Vulnerabilities / Threats

4/25/2018
02:00 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Despite Risks, Nearly Half of IT Execs Don't Rethink Cybersecurity after an Attack

A recent survey reveals a troubling degree of security inertia lurking among scores of organizations. But there are a few bright spots.

A wise person once said, "Insanity is doing the same thing over and over again and expecting different results." However, in a recent survey done by CyberArk for its Global Advanced Threat Landscape Report 2018 (registration required), almost half (46%) of 1,300 IT executives in seven countries say they rarely change their security strategy — even after a cyberattack.

The survey findings suggest that atroubling degree of security inertia lurks within scores of organizations and effectively renders them unable to repel or contain cyber threats. Such complacency puts sensitive corporate data, IT infrastructure, and assets at risk. In fact, an overwhelming 46% of respondents say their organization can't stop the bad guys from infiltrating internal networks each time they try. More than a third (36%) say that their company's administrative credentials are stored on personal computers in Word or Excel documents. Further, half (50%) of the respondents admit that their customers' privacy or personally identifiable information could be at risk because their data is not secured beyond the legal minimums.

Flexibility Overrides Security
Whether organizations use cloud computing, build large-scale data silos, or connect thousands of IoT devices, going digital inevitably means facing a whole range of new cyber threats — with safeguarding privileged accounts being the starting point, according to the study. Most IT security pros say that protecting an IT environment starts with safeguarding privileged accounts. Nine out of 10 (89%) of experts surveyed say IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are under digital lock and key. Regarding cybersecurity threats, respondents worry most about targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).

IT security respondents also say the proportion of users with local administrative privileges on their devices increased from 62% in 2016 to 87% in 2018 — a 25% jump. This seems to indicate that employee demands for flexibility are overriding best data-protection practices.

The automation that is part and parcel of the cloud and DevOps mean privileged accounts, credentials, and secrets are being created at breakneck speed. If breached, these provide attackers with an ideal platform from which they can gain access to sensitive data across networks, data and applications, or cloud infrastructure they can use for illicit cryptomining activities. More organizations are acknowledging this security risk but nevertheless adopt a lax approach to cloud security.

When it comes to the cloud, 49% of organizations surveyed have no privileged account security strategy. More than two-thirds (68%) shift the responsibility for cloud security to the vendor and the built-in security features of its cloud solution. Another 38% say their cloud provider doesn't provide adequate protection.

Reforming Security Culture
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage. Consequently, banishing cybersecurity inertia will involve making it key to organizational strategy and behavior. To that end, most respondents to the survey (86%) say security should be a routine board-level discussion item, which suggests that currently there is a potentially disastrous disconnect between cybersecurity and the C-suite.

Despite the survey's bleak outlook, some organizations are evolving their security strategies to meet the current challenges. About 44% of them, worldwide, recognize or reward staffers who help ward off an IT security breach — and the number is even higher (74%) in the United States. Another 8% of companies perform red-team exercises to reveal weak spots in their IT and develop effective responses. But much more work needs to be done. Rather than viewing security simply as a cost, digital business champions will recognize it as a key aspect of every project and activity, use it to differentiate themselves from their less-secure competitors — and leave them in the dust.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/30/2018 | 3:04:33 PM
Re: The Law of Lightnling
i was in error - when in doubt - do as the CEO of Equifax did in testimony.  Blame ONE, JUST ONE, IT tech for a disaster.  The implications of the mind-boggling DUMB idea are beyond description. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:25:27 PM
competitive
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage Security can provide competitive advantage if properly implemented.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:23:07 PM
Re: The Law of Lightnling
well, blame the IT department for that That would be the strategy for upper management when they fail.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:20:02 PM
Re: The Law of Lightnling
Never strikes twice in the same place, right? Good point. That always depends om the place, if valuable and not protected, why not.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:18:00 PM
Cost
scores of organizations and effectively renders them unable to repel or contain cyber threats This may be because of the cost of the fif is greater than the cost of penalty I would say.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/25/2018 | 2:17:54 PM
The Law of Lightnling
Never strikes twice in the same place, right????   Not precisely but it does strike anyway.  For IT staffers, executives et al to BELIEVE that once hit, twice good is insane.  They are asking for more trouble and when they find it ..... well, blame the IT department for that.   Bury the innocent with blame, exonerate the guilty with promotions and bend to shareholder value.  Heaven forbid a soul-searching exam of the issue should take place?  Incredible dumb. 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
CVE-2018-18375
PUBLISHED: 2018-10-16
goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
CVE-2018-18376
PUBLISHED: 2018-10-16
goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.
CVE-2018-18377
PUBLISHED: 2018-10-16
goform/setReset on Orange AirBox Y858_FL_01.16_04 devices allows attackers to reset a router to factory settings, which can be used to login using the default admin:admin credentials.
CVE-2018-17534
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.