Cisco said in its 2015 Annual Security Report that users and IT teams have become unwitting parts of companies’ security problems, as online criminals rely on users to install malware or help exploit security gaps.
“Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industries at higher risk of web malware exposure,” the networking-equipment maker said in the report, adding that “malware creators are using web browser add-ons as a medium” for distribution.
Non-targeted attacks that users often encounter when browsing the Internet include adware, clickfraud, scam and “iframe injections,” it said. Targeted campaigns include “exploit, Trojan, OI (detection malware) and downloader.”
The pharmaceutical and chemical industry has edged out media and publishing to become the most vulnerable to such attacks this year, according to Cisco.
Other industries in the top five of this category include manufacturing, transportation and shipping, and aviation.
To calculate susceptibility to both kinds of attack, Cisco said it compared the median encounter rate for all organizations using its Cloud Web Security to the median encounter rate for all companies in a specific industry using the service.
Enterprises, for their part, must ask whether they “bypass users, assuming they cannot be trusted or taught, and install stricter security controls that impede how users do their job.
“Do they take the time to educate users on why security controls are in place, and clearly explain how users play a vital role in helping the organization achieve dynamic security that supports the business?” it said.
Cisco said evolution toward endpoint visibility, access and security (EVAS) controls, and away from network access controls, could “reduce the endpoint and attack surface—and harden the network after an attack.”
The newer system uses “more granular information to enforce access policies, such as data about user role, location, business process considerations and risk management,” the company said.
EVAS enables “a network-as-a-sensor approach to security enforcement, granting or halting access throughout the extended network,” Cisco said, whether from a remote device or within the network “across sensitive resource pools.”
Key to improving security is making it a topic at “the boardroom level,” it added.
Cisco offered this “security manifesto”:
