Tripwire, Inc., a leading global provider of advanced threat, security and compliance solutions, has announced the results of an extensive survey conducted by Atomik Research on the state of foundational security controls. The survey respondents included 404 IT professionals and 302 executives from retail, energy, and financial services organizations in the United States and U.K.
Featured Download: Social media access at work. Do your employees know the rules?
Respondents were asked about the level of confidence they have in their application of foundational security controls, including hardware and software inventory, vulnerability management, patch management and system hardening. These controls are required by the most widely recognized global security standards and organizations, including:
· The PCI Data Security Standard (PCI DSS)
· North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
· National Institute of Standards and Technology (NIST)
· The Sarbanes-Oxley Act (SOX)
· The Health Insurance Portability and Accountability Act (HIPAA)
· Control Objectives for Information and Related Technology (COBIT)
· International Organization for Standardization (ISO)
According to a report by the United States Computer Emergency Readiness Team (US-CERT), 96 percent of successful data breaches could be avoided if simple or intermediate security controls were put in place. Tripwire’s survey found that 77 percent of all respondents felt “confident” in their implementation of these basic security controls. However, despite the ongoing increase in targeted cyberattacks, 27 percent of IT professionals remain “not confident” in the secure configuration of common devices connected to their network.
Key survey findings included:
– Over 100 million records have been comprised in retail data breaches in the last 12 months as a result of malware on point-of-sale devices, but 77 percent of retail IT professionals are “confident” that all of the devices on their network are running only authorized software.
– Despite an ICS-CERT warning regarding an ongoing, sophisticated malware campaign targeting ICS systems, 89 percent of executives from the energy industry are “very confident” or “fairly confident” in their vulnerability management program.
– Only 10 percent of security professionals are “very confident” in their patch management program.
– Only 47 percent of IT professionals are “confident” in the secure configuration of routers, firewalls and modems connected to their network.
Comments:
“It’s not surprising that IT and security professionals have confidence in foundational security controls. The Controls are instrumental in defending against common cyberattacks and lay the foundation for effective defense against more sophisticated intrusions. But to be effective, they must be implemented consistently across the entire enterprise.”
Jane Holl Lute, president and CEO of the Council on CyberSecurity
“With the list of high-profile security breaches across all sectors of industry continuing to grow, 2014 is on target to be the worst year yet for data breaches. All indications show that the amount of data stolen is set to outstrip 2013, which itself was recognized across the security industry as being a very bad year. Against this backdrop of failure, it is inconceivable that over three quarters of IT professionals are confident that their existing security facilities will keep them safe. A fair proportion of these organizations already have suffered security problems this year, and given that the average time taken to detect a security breach continues to be measured in months, there is a good chance they just haven’t as yet identified the problem.”
Andrew Kellett, Principal Analyst, Security and Infrastructure Solutions, Ovum
“I don’t think it’s surprising that so many IT and security professionals are confident in their implementation of foundational security controls, even with the rapid increase in number of reported data breaches. The context that most IT teams operate within is that of general corporate objectives around regulatory compliance, making sure they are meeting industry standards, and trying to get stuff done while competing for organizational resources.”
Chris Conacher, Manager of Engineering, Tripwire
“This survey clearly shows the disconnect between the executive branch and the IT branch and the false sense of security within a typical organzation. This, in my opinion, false level of confidence may stem from several factors, including the false belief that if no breach has been discovered, ‘we must be secure.’”
Amar Singh, Chair ISACA UK SAG, Founder of the Cyber Management Alliance and Give01Day.com
A report detailing the survey’s results can be read in full here.
About Tripwire
Tripwire discovers every asset on an organization’s network and delivers high-fidelity visibility and deep intelligence about these endpoints. When combined with business-context, this valuable information enables immediate detection of breach activity and identifies other changes that can impact security risk.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.