Beware the gap between security readiness and confidence levels, Cisco warns

Security readiness among enterprises has dropped in the past year, while the confidence level of many organizations is up – a trend that doesn’t portend a good outcome.

This disparity between confidence levels and security readiness suggests that companies may be overestimating their ability to navigate the threat landscape and may not be properly assessing the challenges they face, Cisco reports in its newly released Cybersecurity Readiness Index.

The second annual report – which is based on a survey of 8,000 business and cybersecurity leaders in 30 global markets – shows only 3% of global organizations have a “mature” level of readiness needed to be resilient against modern cybersecurity risks, compared to a readiness level of 15% just a year ago, according to Wendy Nather, Cisco director of strategic engagements.

The Cybersecurity Readiness Index measures security levels as beginner, formative, progressive and mature, and it tracks stages of security implementations including identity intelligence, machine trustworthiness, network resilience, cloud reinforcement, and AI fortification. Nearly 71% of the companies in the survey fall in the beginner and formative levels of security preparedness.

“It’s unclear if that’s an organizational misunderstanding of the level of today’s threats, or they think an attack won’t be that bad. However, the flip side of this story is that 75% of the surveyed companies believe that a cybersecurity incident will disrupt their business in the next 12 to 24 months, and 91% have increased their cybersecurity budgets over the past one to two years,” Nather said. That, too, is a marked increase from 2023, when just 33% of respondents planned to increase their budgets.

To make matters more complicated for organizations, most data that moves across networks is now encrypted. This is making it even more difficult for companies to spot malicious packets of data that may have been injected to attack the network, according to Cisco.

“Today’s network environment is a very different state of affairs from when enterprises had maybe two things that they had to deal with – their on-premises network, which their own people ran, and then they had the internet connection. And that was it,” Nather said. “Now, with the sprawl of everything from services to applications, there’s less and less of the network that any given enterprise controls. That really impacts network resilience and other challenges.”

Companies need to build network resilience through technologies that create segmentation: microsegmentation, network sandboxes, firewalls, and network behavior anomaly detection tools that can detect irregularities from all network directions, Cisco stated. In addition, encrypted traffic analytics can help enterprises identify malicious packets of data in encrypted data traffic without having to decrypt it, so they can keep both the data and their network secure, Cisco stated.

Companies across the globe are recognizing this challenge, according to Cisco. Network protection ranks second among the top-four enterprise cybersecurity challenges. Identity intelligence, cloud reinforcement, and machine trustworthiness are other top concerns, according to the Index. “Identity protection as a major challenge, with 36% of respondents ranking it as their organization’s top cybersecurity challenge, up from 24% in 2023,” Cisco stated. “We should no longer be asking ‘can’ the user have access, but ‘should’ the user have access.”

Some other important network security trends outlined in Cisco’s Cybersecurity Readiness Index include:

• Deployments not keeping pace. Nearly three-quarters (74%) of companies are using firewalls with built-in intrusion prevention systems (IPS), but scale remains an issue. According to the index: “Of those companies that have firewalls with built-in IPS, only 55% have fully deployed them, while 26% had only done a partial deployment at the time of the survey, and another 9% had just started the deployment. It is a similar story for network behavior anomaly detection tools. Of those who deployed these tools, only 48% reported full deployment, while 38% are at a partial stage, and 12% have just started.”
• Microsegmentation deployments lagging, too. Deployments numbers are even lower for microsegmentation and encrypted traffic analytics (ETA). According to the index: “Among those who implemented micro-segmentation, 45% partially deployed, while for those who have ETA capabilities, 39% have deployed those partially and 11% have just started. Perhaps unsurprisingly as a result, only 7% of companies are in the Mature category, and 30% are in the Progressive stage of readiness in this pillar. This clearly shows that more work needs to be done as 63% of companies fall in the Formative or Beginner categories.”

• SASE uptake is slow. “As business models move from static to dynamic, organizations must look at increasingly novel approaches such as Secure Access Service Edge (SASE) to be adequately prepared to tackle the risks these shifts present,” the index stated. “While SASE is a critical solution that allows organizations to provide secure and reliable access to cloud-based applications, only 22% of organizations have deployed it. Among the companies that are still deploying SASE, only 38% said they are planning to roll out within the next 12 months.”
• Tool overload remains a risk. The traditional approach of adopting multiple cybersecurity point solutions has not delivered effective results, as 80% of respondents admitted that having multiple point solutions slowed down their team’s ability to detect, respond and recover from incidents. This raises significant concerns, as 67% of organizations said they have deployed 10 or more point solutions in their security stacks, while 25% said they have 30 or more.
• Unsecure and unmanaged devices add complexity. According to the index: “85% of organizations say their employees access company platforms from unmanaged devices, and 43% of those employees report spending 20% of their time logged onto company networks from such devices.” Additionally, 29% reported that their employees hop between at least six networks over a week.
• Cyberattacks on the rise. “When it comes to cyberattacks, there were more than 2,800 publicly disclosed data breaches in 2023 alone – involving over 8.2 billion records stolen. And the likelihood is that this is just the tip of the iceberg – with thousands more data breaches taking place in less well-known organizations.”