Security Strategies: Companies Prone to Inertia, Even Post-Attack

Contrary to what some might expect, some organizations rarely change their security strategies even after a cyberattack. That’s the main finding of a recent survey of 1,300 IT security decision-makers.

The survey, conducted by Vanson Bourne on behalf of CyberArk, showed enterprises generally are acutely aware of the heightened risks they face from cyberattackers, but are doing little about it.

“The hesitancy to change security strategies, even after a cyberattack, can be attributed to multiple dynamics,” said Adam Bosnian, executive vice president at CyberArk. “But two of the primary drivers are an overall lack of urgency and a feeling of uncertainty in how to stop today’s threats.”

Forty-six percent of the respondents in the survey believed their organizations cannot stop an attacker from breaking into their network. Among the top concerns are targeted phishing attacks, insider threats and ransomware. Fifty-six percent cited phishing as their biggest concern, while 51 percent said insider threats and 48 percent said ransomware posed the biggest risk. Unsecured privileged accounts and unsecured data in the cloud were other major concerns.

Nearly 50 percent said customer data could be at risk because their organizations had not secured it beyond the legally mandated basics. One-third of the survey respondents said they lacked knowledge about their organization’s security policies and a startling 85 percent are worried about personally causing a cybersecurity incident.

In addition, an overwhelming majority clearly believes information security isn’t just an IT concern anymore, but an enterprise-wide risk-management issue—9 in 10 of the IT security decision-makers who were surveyed agreed that information security should be a topic for regular discussion at the board level.

Security Inertia Putting Many Enterprises at Risk

While the responses suggest a high level of awareness of cyber risks, many organizations appear to be hamstrung by inertia when it comes to doing something about it. About 46 percent of the respondents, or nearly half, said their organization rarely changes security strategies substantially, even after facing a cyberattack.

Sometimes, even common safeguards that many might assume are widely deployed are not. Fifty-two percent regularly update and patch their operating systems, 29 percent use an application whitelist and just one-third employ the practice of least privilege, CyberArk’s survey showed. For all the worry about credential theft and misuse, 36 percent said credentials to critical administrative accounts were stored in Word or Excel documents, on shared servers or USB drives, or on paper.

“Fighting cybersecurity inertia starts at the top and requires strong leadership [and] accountability,” Bosnian said. Organizations need to have a clearly defined and well-communicated security strategy that considers areas of greatest risk and how to prioritize the security of those assets.

“We’re seeing cases where organizations are investing their security budgets disproportionately toward perimeter defenses without having a clear plan for how to stop attackers once they get through this first layer of defense,” Bosnian noted.

A continuing gap in understanding about who is responsible for security in the cloud is another problem. Almost all the organizations in the CyberArk survey (94 percent) are using public cloud service providers to store and serve data. Half of the respondents said their organizations are storing business-critical and revenue-generating data in the cloud, and over 40 percent are storing regulated data there.

Even though the public cloud vendors are very clear that the enterprise is responsible for securing cloud workloads, few organizations appear to understand the full security impact of dynamic cloud environments and automated processes, Bosnian said.

“We encourage organizations to be proactive in first identifying their most valuable assets and understanding where they are most vulnerable for compromise in order to better mitigate risk,” he said, noting Red Team exercises and simulations of attacker techniques and behaviors can provide a powerful way for organizations to uncover vulnerabilities and to identify effective responses.

Somewhat disturbingly, enterprise preparedness to deal with security threats could take a further hit because of the problems many organizations encountered when deploying patches for the Meltdown and Spectre vulnerabilities.

A recent survey by Barkly found that 72 percent of organizations plan to slow down future patch rollouts to avoid complications like those they experienced with the Meltdown and Spectre patches. In many cases, these organizations have no alternative plan for securing vulnerable endpoints while the systems wait to be patched, leaving them exposed to threats in the interim.

“In our research we are seeing organizations re-evaluating automatic patching,” said Jack Danahy, Barkly’s CTO and co-founder. If Intel and Microsoft can do a better job of producing a stable fix, the organizational reticence around patching may be short-lived. “If not, we will probably see a disturbing rise in the number of unpatched systems, and it will be for all patches, not just this singular hardware-driven event.”

Jai Vijayan

Vijayan is an independent journalist and tech content creation specialist who has been covering the technology industry for more than 20 years. He writes for several publications mainly on data security and privacy. He was most recently a senior editor at Computerworld.
