Uninvestigated security threats can swamp an organization

As business impacts of breaches grow, transparency and defenses start to improve

Businesses are pouring more and more money into cybersecurity, making it the fastest-growing IT market segment. But despite the heavy investment, security professionals’ confidence is waning in their ability to defend against cyber criminals, according to a newly released report by Cisco.

Global cybersecurity spending has nearly doubled in the past five years—growing from $63.7 billion in 2011 to an estimated $122.45 billion in 2016, according to research firm Market and Market.

Yet Cisco found that budget constraints, incompatible vendor products, and shortage of talent are creating major barriers for organizations. So much so, that 44 percent of security alerts go uninvestigated.

About a third of investigated alerts turn out to be legitimate—but only 46 percent of those legitimate alerts are actually being remediated.

“It’s a twofer,” says Franc Artes, architect with Cisco’s Security Business Group. “It’s not just [saying], ‘We didn’t get to a bunch of stuff,’ but also, ‘A big majority of what we did review, we didn’t get to remediate.’”

The 2017 Annual Security Report, released Jan. 31, included a poll of nearly 3,000 chief security officers and security operations leaders. Among them, budget constraints and compatibility issues were the top two obstacles to security—the same as in last year’s report.

Cisco found that 65 percent of respondents used more than five cybersecurity products and 55 percent used more than five vendors. Some organizations were using 50 or more (of each).

These disparate technologies often don’t integrate with one another. Adding to the challenge, Artes says, is a lack of “human beings to follow up on everything that needs to be done.”

The result is a system based on triage—and Artes says this is “like not looking at the 44 percent of the victims coming into the triage.”

“Lack of trained personnel is huge,” he says. “We have a major problem with finding people who are capable of doing all this work, especially when you start to consider the fact that we have so many different vendors and so many different products next to a heterogeneous network.”

Impacts felt across entire enterprise

Cisco found that only 58 percent of the security leaders described their security infrastructure as very up-to-date. That number has been on the decline in the past couple of years—from 59 percent in the 2016 report and 64 percent in the 2015 version.

This waning confidence is perhaps not surprising, considering the broad ramifications of data breaches. And there were plenty of breaches to be had last year: The Identity Theft Resource Center logged a record 1,093 breaches. That’s a 40 percent increase from 2015.

Artes says that in the past, organizations looked at a breach impact mostly from the perspective of operational losses, including loss of revenue and cost of remediation. Now, they’re taking a more holistic view.

Besides operations (named by 36 percent of respondents) and finances (30 percent), the other top aspects most likely to be affected by a breach that was publicly disclosed included:

• Brand reputation (26 percent)

• Customer retention (26 percent)

• Intellectual property (24 percent)

• Business partner relationships (22 percent)

• Supplier relationships (20 percent)

• Legal engagements (20 percent)

• Regulatory scrutiny (19 percent)

It’s worth noting that half of the organizations whose breach became public made the disclosure voluntarily. Artes says companies are becoming more transparent, partly because the stigma that came with a breach is gone. The likelihood of a breach is now an accepted reality.

“[There is] an understanding that the defenders have to be right 100 percent of the time, and the attacker needs to be right only once,” he says.

The good news is that breaches—whether those experienced first-hand or those disclosed by other companies—are driving defense improvements, Artes says. The top two are the separation of the security team from the IT team, and an increased awareness among employees.

“The business impact is becoming more and more apparent, and part of that is (due) to the transparency—we’re speaking about it, we’re recognizing it, we’re addressing it,” Artes says.

One takeaway from the Cisco report is that things aren’t going to get any less complicated for security practitioners. On one hand is the continuously expanding attack surface, considering the projected growth in IP traffic, mobile devices and cloud use. On the other is the evolution of cyber criminals.

“They’re realizing … they have to evolve faster and faster because the industry itself is getting faster and faster,” Artes says.

Among Cisco’s conclusions is that “defenders must focus their resources on reducing their adversaries’ operational space” and use automation as part of their strategy.

“Human expertise cannot be thrown at this and actually solve it,” said Cisco Chief Security and Trust Officer John N. Stewart in a video overview of the report. “You need integrated security architecture with near real-time insight, automated detection … and automated defense.”
