思科+网络安全就绪指数

Cisco

CybersecurityReadiness

IndexResilience

ina

Hybrid

WorldMarch2023ContentsExecutiveSummaryBenchmarking

ReadinessProtectingIdentity368ProtectingDevices10121416182021ProtectingNetworksProtectingApplication

WorkloadsProtectingDataIndustry

and

SizeMattersConclusionAbout

theResearchCiscoCybersecurityReadinessIndexResilienceinaHybridWorld2Executive

SummaryIn

apost

COVIDworld,therequirementsofcybersecurityhavechangedas

thelandscape

forbusinesses

hasbeenspunonits

head.Organizationshavemovedfromanoperatingmodel

thatwaslargelystatic

–wherepeople

operatedfromsingledevicesfromone

location,connectingtoastatic

network

–toahybridworldinwhichweincreasinglyoperatefrommultipledevicesinmultiplelocations,connecting

tomultiple

networks.While

thereis

broadconsensusthatthemovetohybridis

heretostay,its

long-termsuccess

hingesgreatlyonorganizations’ability

tosafeguardthemselvesagainst

newand

rapidly

evolvingthreats.Set

against

this,

wewanted

to

understand

how

readyorganizations

around

the

world

are

to

meet

these

modernsecurity

challenges.

To

do

this,

we

developed

the

CiscoCybersecurity

Readiness

Index.

It

categorizes

companiesinto

four

stages

ofreadiness:

from

Beginner,

to

Formative,Progressive,

and

finally

Mature,

based

on

their

preparednessacross

five

keypillars

and

the

state

ofdeployment

of19security

solutions

within

those.

More

details

on

the

scoringmethodology

can

be

found

in

the

following

section.Amere

15%

of

organizationsgloballyaredeemedto

have

amaturelevel

of

preparednessto

handlethesecurityrisksofourhybridworld.The

Global

Cybersecurity

Readiness

GapThe

resultsarestark:

accordingtotheindex,amere15%oforganizationsgloballyaredeemedtohaveamatureCiscoCybersecurityReadinessIndexResilienceinaHybridWorld3levelofpreparednesstohandlethesecurity

risks

ofourhybridworld.Mapping

Readiness

Around

the

WorldAs

youmightexpect,therearevariationsinprivatecompanycybersecurity

readinessacrossmarkets,but

notinthewaywemightordinarilyexpect.In

ourindex,privatesectorcompaniesinless

developednationsoutperformtheirpeers

inwealthiercountriesbyaconsiderablemargin,especiallyinAsia-Pacificand

theAmericas.This

is

despite

most

companies

being

awarethatthe

threatis

real.Fouroutoffive(82%)

security

leaders

wespoketogloballybelievecybersecurity

incidentsarelikelytodisrupttheirbusinesses

overthe

next12

to24

months.And

theconsequencesofnotbeingpreparedhaveneverbeengreater.Almost

60%ofrespondentssaid

theyhadexperiencedsome

kind

ofcybersecurity

incidentinthelast

12

months.The

incidentscost

71%

oforganizationsaffectedatleast

US$100,000,with

41%

sayingtheoverallcost

wasUS$500,000or

more.In

the

Americas,

Brazil

stands

outas

thecountry

wherecompaniesaremost

readytotackle

today’ssecuritychallenges,with

26%ofcompaniesconsideredinamaturestage

ofpreparedness.Meanwhile,companiesinCanada(9%

inMaturestage),theUSA(13%

inMaturestage)andMexico(12%

inMaturestage)demonstratelowlevelsofreadiness

comparedtothe

globalaverage.We

haveanalarming

cybersecurity

readiness

gap,and

it’sonly

goingtowidenifglobalbusiness

and

security

leadersdon’tpivotquickly.In

Asia-Pacific,organizationsinIndonesia

(39%

inMaturestage),thePhilippines,and

Thailand

(27%

eachinMaturestage)topthechart

bothregionallyand

globally.On

theotherhand,companiesinrichercountrieslikeJapan

(5%inMaturestage)and

South

Korea

(7%

inMaturestage)arelanguishingatthebottom.Almost60%ofrespondents

saidthey

hadexperiencedsomekindofcybersecurityincidentinthelast12

months.Markets

most

mature

in

their

overall

cybersecurity

readinessMature

stage39%Indonesia27%The

Philippines27%Thailand26%BrazilThis

variancecouldbe

largelyexplainedbythefact

thatcompaniesinemergingmarketsstarted

theirdigitizationjourneysmorerecentlycomparedtotheirpeers

indevelopedmarkets.Thatmeansmanyofthese

companiesdo

nothavelegacysystemsholdingthemback,making

itrelativelyeasiertodeployand

integratesecurity

solutionsacrosstheirentireIT

infrastructure.While

awarenessofsecurity

risks

and

theirimpacton

business

has

neverbeenhigher,thisfindinghighlightsthat‘techdebt’

continuestobe

amajordriverofthereadinessgap.This

trendis

notseenacrossEurope,though,wherecompaniesarelaggingtheglobalaverageon

readiness.CiscoCybersecurityReadinessIndexResilienceinaHybridWorld4In

almostallcountriesless

than10%

ofcompaniesaredeemedmatureenoughtotackle

today’scybersecurityissues.

The

UK

and

Germany

aretwo

exceptions,with17%

and

11%

companiesinamaturestateofreadinessrespectively.ratherthanlater.Giventheenvironmentthatbusinessesoperateinand

thecurrentreadinessgap,a12-month

waitis

fartoolong.As

these

companiesinvestintheircybersecurityreadiness,confidenceintheirability

tostayresilientwillimprove.Of

thecompaniesthatwererankedMature,53%said

theywere‘very

confident’

intheability

tostayresilientagainst

potentialcyberattacks

inthenext12

to24

months.On

theotherhand,only

30%ofcompaniesintheBeginnerstage

and

34%

intheFormativestage

said

thesame.ReadinessbySize

and

IndustryReadiness

varies

across

company

sizes

in

an

interestingway.The

data

shows

that

globally

mid-sized

firms

ofbetween

250and

1,000employees

are

best

prepared,with

over

19%

ofsuch

firms

at

a

mature

stage

ofoverallreadiness

compared

to

17%

oflarger

businesses

(1,000+employees).This

suggests

that

while

larger

organizationsmay

have

bigger

budgets,

they

typically

require

morecomplex

deployments,

which

can

take

longer

toimplement.But

as

theydeploybudgets,companiesdo

needtothinkabout

security

differently.Because

threatsareeverywhere,stand-alonesecurity

strategiesareno

longereffective;theyfocustoomuchon

threatprevention,createsiloesthatcan

be

exploited,and

don’taccountforthefullbusiness

impact.Smallerorganizationsarethe

least

well-preparedwithjust

10%

beingmatureintheirreadiness.While

thisis

notsurprising,it

is

anareaofconcern,as

smallcompaniesfallingbelowthis‘security

poverty

line’bring

wide-reachingexternalities–they’reincreasinglypart

ofsupplychainsoflargerorganizations,making

themanattractivetargetformaliciousactors.In

today’shyper-connectedworld,it

is

critical

toensurethereareno

weaklinksthatbad

actors

can

exploit.What

organizationsneed

is

security

resilience,wheresecurity

is

foundationaltobusiness

strategyand

iscollectivelyprioritizedthroughoutthe

organization,allowingcompaniestobetter

anticipatethreatsandbouncebackfasterwhenathreatbecomes

real.Mostorganizationsarealreadythinking

about

resilienceintheirfinancial,operational,organizational,and

supplychainfunctions.Security

resiliencecuts

across

allofthem.Resilienceis

about

verifying

threats,understandingconnections

across

the

organization,and

seeingthe

fullcontextofanysituationsoteamscan

prioritizeand

ensuretheirnextaction

is

the

best

one.Of

course,readinessis

alsodependenton

thetypeofindustry

inwhichourrespondentsworkin.Thoseinsectorswith

themost

tolose

tendtohavemorecompaniesintheMaturestateofreadiness,includinghealthcare(18%)

and

financialservices

(19%).

However,itis

retail,with

21%

oforganizationsintheMaturecategory,thatcomesouton

top.This

likelyreflectsthesubstantialnumberofcyberattacks

thisindustry

has

facedovertheyears,as

bad

actors

regularlytargetthepersonal

andfinancialdata

heldbythese

organizations.Forbusiness

leaders

tobuildsecureand

resilientorganizations,theymust

establish

abaselineofhow‘ready’theyareacrossthefivemajorsecurity

pillars.Thematurity

ofsecurity

infrastructure,particularly

inrelationtolocal

and

globalpeers,

willhelporganizationsidentifywhatareastheyarestronginand

wheretheycan

bestprioritizeresourcestoimprovetheirability

tobe

resilient.Our

hope

is

thatthisCybersecurity

ReadinessIndexwillact

as

awake-upcallforseniorbusiness

leaders.Closingthecybersecurity

readinessgapmust

become

aglobalimperative.We

cannotaffordtofallfurther

behindas

theshift

tohybridcontinuestoaccelerate.The

impactonbusinesses,

customersand

society

willonly

increaseamidanexplosionofhybridthreatvectorsand

anincreasinglycomplexthreatlandscape.While

some

progress

has

beenmade,notenoughfirms

arecybersecurity-readytotakeonthechallengesthatourhybridworldhas

created.Closing

the

Cybersecurity

Readiness

Gap–Our

Global

Security

Resilience

ImperativeWhile

thecybersecurity

readiness

gapmaybe

alarminglylarge,businesses

arenotstanding

still.Security

leaders

areawareoftherisks

and

arekeentoinvestintheircybersecurity

readiness:86%oforganizationshaveplans

toincreasetheircybersecuritybudgetbymorethan10%

overthenext12

months.It

iscrucialthatthese

budgetincreasesaredeliveredsoonerCiscoCybersecurityReadinessIndexResilienceinaHybridWorld5Benchmarking

ReadinessWhile

most

ofus

arebroadlyawareoftheincreasedsecurity

risks

broughtabout

bythemovetohybridworking,whatisn’twidelyunderstood

is

howreadyorganizationsaretoface

those

risks.We

askedrespondentswhethertheircompanieshadsolutionsinplace

tomeetthechallengesofeachpillar,andhowfaralongtheyweretowardsfulldeployment.The

data

wasthenorganizedand

categorizedintoastateofreadiness,whererespondentswererankedfromBeginner,toFormative,Progressive,and

finallyMaturebasedon

theweightedscoresofeachpillarreflectingtheirimportance:

network

(25%);

identity

(20%);

devices(20%);data

(20%);

and

applicationworkloads

(15%).Cisco’sCybersecurity

ReadinessIndexis

anewwayofassessing

howreadybusinesses

are.It

is

sourced

from

a

double-blind

survey

of6,700

privatesector

cybersecurity

leaders

in

27global

markets.

Theindex

is

based

on

five

pillars:

Identity,

Devices,

Network,Application

Workloads,

and

Data.

Fromwithin

those

pillars,weexamined

19

different

solutions

required

to

address

them.Afullerexplanationofthemethodologycan

be

foundattheendofthisreport.IdentityDevicesNetworkApplicationWorkloadsDataIn

the

hybrid

workThere

are

two

aspects

tothis.

First

are

the

devicesthat

employees

use

to

logon

to

a

company

network.These

can

be

both

officialand

personal.

Second

areother

devices

within

theinfrastructure

–

rangingfrom

security

camerasto

smart

printers,

whichare

all

connected

to

thenetwork.

Companies

needcapabilities

to

verify

thesedevices

and

protect

themfrom

being

accessed

bybad

actors.In

today’swayofworking,the

network

lies

at

theheart

ofacomprehensiveapproach

tosecurity

giventhat

people,

devices,

data,and

applications

all

moveacross

it.

Safeguarding

thenetwork

from

maliciousactors,

insider

threats,

andthird-party

risks

is

criticaltothe

viability

oftheAs

companies

movesomeor

all

oftheir

operationstothe

cloud,

they

arealso

experiencing

ashiftin

the

waythey

manageand

deploy

applications.Fromcontainerization

toserverless

architectures,and

microservices,protecting

applicationworkloads

is

crucial

intoday’sdigital

landscape.Attacks

against

theseplatforms

and

servicescan

lead

tosensitiveOften

described

asenvironment,

it

is

criticalfor

companies

tobe

abletoverify

the

identity

ofeveryone

who

tries

toaccess

network

resourcesand

information.

One

canargue

that

this

is

the

firstline

ofdefence

from

asecurity

perspective.‘newcurrency,’data

hasemerged

as

one

ofthemost

valuable

assets

forbusinesses.

It

is

critical

fororganizations

toprotectdata

from

unauthorizedaccess,

use,

disclosure,disruption,

modification,or

destruction.

With

theincreasing

amount

ofsensitive

informationbeing

stored

and

sharedelectronically,

robustsecurity

capabilities

andmeasures

are

foundationaltoachieving

thiscompany.data

breaches,

lossofproductivity,

andirreparable

damage

toanorganization’s

reputation.protection.CiscoCybersecurityReadinessIndexResilienceinaHybridWorld6Based

on

theoverallscore,organizationsarecategorizedintoone

offourstages

ofreadiness:•Beginner(Lessthan10):

Organizationsatthe

initialstages

ofdeploymentofsolutions.•Formative

(11

–44):

Organizationsthathavesomelevelofdeploymentbut

performing

belowaverageoncybersecurity

readiness.•Progressive(45

–75):

Organizationswith

considerablelevelofdeploymentand

performing

aboveaverageoncybersecurity

readiness.•Mature(76

and

higher):

Organizationsthathaveachievedadvancedstages

ofdeploymentand

aremostreadytoaddress

security

risks.Looking

at

the

overall

picture,

nearly

half

ofour

respondents(47%)

and

their

organizations

fall

into

the

Formativecategory,

where

they

have

taken

some

ofthe

much-neededsteps

toprotect

themselves

but

cannot

be

classified

asready

tomeet

the

challenges

ofour

new

hybrid

world.Progressives

form

the

next

largest

cohort

at

30%.Nearlyhalfof

ourOnly

15%

fall

into

the

Mature

category,

with

a

high

level

ofreadiness.

Less

than

one

in

ten

(8%)

are

in

the

Beginnercategory,

representing

the

first

step

on

the

readiness

ladder.respondents(47%)

andtheirorganizationsfall

into

theFormative

category,

wherethey

have

taken

someof

themuch-needed

steps

to

protectthemselvesbutcannotbeclassifiedasreadyto

meetthechallenges

of

ournewhybridworld.This

report

representsthefirst

study

ofits

kind

andprovidesacomprehensivecybersecurity

readinessassessment

forcompanies

across

27

marketsglobally.Overall

cybersecurity

readiness

of

organizations

globally15%Mature30%Progressive47%Formative8%BeginnerCiscoCybersecurityReadinessIndexResilienceinaHybridWorld7Protecting

IdentityTraditionally,cybersecurity

operations

focuson

creatingastrongperimetertokeepoutthreats.The

assumptionbeingthatanyonewhowas‘insidethewire’wasauthorizedtobe

there.However,inthehybridworkingmodel,data

can

be

spreadacross

limitless

services,devices,applications,and

users,

making

traditionalperimeterapproachesinadequate.movedtoremoteand

hybridworkarrangements,manyhavestarted

toadd

asecondlayerofverification.TheseareIntegratedIdentity

and

AccessManagement(IAM)solutions,suchas

MultifactorAuthentication,whereevenwhenauserenterstherightusernameand

passwordcombination,theyarethengivenasecondprompttoprovethattheyarewhotheysaytheyare.This

callsforanewsecurity

strategywhereno-oneandnothingis

trusted

untiltheiridentity

has

been

proactivelyverified.Our

researchunderlinesthechallenge:aquarter(24%)

ofallrespondentsrankedIdentity

Managementasthenumberonerisk

forcyberattacks.Giventhatidentity

managementis

rankedbyourrespondentsas

thenumberonerisk,

it

is

no

surprise

that95%haveimplementedsome

kind

ofidentity

managementsolution,with

IAM

provingmost

popular,with

two-thirdssayingtheyhavedeployedthese

solutions.Foryears,companieshavereliedonidentity

managementsolutionslikeData

Stores,whichareastorageofthingslikeidentity

ofaperson,theirusername,and

theirpassword.Aperson

uses

these

tologin,and

iftheymatch,theyaregrantedentry.However,as

companieshaveSome

companiesareadding

yetanotherlayerofsecuritytoidentity

management–Privileged

AccessManagement.This

is

where,evenafter

thefirst

two

layersofidentityverification,access

is

grantedbasedonpre-assignedprivileges,

suchas

the

user’srolewithin

thecompany,theCiscoCybersecurityReadinessIndexResilienceinaHybridWorld8devicetheyareusingtolog

in,and

thelocation

theyarelogginginfrom.The

good

newsis

thatforalltheidentitymanagementsolutions

–TraditionalData

Stores,IAM

andPrivileged

AccessManagement–ourrespondentsarewellprogressed

with

most

havingfullydeployedwhicheversolutiontheyhavedecidedtouse.However,it

is

ofconcernthatforthosethathavenotyetrolledoutidentity

solutions,morethantwo

thirds(69%)said

theyhaveno

intentiontodo

so.Forthosethatdointendtorolloutidentity

solutions,most

willtakefromonetoas

manyas

fiveyearstocompletetheirimplementation.Giventhatidentitymanagementisranked

by

ourrespondentsasthenumberonerisk,itisnosurprisethat95%

have

implementedsomekindof

identitymanagementsolution,withIntegrated

IdentityandAccessManagementprovingmostpopular.Overall,companiesneedtostepupfurther

tomeetthechallengeofidentity

verification.Despitetheclearthreatpresentedbyidentity

management,most

ofourrespondentsareattheFormative(38%)

or

Beginner(20%)stage.Only

20%fallintotheMaturecategory,with

afurther

22%intheProgressivesegment.Surprisingly

it

ismarketsthatarebiggerand

morematurethatlagwith

theNetherlands(31%),

France(35%)

and

Japan(50%)

showingthehighestpercentageofBeginners.Readiness

to

protect

identity20%Mature22%Progressive38%Formative20%BeginnerCiscoCybersecurityReadinessIndexResilienceinaHybridWorld9Protecting

DevicesLonggone

arethedayswhenemployeesaccessed

acorporatenetwork

fromasingledesktop

PC.The

needtoaccess

data

on

themoveand

inavariety

offormshascreatedanexplosioninthenumberofdevicesemployeesuse.The

pandemichas

alsoadded

tothelist

ofdeviceswealluseregularlywith

cameras

and

microphones,forexample,helpingmakevideo

conferencingabetterexperience.Forourrespondents,protectingdevicesranksthirdoutoffiveintheirlist

ofrisk

potential,behindidentitymanagementand

thenetwork

itself.It

alsoseemstobeless

challengingformost

with

it

ranking

thirdon

theirlistfordifficulty.Threequarters

(73%)

ofourrespondentshavechosentouse

enhancedanti-virussolutions

as

theirkeysolution

toprotectdevices.Building

protectionsintotheoperatingsystem,suchas

host

controls,is

anotherwayorganizationsareprotectingtheirdevices,with

65%sayingtheyhavedeployedthistype

ofsolution.Endpointprotectionplatforms

–firewalls,malware,and

processvisibility

etc.–rank

thirdinthesolutionscompanieshavedeployed.However,employeedevicesarenottheonly

thingsaccessing

networks

and

data.Everything

fromsoilmoisturedetectorstoplantmachinery,and

evendoorsecurity

systemsareconnectedtocorporatenetworks,providingimportant

and

insightful

data.Whateverthedevice,it

needstobe

protected.We

haveseensignificantdata

breachesinthepast

originatingfromunprotecteddevices.However,therearetwo

keytrendstotakenoteof.

Firstly,thescale

ofdeploymentis

partial.

This

is

why,

despiteahighnumberofrespondentssayingtheyhavetheseCiscoCybersecurityReadinessIndexResilienceinaHybridWorld10solutionsintheirposture,morethanhalf(56%)

ofthecompaniesareeitheratthevery

start

oftheirjourney,oronly

ashort

waydownthepath.The

secondis

thatamongthosewhodo

nothavethesesolutions

intheirposture,devicemanagementdoes

notseemtorank

highinthe

list

ofcybersecurity

priorities.

Twothirdsofthese

respondentssaid

theirorganizationhas

noplans

atalltodeployasolution.This

showsthatthereis

considerable

workformanytodotoensurethatdevicesdo

notbecome

thevulnerablepointintheircybersecurity

strategy.Japanis

languishingatthebottom

ofthereadinessleaguetable

with

56%ofits

companiesfallingintotheBeginnercategory.NewZealand(45%)

and

South

Korea(48%)

donotfaremuchbetter

and

companiesinallthreecountriesshouldtakenoteofthepotentialrisks

theyrun

iftheydonotacceleratetheirdevicesecurity

strategy.The

risks

areparticularly

acuteinJapanwith

80%ofcompaniesstillnotplanningtodo

soforatleast

12

monthsand

many(60%)arestilltosecurethebudgetforthese

programs.By

contrast,Indonesia

is

along

wayinfrontofthereadinessstakeswith

threeoutoffivecompanies(59%)fallingintotheMaturecategory.Brazil(45%)

and

SouthAfrica

(44%)

areothernotable

performers.Despite

ahigh

numberofrespondentssayingthey

havethesesolutionsin

theirposture,morethanhalf(56%)

of

thecompanies

are

eitherat

theverystart

of

theirjourney,oronlyashortway

downthepath.Readiness

to

protect

devices31%Mature13%Progressive28%Formative28%BeginnerCiscoCybersecurityReadinessIndexResilienceinaHybridWorld11Protecting

NetworksGlobally,cyberattacks

areon

therise.Fromtelecomstotechnologyorganizationsand

retailers,attacks

haveleftnetworks

vulnerabletoexploitation.The

result:billionsofdata

setshavebeenexposedacrosstheworld.Fortunately,

our

respondents

recognize

the

risk;

networkprotection

ranks

second

in

the

list

oftheir

top

five

priorities.Most

haveoptedtousefirewallswith

built-inIntrusionPreventionSystems(IPS).

More

thantwo-thirds(69%)

offirms

inoursurvey

said

theyhad

deployedthiscapability,with

network

segmentationpolicies

based

on

identityranking

numbertwo

(61%

said

theyhavedeployedthis),and

Network

BehaviorAnomaly

detectiontoolsclosebehindat60%.PacketCaptureand

SensorTools,though,comeadistant

fourth

at31%.Atthelast

count,therehad

beenmorethan4,000publiclydiscloseddata

breaches

inthefirst

threequarters

of20221alone–asignificantincreaseon

thepreviousyear.

Andthelikelihoodis

thatthisis

just

thetipoftheiceberg–withthousands

moredata

breachestaking

place

inless

well-knownorganizations.Today’s

hybrid

working

environment

calls

for

flexibility

not

only

inthe

number

and

type

ofdevices

that

employees

use,

but

also

inwhere

they

log

in

from,

and

where

the

data

they

need

to

accessis

stored

and

processed.

The

growth

ofcloud

strategies

–

abedrock

ofhybrid

working

–

means

that

employees

need

tobe

able

to

roam

across

multiple

networks

throughout

their

day,rendering

the

network

more

vulnerable

to

cyberattacks.However,theissue

is

thatthescale

ofdeploymentis

notkeepingpace.Of

thosecompaniesthathavefirewallswithbuilt-inIPS,only

56%havefullydeployed,and

only

64%ofcompanieshavefullydeployednetwork

segmentationpolicies.1.

/attacks/articles/the-biggest-data-breaches-and-leaks-of-2022CiscoCybersecurityReadinessIndexResilienceinaHybridWorld12Regardlessofwherecompaniessit

intheirdeployment,and

whichtechnologytheyuse,therearesome

very

realissues

highlightedbyourindexwhichshowsthatdespitecompaniesratingnetwork

protectionas

theirnumbertwopriority,most

(56%)

areeitherintheFormativeorBeginnercategory

and

just

19%

sit

intheMaturecategory

–themost

advancedstateofreadiness.The

problemis

most

acuteinJapanwhere82%ofbusinesses

fallintotheleast

preparedcategories.HongKongand

Italy

arenottoofarbehindwith

72%

intheFormativeor

Beginnerclassification.By

contrast,some

oftheless

developednationsinourresearcharemost

readytoprotecttheirnetwork.

Perhapsthisstemsfromtherecognitionthatfailingtoprotecttheirnetworks

presentsanexistentialthreat.Whateverthetrigger,though,Indonesia

topsthereadiness

rankingswith

seveninten(69%)

fallingintothetoptwo

categories.Thailand

is

secondbest

preparedwith

six

inten(60%)readytomeetthethreat.This

shouldbe

aclearsignaltoCISOs,CTOsand

evenCEOst