Only just over half of businesses are confident in their ability to verify and defend against a cyber attack, according to Cisco’s latest annual security report.
The lack of confidence is driven largely by the increasing agility, resilience and persistence of attackers, with businesses struggling to keep pace.
While executives may be uncertain about their security strength, 92% agree that regulators and investors will expect companies to manage cyber security risk exposure.
As a result, cyber security is expected to become a growing boardroom concern and business leaders are stepping up measures to secure their organisations, particularly as they digitise their operations.
The report highlights the challenges businesses face due to the rapid advancements of attackers, who increasingly tap into legitimate resources to launch effective cyber attack campaigns for profit.
According to the report, direct attacks using ransomware alone garnered $34m a year per campaign as cyber criminals continue to operate unconstrained by regulatory barriers.
Businesses are up against security challenges that inhibit their ability to detect, mitigate and recover from common and professional cyber attacks, the report said.
Researchers found that ageing infrastructure and outdated organisational structure and practices are among the key factors that are putting organisations at risk of cyber attack.
Between 2014 and 2015, the number of organisations that said their security infrastructure was up to date dropped by 10%.
The study also found that 92% of internet devices are running with known vulnerabilities, while 31% of devices analysed were no longer supported or maintained by the supplier.
Researchers identified small to medium enterprises (SMEs) that are suppliers as a growing cyber security risk to their customers.
As more enterprises examine their supply chain and small business partnerships, the report notes that they are finding that SMEs use fewer threat defence tools and processes.
For example, from 2014 to 2015, the number of SMEs that used web security dropped by more than 10%, indicating a potential risk to enterprises due to structural weaknesses.
A similar risk is created by the trend towards outsourcing security services to address skill shortages and reduce costs.
While often viewed by security teams as a low-level threat, malicious browser extensions were found to have been a potential source of major data leaks, affecting more than 85% of the organisations surveyed.
Adware, malvertising, and even common websites or obituary columns have led to breaches for those who do not regularly update their software, the report said.
The study sounds a global call-to-arms for greater collaboration and investment in the processes, technologies and people to protect against industrialised adversaries.
“Security is resiliency by design, privacy in mind, and trust transparently seen,” said John Stewart, senior vice-president, chief security and trust officer at Cisco.
“With IoT [internet of things] and digitisation taking hold in every business, technology capability must be built, bought and operated with each of these elements in mind. We cannot create more technical debt. Instead, we must meet the challenge head-on today.”