Vulnerabilities / Threats

4/25/2018
02:00 PM
Marc Wilczek
Commentary

Despite Risks, Nearly Half of IT Execs Don't Rethink Cybersecurity after an Attack

A recent survey reveals a troubling degree of security inertia lurking among scores of organizations. But there are a few bright spots.

A wise person once said, "Insanity is doing the same thing over and over again and expecting different results." However, in a recent survey done by CyberArk for its Global Advanced Threat Landscape Report 2018 (registration required), almost half (46%) of 1,300 IT executives in seven countries say they rarely change their security strategy — even after a cyberattack.

The survey findings suggest that a troubling degree of security inertia lurks within scores of organizations and effectively renders them unable to repel or contain cyber threats. Such complacency puts sensitive corporate data, IT infrastructure, and assets at risk. In fact, an overwhelming 46% of respondents say their organization can't stop the bad guys from infiltrating internal networks each time they try. More than a third (36%) say that their company's administrative credentials are stored on personal computers in Word or Excel documents. Further, half (50%) of the respondents admit that their customers' privacy or personally identifiable information could be at risk because their data is not secured beyond the legal minimums.

Flexibility Overrides Security
Whether organizations use cloud computing, build large-scale data silos, or connect thousands of IoT devices, going digital inevitably means facing a whole range of new cyber threats, and according to the study, most IT security pros say that protecting an IT environment starts with safeguarding privileged accounts. Nine out of 10 (89%) experts surveyed say IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are under digital lock and key. Regarding cybersecurity threats, respondents worry most about targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).

IT security respondents also say the proportion of users with local administrative privileges on their devices increased from 62% in 2016 to 87% in 2018 — a 25% jump. This seems to indicate that employee demands for flexibility are overriding best data-protection practices.

The automation that is part and parcel of the cloud and DevOps means privileged accounts, credentials, and secrets are being created at breakneck speed. If breached, these provide attackers with an ideal platform from which they can gain access to sensitive data across networks, data and applications, or to cloud infrastructure they can use for illicit cryptomining activities. More organizations are acknowledging this security risk but nevertheless adopt a lax approach to cloud security.

When it comes to the cloud, 49% of organizations surveyed have no privileged account security strategy. More than two-thirds (68%) shift the responsibility for cloud security to the vendor and the built-in security features of its cloud solution. Another 38% say their cloud provider doesn't provide adequate protection.

Reforming Security Culture
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage. Consequently, banishing cybersecurity inertia will involve making it key to organizational strategy and behavior. To that end, most respondents to the survey (86%) say security should be a routine board-level discussion item, which suggests that currently there is a potentially disastrous disconnect between cybersecurity and the C-suite.

Despite the survey's bleak outlook, some organizations are evolving their security strategies to meet the current challenges. About 44% of them, worldwide, recognize or reward staffers who help ward off an IT security breach — and the number is even higher (74%) in the United States. Another 8% of companies perform red-team exercises to reveal weak spots in their IT and develop effective responses. But much more work needs to be done. Rather than viewing security simply as a cost, digital business champions will recognize it as a key aspect of every project and activity, use it to differentiate themselves from their less-secure competitors — and leave them in the dust.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
Comments
REISEN1955,
User Rank: Ninja
4/30/2018 | 3:04:33 PM
Re: The Law of Lightning
I was in error - when in doubt - do as the CEO of Equifax did in testimony. Blame ONE, JUST ONE, IT tech for a disaster. The implications of the mind-boggling DUMB idea are beyond description.
Dr.T,
User Rank: Ninja
4/28/2018 | 8:25:27 PM
competitive
"Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage" Security can provide competitive advantage if properly implemented.
Dr.T,
User Rank: Ninja
4/28/2018 | 8:23:07 PM
Re: The Law of Lightning
"well, blame the IT department for that" That would be the strategy for upper management when they fail.
Dr.T,
User Rank: Ninja
4/28/2018 | 8:20:02 PM
Re: The Law of Lightning
"Never strikes twice in the same place, right?" Good point. That always depends on the place, if valuable and not protected, why not.
Dr.T,
User Rank: Ninja
4/28/2018 | 8:18:00 PM
Cost
"scores of organizations and effectively renders them unable to repel or contain cyber threats" This may be because the cost of the fix is greater than the cost of the penalty, I would say.
REISEN1955,
User Rank: Ninja
4/25/2018 | 2:17:54 PM
The Law of Lightning
Never strikes twice in the same place, right???? Not precisely but it does strike anyway. For IT staffers, executives et al to BELIEVE that once hit, twice good is insane. They are asking for more trouble and when they find it ..... well, blame the IT department for that. Bury the innocent with blame, exonerate the guilty with promotions and bend to shareholder value. Heaven forbid a soul-searching exam of the issue should take place? Incredibly dumb.