Midsize organizations are among the earliest adopters of new technologies. In general, they conduct much of their business over the Internet and are quick to embrace new apps, online payment systems, cloud, and Bring Your Own Device (BYOD) technologies. Fast adoption of innovations helps them to compete against larger organizations by meeting customer demands more cost effectively. But these business enablers are also creating security vulnerabilities that adversaries are exploiting for financial gain.
Adversaries aren't just targeting prized assets like customer and employee data, invoices, and intellectual property. Cybercriminals also recognize that smaller companies are a vector into the networks of larger corporations. A 2013 study conducted by PricewaterhouseCoopers on behalf of the UK Government Department for Business, Innovation and Skills found that 87 percent of small businesses had been compromised, up 10 percent from the previous year. Many small and midsize companies are now mandated by partners to improve their threat defense. Regardless of size, organizations have legal and fiduciary responsibilities to protect valuable data, intellectual property, and trade secrets.
The surge in attacks and mandates has elevated information security to a boardroom discussion for organizations of all sizes. Based on feedback from security professionals in nine countries, theCisco Security Capabilities Benchmark Studyincluded in the newCisco 2015 Annual Security Reportexposes telling gaps between perception and reality, but also finds that midsize companies' perceptions measure up well against their larger counterparts.
Ninety percent of companies are confident about their security policies, processes, and procedures, but more than half of security practitioners don't leverage critical tools available to thwart attacks like patching or configuration and 54 percent have had to manage public scrutiny following a security breach. In addition, 59 percent of Chief Information Security Officers (CISOs) view their security processes as optimized, compared to 46 percent of Security Operations Management managers (SecOps), revealing a clear disconnect the further removed leadership is from day-to-day security activities.
The study also finds that there are few perceived differences between midsized organizations (500-999 employees) and enterprises (1000+ employees) in terms of their readiness to respond to security incidents.
Attackers continually refine techniques to evade detection and hide malicious activity. New threat intelligence and trend analysis in theCisco 2015 Annual Security Reportshow that attackers are realizing that bigger and bolder is not always better. As the security industry has become more adept at closing vulnerabilities and dismantling widely used methods of attacks, cybercriminals are shifting their focus to take advantage of careless user behavior and more sophisticated spam (up 250 percent), phishing, and malvertising campaigns to launch persistent, targeted attacks.
Midsize companies are indeed proven pacesetters; Cisco's recent research supports that. Now the challenge comes to extend that innovation to the realm of practical security technologies and proven best practices in end-user education and security processes. Only by aligning people, processes, and technology can midsize companies, and organizations of all sizes for that matter, close security gaps and mitigate the latest threats.
To learn more about what recent threat intelligence and trend analysis reveals, as well as what your peers are doing, download the Cisco 2015 Annual Security Report now.