Cisco recently published its tenth annual data breach report, and some of the findings should be cause for concern by people who own, run, or work for businesses.
The firm's 2017 edition of its annual cybersecurity report entitled "Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking," provides insights based on threat intelligence gathered by Cisco's security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.
Cisco noted that, according to its research, in 2016:
- More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. (If you own or work for a business, take note: data breaches have repercussions.)
- For organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers -- 40% of them lost more than a fifth of their customer base. 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities. (The repercussions are quite costly.)
- CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Security leaders also reveal that their security departments are increasingly complex environments with nearly two thirds of organizations using six or more security products - some with even more than 50! - increasing the potential for security effectiveness gaps and mistakes. (Complexity and a lack of skilled professionals are putting businesses at risk.)
- Criminals are leveraging "classic" attack mechanisms - such as adware and email spam - in an effort to easily exploit the gaps that such complexity can create. (Criminals often don't need to spend resources crafting and executing advanced attacks - simple attacks can do the job.)
- Spam is now at a level not seen since 2010, and accounts for nearly two-thirds of all email -- with eight to 10 percent of it being outright malicious. Global spam volume is rising, often spread by large and thriving botnets. (Spam is a serious problem that has not gone away - because it works!)
- Old-fashioned adware (that is, software that downloads advertising without users' permission, continues to prove successful, infecting 75 percent of organizations polled. (...as is adware.)
Just 56 percent of security alerts are investigated and less than half of legitimate alerts actually lead to problems being corrected. Defenders, while confident in their tools, are undermined by complexity and manpower challenges; criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion. (Information overload is causing a "Boy Who Cried Wolf" situation in some environments, and too many real alerts are overwhelming information-security professionals in others.)
Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns. (Inadequately vetted applications can create risks.)
- On the positive side, 90% of organizations that experienced a breach in 2016 are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). (Thankfully, firms that have suffered breaches are investing in preventing future problems.)
Discussing the report, John N. Stewart, Cisco's Senior Vice President and Chief Security and Trust Officer, noted that "In 2017, cyber is business, and business is cyber -that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture."
Here are comments from several other industry insiders on the report.
- David Vergara, Head of Global Product Marketing, VASCO Data Security:
"This report makes several things abundantly clear. The first is that cybercriminal's weapon of choice is not always the sophisticated attack; generally, they prefer the path of least resistance, so security laggards beware. Second is the hard cost of a breach, through lost customers, revenue and business, is rising dramatically. This cost should drive more pointed security resource discussions and prop up related business cases."
- Brad Bussie, Director of Product Management, STEALTHbits Technologies:
"Statistics from this study, and others, show an alarming trend that asset risk is no longer being calculated correctly. Losing customers, revenue, and opportunities can be mapped directly back to breached systems. It would be interesting to see how much it would have cost to protect the systems in question, or to change to process that was exploited and compare it to what was lost because of the breach."
- Don Duncan, Security Engineer, NuData Security:
"Cisco's findings that 22% of breached organizations lost customers and a significant number of these companies lost 20% of their entire customer base is a sobering data point for any organization when considering whether to disclose a breach publically. Regulations may be coming that will force disclosures. Until that happens, with so much at risk it's no wonder that breach numbers are vastly underestimated."
- Brian Laing, VP of Business Development and Products, Lastline:
"The Cisco data breach report highlights the continually evolving techniques used by criminals to exfiltrate sensitive corporate data, and the resulting impact on business performance. Enterprises must continually expand and enhance their security capabilities to keep up with new techniques, schemes, and technology continually introduced by organized crime."