Cisco’s Cyber Security 2017 Report Reveals Big Dangers

Cisco recently released its 2017 Annual Cyber Security Report. In the wake of recent major exploits including ransomware in Petya and Nyetya flavors, it still makes for timely and occasionally scary reading. The “Major Findings” (page 5) offers some particularly sobering analysis. In particular, it says some important things about the cyber security landscape. Here’s what you need to know:

• Security software/tool hodgepodge: Cisco found that most companies have five or more security vendors, and an equal number of security products, in their environments. On the people side of this equation, Cisco found that 55 percent of security professionals use at least six security vendors, 45 percent use one to five vendors, and 65 percent use six or more vendors. This speaks to a serious Balkanization of the security product/vendor spaces, with all the work that goes into finding, selecting, learning and maintaining numerous solutions from an equally large population of vendors/suppliers.

• What’s holding security adoptions back? Cisco says the leading constraints on adopting “advanced security products and solutions” boils down to budget (35 percent of respondents), product compatibility (28 percent), certification (25 percent) and talent (25 percent). These are all serious problems, but most experts in and out of the security field are probably inclined to identify the skills/talent gap as the most serious in this group, despite landing in last place, numerically.
• Security alerts going uninvestigated: Survey respondents reported that they investigate just more than half – 56 percent — of security alerts received on any given day. Of the alerts that do get followed up, half (28 percent of the total) are found to represent real security threats or attacks. Of those “real issues,” less than half (46 percent) get re-mediated. Another shocking statistic: almost half of security operations managers see more than five thousand (5,000) security alerts every day.

• Cloud poses security risks: Respondents report that more than one-quarter (27 percent) of connected third-party cloud applications (e.g. DropBox, Google Drive, and so forth) introduced by employees into enterprise IT environments pose what Cisco labels as “high security risk[s].” Clearly, organizations are grappling with security consequences attendant to always-on, always-accessible access into the cloud through apps and applications.

• Adware everywhere? Cisco’s investigation into 130 organizations across a broad swath of vertical markets determined that three-quarters of them (75 percent) had been affected by adware infections. These kinds of infections can double down on security risks because they often facilitate or enable other malware to enter enterprise networks and systems and open the doors to further attacks.

• Spam is king in the email world: The report says that 13 of every 20 (65 percent) email messages is spam, with message-happy botnets accounting for much of the growth in global spam volume. Of all spam, between 8 and 10 percent is classifiable as malicious, with an increasing number of malicious email attachments using an ever-increasing range of file types exacerbating that situation.

• Waiting for the other shoe: Though organizations yet to experience a security breach may believe themselves safe, such confidence may be overly optimistic. Nearly half (49 percent) of security professionals report that their organizations have not yet faced public or regulatory scrutiny that follows in the wake of known security breaches.

Things are weird in the security space, and continue getting weirder. But where there’s room for concern and a need for diligent activity, there is also opportunity. Security remains a booming growth area for IT professionals, with all kinds of interesting and high-paying positions going begging for talented and knowledgeable people to fill them. If you’re inclined to put your thumb in the dike, I’d urge you to dash on into our companion story Best Information Security Certifications wherein we identify the top contenders for that designation, and numerous other also-ran credentials (nearly) equal of consideration and pursuit.