And all of this comes amid another growth year for overall vulnerabilities and threats, which have risen 14 percent year over year since 2012, according to Cisco's newly published 2014 Annual Security Report.
"Security talent is in short supply. The skill sets are very different, but, overall, broken down into security architect, incident response, and threat intelligence," says Levi Gundert, technical lead of the Cisco Threat Research, Analysis, and Communications (TRAC) group. "[Organizations] need to make careful business decisions about outsourcing some of these functions to trusted third parties or whether they invest in people internally."
While the talent pool scrambles to play catch-up, the bad guys are getting more sophisticated and savvy. "The sophistication of the technology and tactics used by online criminals -- and their nonstop attempts to breach networks and steal data -- have outpaced the ability of IT and security professionals to address these threats. Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections in a timely and effective manner," according to Cisco's report.
Buffer errors were the most common threat category of 2013, accounting for 21 percent of the Common Weakness Enumeration (CWE) threat categories, according to Cisco's data. Three verticals -- electronics manufacturing, agriculture, and mining -- are getting hit by malware at a rate of six times what other verticals see.
Java accounts for 91 percent of Web exploits, while 76 percent of companies using Cisco Web Security services run the outdated and no-longer-supported version 6 of Java, the report says.
Gundert says the large volume of Web malware infecting the pharmaceutical and chemical industries was eye-opening. It may be a function of nation-state cyberespionage. "In reality, nation-states make up some percentage of these attacks," he says. "Almost when you look at verticals you have to have a copy of The Economist in the other hand because geopolitical events drive some of what you see down the line ... nation-states have priorities for" their targets, he says.
And most companies are already compromised in some way with malware: Cisco found that 100 percent of the business networks whose DNS traffic it analyzed had traffic going out to malware-hosting websites, and 92 percent of businesses sent traffic to Web pages that don't have content, a sure sign of sites hosting malicious activity. And 96 percent had traffic to hijacked servers.
Meanwhile, Android devices were the focus of 99 percent of all mobile malware last year. The most popular variant was Andr/Qdplugin-A, which often spreads via repackaged copies of legitimate apps from unauthorized sources. More than 70 percent of Android users come across Web-borne malware.
Says John N. Stewart, senior vice president, chief security officer, for Cisco Threat Response Intelligence and Development: "Although the Cisco Annual Security Report paints a grim picture of the current state of cybersecurity, there is hope for restoring trust in people, institutions and technologies -- and that starts with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations, and their methods -- before, during, and after an attack."
The full report is available for download from Cisco.