A new report from Cisco Systems Inc., the global information technology company reveals that very few organizations in North America, Latin America, The Middle East and Asia Pacific are prepared to deal with the evolving cyberthreats of the 21st century.
Did you know that more than 2,800 publicly disclosed data breaches happened in 2023 involving over 8.2 billion records stolen, that 43% of organizations responding to a cybersecurity survey reported breaches in 2023 and that the average cost per organization amounted to US $300,000 with 12% exceeding $1 million?
In a newswire release on March 27, 2024, covering Canada, the report notes that a mere 1% of organizations in Canada have reached a “Mature” level of readiness against modern cybersecurity risks. That is less than the Cybersecurity Readiness Index average of 3% which is woefully low.
We live in an era defined by hyperconnectivity with companies around the world being targeted by cybercriminals. Techniques range from phishing and ransomware to supply chain and social engineering attacks. While building defences against these attacks, organizations are struggling to defend themselves, slowed down by their own overly complex security postures dominated by multiple-point solutions. Distributed working environments spread across multiple locations, devices, applications and users compound the threat. Adding to the security threat are advancements in artificial intelligence (AI) like Generative AI that is empowering malicious actors to deploy increasingly sophisticated attacks.
Despite all of the above 80% of organizations, 78% in Canada state they are moderately very confident in their ability to defend against a cyberattack with their current infrastructure. The report sees that companies may have misplaced confidence in their ability to navigate the threat landscape. Stated Jeetu Patel, Executive Vice President and General Manager of Security and Collaboration at Cisco, “We cannot underestimate the threat posed by our overconfidence. Today’s organizations need to prioritize investments in integrated platforms and lean into AI to operate at machine scale and finally tip the scales in the favour of defenders.”
The overconfidence expressed may have something to do with the fact that 91% of organizations surveyed indicated increasing cybersecurity budgets and expect this to continue into the foreseeable future.
Companies that showed the highest level of readiness which Cisco calls mature had more than 1,000 employees. Organizations with between 250 and 1,000 were not far behind.
What the 2024 Index Shows
The Index was compiled from a double-blind survey of 8,136 private sector security and business leaders across 30 global markets. It assesses cybersecurity preparedness in five areas with scoring weighted by percentages seen in brackets:
- Identity Intelligence (25%),
- Network Resilience (25%),
- Machine Trustworthiness (20%),
- Cloud Reinforcement (15%),
- AI Fortification (15%).
A score of 70% or higher was rated mature, 41 to 69% was described as progressive meaning the organization was deploying cybersecurity solutions and performing above average, 11 to 40% was designated formative with some level of cybersecurity readiness, and 10% or less was defined as beginners.
At Cisco Canada, Robert Barton, Chief Technology Officer, noted “The threats we face today will not be the same ones we face tomorrow so Canadian businesses need to evolve to keep up. The material, financial and reputational consequences can have a serious impact on organizations so cybersecurity readiness must be a business priority, not just a technological one.” The Canadian findings are disturbing with 78% of organizations defined as beginners or in the formative stages of developing cybersecurity readiness.
Other key global findings:
- 63% of organizations said they expected a cybersecurity incident to disrupt them in the next 12 to 24 months.
- 72% admitted that multiple-point networking solutions were making it more difficult to detect, respond and recover from cybersecurity incidents with 62% stating they had deployed ten or more point solutions in security stacks, and 17% indicating they had deployed 30 or more.
- 78% said employees were accessing company platforms from unmanaged devices with 33% spending 20% of their work time logged in from these devices.
- 20% reported that employees hopped between at least six networks within a work week.
Cybersecurity Investments Increasing
Organizations are aware of cybersecurity challenges with the survey reporting that 40% have plans to upgrade IT infrastructure in the next 12 to 24 months, a marked increase from 25% a year ago. Organizations plan to upgrade existing solutions with 50% stating an intention to invest in AI-based technology.
Companies are invested with 96% expecting to increase their cybersecurity budget this year, and 78% increasing the amount by 10% or more. These investments include the adoption of innovative security measures and a security platform approach, a strengthening of network resilience, the use of generative AI, and ramping up recruitment to bridge the cybersecurity skills gap.
Organizations see external actors (62%) as a bigger threat than internal ones (31%). This too is a marked shift from 2023 when the two were seen as almost equal. One of the key drivers of this turnaround could be the fact that cybersecurity threats from external actors are becoming increasingly sophisticated.
The graphic appearing at the top of this article shows the weighting of cybersecurity attacks organizations are experiencing with malware and phishing the highest. Because the way we work has changed as a result of the COVID-19 pandemic and its fallout, hybrid work presents new threat opportunities with 82% of organizations citing remote logins as a heightened threat with main concerns coming from employees doing remote work using unsecured Wi-Fi networks and unmanaged devices. Credential theft is seen by 36% of organizations as their top cybersecurity challenge with 99% of them implementing identity management solutions including identity behaviour analytics.
Deployment of AI is seen both as a potential external threat, but also as a way to make identity management systems more robust. That’s why 90% of organizations reported they were at least partially using AI to verify identity.
Threat mitigation, however, does not end with identity verification. The explosion in the number of connected devices is increasing almost exponentially. It is not just users’ laptops, tablets, and smartphones that are getting connected, but smart devices that are coming online.
The report notes that billions of new Internet-of-Thing devices are connecting with billions more to come which will generate data running into zettabytes. Everything from soil moisture detectors, connected microscopes, plant machinery, and even door security systems will be connected online adding to potential cybersecurity threats.
A final challenge that nine in ten organizations reported is the critical shortage of cybersecurity expertise. Nearly half reported having 10 or more cybersecurity positions unfilled. Can AI fill the personnel gap? Most organizations are skeptical and are looking for human expertise anywhere it can be found.
What the Report Recommends
- Increase investments in cybersecurity across the board by adopting a platform approach and ensuring solutions are leveraged to their maximum ability.
- Assess and close vulnerability gaps created by unmanaged devices and unsecured Wi-Fi networks.
- Track developments in Generative AI and use the technology to enhance security programs and operational resilience.
- Ramp up recruitment and upskill in-house talent to fill unfilled positions. Where possible, leverage AI to augment and automate tasks while leaning on external cybersecurity expertise to help in the interim.
- Establish a company baseline of security readiness in these five major security categories: Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and AI Fortification.