68% of Organisations do not encrypt sensitive data
SecureLink – Europe’s largest independent cybersecurity and Managed Security Service provider, today warned that organisations are failing to implement the most basic security practices to keep their networks safe and data secure. From its assessments of 100 organisations 68% were discovered not encrypting sensitive data, despite the fact that access to this capability is now widely available. Given that one of the biggest concerns organisations have is the protection of intellectual property or regulated customer data, this is incredulous.
The data also showed that, while over 55% of organisations have URL filtering systems in place at a mature level, only 22% have protection against “zero day” malware. In addition, 51% have either limited or no capability to inspect SSL/TLS encrypted web traffic entering or leaving their network so are missing opportunities to reduce the likelihood of malware entering their networks via users’ web browsers. Another surprising find was that only 11% of organisations had deployed a fully mature SIEM based infrastructure monitoring system, while more than 55% have no capability in this area whatsoever. This means that events and notifications from the myriad sources on the network are either not being correlated with other events in any way, or are being completely discarded.
Whilst security maturity is a journey, and takes time, these results suggest some security leaders are taking too long and, as a result, missing opportunities to improve the chances of preventing breaches and infections.
It wasn’t all disparaging though as 85% of those assessed were found to maintain segmented networks – a long standing rule of network design best practice. Also, when it comes to securing wireless networks, more than 88% of organisations have mature models in place. This is something that has been critical in the support of BYOD, guest and mobile working.
Speaking about these findings, SecureLink’s Group CISO – Richard Jones said, “The threat landscape is changing at an unprecedented pace, and what was once considered ‘theoretically unlikely’ risks are today’s reality. Against this we’ve also seen an increase in disruption in the last twelve months than in the previous 10 years combined. High impact risks continue to increase in frequency, forcing all of us to become better at protecting our assets and devising creative solutions that will mitigate these risks.”
The data these results are based on has been collected from anonymised and randomised Security Maturity Assessments, conducted by SecureLink, which provides a structured and quantitative approach to the measurement of security maturity. The unique dataset that results from these assessments provides real insights into the strengths, weaknesses and challenges of a growing number of cyber security teams
It is analysed across two main datasets – the first focuses on people, process and technology: the three critical elements of a cybersecurity programme. The second focuses on prevention, detection and response actions. From these datasets, the strengths and challenges presented can be considered and appropriate paths to improved security maturity can be determined. It has published its findings in a whitepaper titled ‘SecureLink 2017 Security Maturity Insight Report’, available here: https://securelink.co.uk/sma/insight-report/
Richard concludes, “Employers, holders and processors of data need to become more agile, more aware of the challenges and more cognizant of the speed at which malware authors and hackers develop. There is an abundance of “low hanging fruit” for malicious actors, whether via social engineering of poorly-trained users, slipping attachments past perimeter gateways or simply not having to even bother to decrypt stolen data. These issues must be addressed quickly. And many big steps forward are simple to take. After all, paradoxically, what is easiest for a hacker to steal is often that which is easiest to protect. A well configured and monitored technology-context environment provides a good starting point to any security strategy, and is relatively easy to put in place”.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.