The Internet of Things continues to offer new opportunities for cybercriminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact. Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the Internet itself.
As part of its Security Capabilities Benchmark Study, Cisco surveyed close to 3,000 security leaders across 13 countries and found that across industries, security teams are increasingly overwhelmed by the volume of attacks.
Unique Industries Face Common Challenges
As criminals continue to increase the sophistication and intensity of attacks, businesses across industries are challenged to keep up with even foundational cybersecurity requirements. As Information Technology and Operational Technology converge in the Internet of Things, organisations struggle with visibility and complexity. This leads many to become more reactive in their protection efforts.
- No more than two-thirds of organisations are investigating security alerts. In certain industries(such as healthcare and transportation), this number is closer to 50 percent.
- Even in the most responsive industries (such as finance and healthcare), businesses are mitigating less than 50 percent of attacks they know are legitimate.
- Breaches are a wake-up call. Across most industries, breaches drove at least modest security improvements in at least 90 percent of organisations. Some industries (such as transportation)are less responsive, falling just above 80 percent.
Important findings per industry include:
- Public Sector–Of threats investigated, 32 percent are identified as legitimate threats, but only 47 percent of those legitimate threats are eventually remediated.
- Retail–Thirty-two percent said they’d lost revenue due to attacks in the past year with about one-fourth losing customers or business opportunities.
- Manufacturing–Forty percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardised information security policy practices such as ISO 27001 or NIST 800-53.
- Utilities–Security professionals said targeted attacks (42 percent) and advanced persistent threats, or APTs (40 percent), were the most critical security risks to their organisations.
- Healthcare–Thirty-seven percent of the healthcare organisations said that targeted attacks are high-security risks to their organisations.