Most Internet Devices Run Known Security Vulnerabilities

Regulators and investigators expect businesses to manage risk exposure in 2016, but executives are not sure they’re up to the challenge, according to the Cisco 2016 Annual Security Report, released Tuesday. Vulnerabilities from aging infrastructure, SMBs in the enterprise supply chain, and a disconnect between DNS experts and security teams are contributing to difficulties in adapting to the current threat landscape.

While 92 percent of executives surveyed said that regulators and investigators expect enterprises to manage cybersecurity risks, only 45 percent are confident in the effectiveness of their security posture. The report notes increasing transparency and board-level concern, which are likely to benefit enterprise security in the long run, but as of the report seem mostly to have increased anxiety. Some enterprise security cynics will say this anxiety is long overdue.

Inadequate infrastructure upkeep is a growing issue, as Cisco says that 92 percent of Internet devices are running known vulnerabilities, 31 percent are no longer supported or maintained by the vendor, and the number of organizations that consider their security infrastructure up-to-date declined by 10 percent from 2014 to 2015.

The report also found that attackers are using compromised servers, such as those used by content and social media platforms, to launch attacks. WordPress domains used by criminals increased 221 percent from February to October 2015. Ransomware attacks alone now generate $34 million in annual criminal proceeds. Breaches from malicious browser extensions have affected 85 percent of organizations, and over 90 percent of “known bad” malware uses DNS as a key capability, according to the report.

“Security is resiliency by design, privacy in mind, and trust transparently seen,” said John N. Stewart, senior vice president, chief security and trust officer, Cisco. “With IoT and digitization taking hold in every business, technology capability must be built, bought, and operated with each of these elements in mind. We cannot create more technical debt. Instead, we must meet the challenge head on today.”

The report is not all bad news. While the number of SMBs using web security dropped over 10 percent from 2014 to 2015, SMB security outsourcing leaped from 14 to 23 percent, providing more robust security for those who do implement it. The outsourcing trend also extends to all sizes of enterprises. Despite lengthy estimates for breach detection time, Cisco reduced its own detection time from 46 to 17.5 hours since its 2015 Cisco Midyear Security Report, the company says.