Cisco recently surveyed more than 3,000 security leaders in 18 countries, asking them how they were implementing cyber security best practices to protect themselves. Cisco’s 2019 CISO Benchmark Report summarizes how companies are preparing for cyber threats, how they are architecting their solutions and vendor management programs, and how they’re preparing for (and responding to) breaches.

While Cisco only surveyed organizations with 250 or more employees, its report contains insights that are relevant to small businesses too.

The State of Cyber Security in 2019

Comparing this year’s results with those from last year, Cisco found:

  • A growing reluctance to fully embrace automation in cyber security technology
  • A decrease in the average cost to contain a breach
  • Increasing reliance on training, risk management, and cyber security technologies
  • Increasing confidence and investment in cloud technologies

Preparing for Cyber Threats – Knowledge, Resources, Collaboration

Cisco noted gaps in self-reported knowledge among security leaders. Twenty percent of respondents rated themselves as “less than very knowledgeable” about the cyber security landscape, exposing a need for more training.

Given that only half of respondents thought they were doing well at training employees in security best practices, companies – and especially small businesses – might be best served by hiring an IT consultant, or a consulting firm, to perform this training. 

The CISO Benchmark report examined how cyber security budgets were being set, finding that the most popular method (used by 47% of respondents) relied on building upon cyber security objectives. 46% also relied on the previous year’s budget, while 42% used the percent-of-revenue approach. 

The report found that working together pays off. Fifty-nine percent of respondents who reported high levels of collaboration between networking and security teams also reported the lowest breach costs – under $100K. 

Architecture – Too Many Vendors, Too Many Alerts

Respondents generally said they felt overwhelmed by the sheer number of cyber security alerts they received. They traced this (at least partially) to the number of vendors in their master file.

Seventy-nine percent of respondents find it at least somewhat challenging to manage alerts from all these vendors, which may explain why companies are trending toward fewer vendors and vendors who offer multipoint solutions. From 2018 to 2019, the number of respondents reporting more than 20 vendors dropped from 21% to 14%.

Even with fewer vendors, companies struggle to review and address their alerts. While the group reporting the lowest number of daily alerts (<10,000) is growing, the response rate to alerts is decreasing, from 55.6% in 2018 to 50.7% in 2019.

That is a problem, and so is the fact that the percentage of alerts that were actually legitimate was down as well, from 34% to 24.1%. Of those legitimate alerts, 42.8% were remediated, down from 50.5% last year.

While a thinner vendor master file means fewer alerts and more time to address those alerts, a more complete solution for alert management is needed for 2019 and beyond. 

Breaches: Causes, Costs, and Controls

Among CISOs, the top concern in defending their infrastructure in 2019 is user behavior. For three years straight, around 57% of CISOs have been concerned about users undermining cyber security controls by clicking malicious links on websites or in emails, and infecting their machines and networks with malware, spyware, ransomware, or worse. 

For the first time, this year’s report asked about the specific cyber-attacks seen by CISOs. Nearly half of the respondents (49%) reported seeing malware attacks, followed by malicious spam (42%) and phishing (38%). CISOs also reported seeing spyware attacks (36%), data breaches (33%), ransomware (27%), mobile malware (23%), improper file sharing (23%), stolen credentials (19%), and fileless malware (19%). 

The prevalence of malware and spam makes it clear that email remains a point of vulnerability for most companies. It’s worth noting that file sharing and the theft of credentials, both top-ten attack types, show that some threats are internal rather than external.

Criminals don’t necessarily need to break into your system if they can find another way to coax their way in instead. Companies need strong authentication controls and practices to keep the criminals out while letting their employees work efficiently.

What Types of Attacks Resulted in a Loss of Data?

Of the types of attacks respondents had seen, twenty percent said that malware had resulted in a loss of data, more than any other type of attack. This was followed by data breach (19%), spyware (14%), phishing (13%), ransomware (13%), and malicious spam (13%). 

How Much Does a Data Breach Cost?

Data breaches come with all sorts of impacts, both tangible and intangible. Between 2018 and 2019, the percentage of respondents fearing loss of customers from a breach grew from 26% to 33%. 32% also noted that they were concerned about the potential damage to their reputation. Damage to operations remained the top concern for 36% of CISOs.

In terms of monetary losses, 31% of respondents said that their biggest breach in the past year resulted in $100k in damages or less. 20% said that a breach had caused damages between $100k and $500k. Just 1% had witnessed a data breach in the past year with damages exceeding $10 million.

Protecting Against Breaches

Cisco asked IT security leaders about the resources they put into place to protect their enterprises. The largest group cited regular reviews of their security practices to ensure their accuracy, adequacy, and effectiveness. Nearly as many said they relied on well-managed technical security controls, and the integration of security into procedures for developing and maintaining systems and applications.

When asked about approaches they had implemented to address security risks, half of respondents cited up-to-date threat detection and blocking techniques, while 49% cited regular reviews of network connection activity or the routine and systematic investigation of security incidents.

Large percentages of CISOs also credited regular reviews of security practices (48%), effective integration of security technologies with the company’s goals and business capabilities (47%), effective integration of security technologies among each other (46%), and the collection and review of feedback on security practices (46%) as worthy cyber security control practices.

Finding the Balance

Security leaders walk a fine line. On the one hand, they must protect their organizations from internal and external threats. On the other, they must not get in the way of the business or impede their workers’ efficiency.

It can be hard to strike the perfect balance. The solution contains a healthy dose of preventative controls, like end-user training, but also some detective controls, like smart alerts and alert remediation tracking.

For any business, whether large or small, it can be difficult to get the resources needed to mitigate the risk of breaches. This is why IT consulting as an industry has emerged as a viable option for businesses looking to increase their data security.