Cisco released its 2017 Annual Cybersecurity Report (ACR) on Jan. 31 providing insights into the latest trends from security statistics gathered over the course of 2016. Among the key findings in the 110-page report is that data breaches are having a financial impact on the bottom line of victimized organizations.
"There is no shortage of opportunities for hackers to go after enterprises and services providers," John Stewart, Senior Vice President and Chief Security and Trust Officer at Cisco, told eWEEK.
Stewart explained that the 2017 ACR is based on Cisco's own threat data as well as 3,000 interviews with IT executives. Among the high level findings in the report is an understanding of how impactful data breaches are on business activities.
"Almost a quarter (23 percent) of businesses said they lost business opportunities because of a hack or a breach," Stewart commented. "Almost a third (29 percent) said that they lost revenue as the result of a security incident."
Additionally, the survey found that 22 percent of respondents indicated that their organizations lost customers after a data security incident. Other security reports have also noted a correlation between data breach incidents and financial loses. The 2016 IBM and Ponemon Cost of a Data Breach report estimated the average cost of a data breach to be $4 million.
Looking at specific forms of attacks, the Cisco report found that email spam volumes grew significantly in 2016, with 65 percent of all email being reported as spam. Only 8 percent of all spam however was considered to be malicious by Cisco.
Attackers are also increasingly taking aim at server-based vulnerabilities rather than client end points. Cisco reported a 34 percent year-over-year increase in server related vulnerabilities while client-side vulnerabilities actually declined by 8 percent.
"With the proliferation of the cloud and cloud applications, we see a big focus on servers, not just Software-as-a-Service, but the operating systems that power the cloud too," Franc Artes, Security Business Group Architect at Cisco, told eWEEK.
The open-source MongoDB database, which was recently attacked with a ransomware campaign, is one such server side application that has been a target of hackers in recent months. Middleware application servers are also increasingly being found vulnerable. Oracle for example patched 270 vulnerabilities in its January Critical Patch Update. Stewart emphasized that Cisco is not calling out any one specific vendor as being a leading cause of server related vulnerabilities.
Among the key metrics that Cisco tracks is the Time To Detection (TTD) across its' own products. TTD is an attempt to quantify how long it takes to discover a new security issue that could impact a product or service. In October 2016, Artes said that Cisco's TTD was 6.05 hours. More interestingly, though, Cisco's 2017 report introduces a new metric called Time To Evolve (TTE), which is an attempt to measure how quickly attackers evolve tactics and malware to evade defender detection. The report found that different forms of malware had various TTE numbers ranging from 20 hours for the Krytpik Remote Access Trojan to several days for other forms of malware.
One of the surprising findings in the report is that among the surveyed organizations, 54 percent of security alerts were not remediated. Artes noted that there are a number of obstacles preventing organizations from advancing their security with 35 percent of respondents identifying budget as a key concern and 25 percent noting that a lack of trained personnel is a problem.
While breaches tend to be thought of only in a negative context, 38 percent of Cisco's survey respondents indicated that a breach was the driver for implementing improvements in security policies and technologies.
Overall, Stewart found several reasons in the report to be optimistic about the future of IT security. For one, he's encouraged that there is now an understanding of the business impact of security incidents, which in turn helps to drive improvements in an organization.
Looking forward, Stewart is also hopeful that in 2017 the state of security for organizations could improve.
"The thing that I think we will see change is that more customers will talk about security in business terms and will be measuring efficacy rather than just how much they spend," Stewart said. "Candidly, asking how much money is spent on IT security is the wrong question."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.