Cisco Systems, Inc. has delivered its annual security report, with the company finding that enterprises are less confident about their abilities to defend themselves from bad actors in the future.

The report notes that defender confidence in the enterprise is dropping, with only 45 percent of global organizations worldwide confident in their security relative to today’s threats, but conversely many executives said they expect greater transparency on security issues going forward. Cisco noted that “This points to security as a growing boardroom concern.”

In an interesting trend, the report reveals that attackers are increasingly using legitimate online resources to launch malicious campaigns, deploying age-old malware to take advantage of weak spots such as unpatched servers with aging infrastructure opening up greenfield attack surfaces, while uneven or inconsistent security practices remain a challenge.

The increased use of encryption is cited as providing a false sense of security to users and for companies as it potentially cloaks suspicious activity.

Automattic, Inc.’s WordPress content management system remains a favorite target by bad actors, with compromised installations growing 221 percent in 2015 and being used for a variety of malicious purposes including ransomware, bank fraud, and phishing attacks.

“Given this backdrop, the ability to recognize and respond to security threats in near real time is no less than a business imperative,” Cisco Vice President & Chief Security Officer John Stewart said in a blog post. “We simply cannot continue to create technical debt, leaving systems unpatched, critical services exposed, and application services open to attack. These are what we can control, and yet the data shows we aren’t succeeding.”

“This means fortifying the weakest links, such as older networking software, taking a proactive approach to patches and upgrades, and taking control of critical infrastructure,” Stewart continued. “It also means working toward a cohesive security landscape, where companies, industries, and governments communicate and collaborate to thwart cyber criminals, taking an integrated approached to threat defense that operates in near real time on our behalf. What are we waiting for?”

Defense

Stewart recommends that leaders across all types on enterprises much first acknowledge, then embrace and own security as their strategy and not simply leave it to their Chief Information Security Officer or IT department.

Vendors should also play a role in producing solutions that customers can trust and are shipped with security in mind.

A full copy of the report can be download for free from Cisco here.

Image credit: Cisco.