Data breach costs exceed 20% of revenue

Cyber attackers find security gaps

Respondents also revealed that their security departments were increasingly complex environments, with 65% of organisations using six to more than 50 security products, increasing the potential for security gaps.

As the sophistication of cyber attacks continues to rise at an unprecedented pace, the report said defenders were struggling to improve threat defence to match this growth and ensure they have controls in place to cover the entire network.

The UK sits at the bottom of the list of countries that are effectively managing this balance, with Mexico and India storming ahead.

The report shows that cyber criminals are exploiting those gaps through a resurgence of “classic” attack methods such as adware and email spam, which has returned to levels last seen in 2010.

Spam accounts for nearly two-thirds of email, with 8-10% being malicious. Global spam volume is rising, often spread by large and thriving botnets, the report said.

Email is security weak spot

Dan Sloshberg, cyber resiliency expert at Mimecast, said email is an organisation’s weakest link. “It’s no surprise that spam, about a tenth of which is malicious, is at its highest level since 2010.

“Cyber criminals haven’t rediscovered this vulnerability, they’ve simply improved their tactics. Email accounts for 91% of all cyber attacks, from botnet-sent spam through to carefully curated messages targeting and impersonating senior executives,” he said.

Considering that nearly all organisational information passes through inboxes at some point, Sloshberg said the threat to personal and intellectual data is significant once a hacker gains access.

“The stakes are even higher with the growth of impersonation and ransomware attacks, which, if successful, are costing organisations more than ever, so a proactive approach to cyber resilience is essential,” he said.

Close down security loopholes

The annual report tracks progress in reducing “time to detection” (TTD) – the window of time between a compromise and the detection of a threat – and according to the latest report, Cisco has reduced the TTD from a median of 14 hours in early 2016 to as low as six hours in the second half of 2016. The data is based on opt-in telemetry gathered from Cisco security products deployed worldwide.

“A new metric – the ‘time to evolve’ [TTE] – looked at how quickly threat actors changed their attacks to mask their identity,” said David Ulevitch, vice-president and general manager of the security business at Cisco.

“With TTD, TTE and other measures gleaned from report findings, and working with organisations to automate and integrate their threat defence, we can better help them minimise financial and operational risk and grow their business,” he said.

In 2016, hacking became more “corporate,” the report said, with some malvertising campaigns, for example, using brokers to act as middle managers, masking malicious activity.

Digitisation danger

Changes in the technology landscape, led by digitisation, are creating opportunities for cyber criminals, the report said. Nearly a third of employee-introduced, third-party cloud applications that were intended to open up new business opportunities and increase efficiencies were categorised as high risk and created significant security concerns.

And while attackers continue to use time-tested techniques, they are also employing new approaches that mirror the “middle management” structure of their corporate targets. Old-fashioned adware ‑ software that downloads advertising without user permission – continued to prove successful, infecting 75% of organisations investigated.

Although there was a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino that were target by law enforcement in 2016, the report said smaller players rushed in to fill the gap.

The report revealed that just 56% of security alerts are investigated and less than half of legitimate alerts remediated, noting that while defenders are confident in their tools, they are battling complexity and manpower challenges, leaving gaps of time and space for attackers to use their advantage.

“In 2017, cyber is business, and business is cyber – that requires a different conversation, and very different outcomes,” said John Stewart, senior vice-president, chief security and trust officer at Cisco.

“Relentless improvement is required and that should be measured via efficacy, cost and well-managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture,” he said.

Measure security effectiveness

Darren Anstee, chief security technologist at Arbor Networks, said the Cisco report highlights the “relentless evolution” of cyber crime and shifting attack methodologies being used to target organisations.

“The report once again reminds us how important it is to be prepared and have the right processes and people in place. Cyber criminals continue to be innovative, and technology alone cannot protect us.

“The report highlights that businesses cannot investigate the alerts they receive today, so simply deploying more detection technologies that generate additional alerts won’t help. It is becoming increasingly important for organisations to invest in security technologies and processes based on their ability to maximise the effectiveness of their security teams, allowing them to investigate quickly and focus on what matters,” he said.

According to Anstee, the goal of security is to reduce business risk, which is where value can be demonstrated.

“To do this, organisations need to implement metrics that allow them to quantify whether investments have a positive or negative effect on overall risk. Getting this part right can make it easier to get investment, and can help business to move the security of their organisations in the right direction,” he said.