Published on the 20/01/2016 | Written by Donovan Jackson

Just 45 percent of organisations confident in security posture; attackers launching ‘more sophisticated, bold and resilient campaigns’…

Be afraid, be very afraid, for we live in a terrifically insecure world, confirmed by the release of yet another report, this one Cisco’s 2016 Annual Security Research.

In a chat with iStart, head of security at Cisco New Zealand John-Paul Sikking said what has changed is that the outrage, damage to public personas and share prices which were once a big motivator in driving security posture has given way to a more sedate reality where most organisations accept that they have moved on from ‘we might get attacked’ to ‘we probably will get attacked or are in a constant state of compromise’.

“Breaches are seen as commonplace and don’t have the impact that they used to. It’s not that public an issue any longer; even those organisations that have massive losses of credit card data, we see the share price dip, come back and they’re operating as normal.”

The thinking, he said, has gone from ‘the sky is falling’, to making the organisation a ‘hard target’ where identification is prioritized, as well as making sure the tools to resolve a breach are available.

Topping the list of Cisco’s findings are:

• A decline in defender confidence – only 45 percent of organisations worldwide are confident in their security posture
• Aging infrastructure – 92 percent of internet devices are running known vulnerabilities
• SMEs as a potential weak link – from 2014 to 2015 the number of SMEs that used web security dropped more than 10 percent
• Online criminals are shifting server activity to social media platforms – the number of WordPress domains used by criminals grew 221 percent between February and October 2015
• The industry estimate for time to detection of a cybercrime is an unacceptable 100 to 200 days that less than half of companies around the world are confident in their security posture, Be that as it may, for most companies, information security and the risk and even occurrence of breaches is nothing more than business as usual.

Hardly surprising, too, as automation is something that attackers are putting to good use just like many other industries are.

Does the figure of 45 percent of companies feeling confident in their posture surprise him? Sikking said that as a ‘white hat’ hacker, he never failed to compromise any organisation while conducting penetration testing, agreeing that ‘full protection’ simply isn’t possible. “However, I’d like to see that proportion [of organisations confident in their security] at around 90 percent. That’s confidence in being able to deal with what we call advanced persistent threats; it’s more about detecting and doing something about it, than keeping everything out.”

A complete copy of the 2016 Cisco Annual Security Research report is available.