With the RSA Conference 2017 just a week away, cybersecurity surveys are showing up everywhere, including Cisco’s 10th study, 2017 Annual Cybersecurity Report. However, while the networking giant wants to paint a more positive picture, my big takeaway is that the bad guys are winning. There are a number of positive developments in the survey — with input from 3,000 CISOs and SecOps from 15 countries, as well as telemetry data — but the key findings are, if not surprising, at the very least cause for increased concern.
The key findings Cisco focused on were:
-over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20%; and,
-90% of these organizations are improving threat defense technologies and processes after attacks by separating IT and security functions (38%), increasing security awareness training for employees (38%), and implementing risk mitigation techniques (37%).
The Cisco findings that concerned me were:
-just 56% of security alerts are investigated and less than half of legitimate alerts remediated;
-more than 50% of organizations faced public scrutiny after a security breach; operations and finance systems were the most affected, followed by brand reputation and customer retention;
-for organizations that experienced an attack, the effect was substantial: 22% of breached organizations lost customers — 40% of them lost more than 20% of their customer base; 29% lost revenue, with 38% of that group losing more than 20% of revenue; and, 23% lost business opportunities, with 42% of them losing more than 20%.
Cisco is also touting (justifiably) that it has reduced the ‘time to detection’, the window of time between a compromise and the detection of a new threat, from a median of 14 hours in early 2016 to as low as six hours in the last half of the year. That’s good, but hardly good enough: while the industry average for TTD is 201 days (with a range of 20 to 569 days), in almost all breaches (93%), it took attackers minutes or less to compromise systems, and data exfiltration occurred within minutes in 28% of the cases.
These issues are not a new story, said Cisco’s Security Business Group Architect, Franc Artes. He told IT Trends & Analysis that there are ongoing issues around budgets, trained personnel and the complexity of security environments, “but at the end of the day it’s really a human issue. We’re leaving a lot on the cutting room floor.”
People are a big problem when it comes to CybSec. They cause most of the security vulnerabilities — 55% of all attacks were carried out by either malicious insiders or inadvertent actors, and over 95% of breaches caused by insiders were caused by human error — and there is a huge shortage of skilled cybersecurity workers in the U.S. (currently estimated at up to 300,000 or more) and abroad (1.5 million by 2020).
What’s really scary is that the situation is expected to get a lot more complicated, according to CybSec guru Jon Oltsik, who believes 2017 will be remembered as the year when cybersecurity analytics and operations encountered a wave of unprecedented scale. The Senior Principal Analyst and founder of Enterprise Strategy Group’s cybersecurity service recently noted that security scale, which has soared from thousands to millions of events per second (EPS) in the past few years, will hit an exponential curve driven by such things as cloud utilization, IoT, network growth, and digital transformation applications.
‘These and other parallel trends are driving massive growth in the amount of data we need to collect, process, analyze, and store for cybersecurity analysis and operations. Oh, and more data, analysis, and decision making also makes cybersecurity far more complex.’
As if people issues, skill shortages and increasing complexity — coupled with a rapidly evolving and expanding threatscape — aren’t enough, there’s also the problem that too many still don’t understand the scope of the challenge they are facing. Many organizations continue to maintain the same “good enough” security attitude of the past, said Oltsik. ‘These organizations have no one else to blame when they are inevitably breached but unfortunately, we the people must deal with the consequences of their irresponsible actions.’
According to another recent survey, global cybersecurity confidence fell six points over 2016 to earn an overall score of 70% — a ‘C-’ on the report card. I think that’s overly generous: you’re either secure, or you aren’t, and everything I’ve seen, including Cisco’s findings, appears to warrant an ‘F’!
DISCLAIMER: Cisco is in my investment portfolio.