Less than half of polled respondents confident in their company’s IT security: Cisco

Less than half (45%) of organizations worldwide are confident in their security posture, as today’s cyber attackers launch more sophisticated, bold and resilient campaigns, according to global IT company Cisco.

The Cisco 2016 Annual Security Report, released on Tuesday, examined threat intelligence, cybersecurity trends, industry insights and responses from Cisco’s 2015 Security Capabilities Benchmark Study, which included 2,432 respondent profiles (15% in banking and insurance).

While executives may be uncertain about their security strength, almost all (92%) of them agree that regulators and investors will expect companies to manage cybersecurity risk exposure.

However, less than half of businesses surveyed were confident in their ability to determine the scope of a network compromise and to remediate damage. “But, an overwhelming majority of finance and line-of-business executives agreed that regulators and investors expect companies to provide greater transparency on future cybersecurity risk,” Cisco said in a release. “This points to security as a growing boardroom concern.”

Businesses are up against security challenges that inhibit their ability to detect, mitigate and recover from common and professional cyberattacks, the report found, adding that aging infrastructure and outdated organizational structure and practices are putting them at risk. Consider that between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10%. The survey also discovered that 92% of 115,000 surveyed Cisco devices on the Internet were running software with known vulnerabilities, with 31% of all devices analyzed no longer supported or maintained by the vendor. In insurance, the average software age was more than five years old.

Not surprisingly, small and midsize businesses (SMBs) use fewer defences that larger enterprises. For example, 48% of SMBs said in 2015 that they used web security, compared to 59% in 2014. And 29% said they used patching and configuration tools last year, compared with 39% in 2014. “Such weaknesses can place SMBs’ enterprise customers at risk, since attackers may more easily breach SMB networks,” the report said.

Other survey findings include:

• Online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks, leveraging social media platforms for nefarious purposes. For example, the number of WordPress domains used by criminals grew 221% between February and October 2015;

• While often viewed by security teams as a low-level threat, malicious browser extensions have been a potential source of major data leaks, affecting more than 85% of organizations. Adware, malvertising and even common websites or obituary columns have led to breaches for those who do not regularly update their software;

• Nearly 92% of “known bad” malware was found to use DNS as a key capability; and

• The industry estimate for time to detection of a cybercrime is an “unacceptable” 100 to 200 days.