executive leadership must own and evangelize security and fund it as a priority.
- Measure operational discipline – Review security practices, patch, and control access points to network systems, applications, functions, and data.
- Test security effectiveness – Establish clear metrics. Use them to validate and improve security practices.
In a nutshell, organizations need to focus on beefing up their security teams’ capability, increasing security awareness among personnel, ensuring system interoperability, and working on reducing the time to detect and stop attacks, said Artes.