
Cloakware Survey: Acceptable Security Controls A Rarity

Most companies rely on antiquated security procedures that don't account for widespread corporate layoffs or the realities of a more virtual workforce, according to a study of 12,500 U.S. infosec pros

Vienna, VA -- April 8, 2009 -- Amid tightening budgets and streamlined operations, most companies are still relying on antiquated security procedures that don't take into account the reality of widespread corporate layoffs or a more virtual workforce. According to a new survey of U.S. security industry professionals, 14 percent of former company employees still have access to proprietary data and organizational information, revealing critical deficiencies in corporate security policies.

Conducted among more than 12,500 U.S.-based security industry professionals by datacenter security experts at Cloakware, the study found that three-quarters of those surveyed work at companies of 1,000 people or more. A simple calculation based on respondents' replies shows that at least 1,312,500 employees still have access to company systems after they have left the organization.

As part of cost-saving measures, many of these companies are now allowing more employees to work remotely, yet are failing to update their security controls. In fact, 90 percent of responding companies employ virtual workers who do business beyond the four walls of the traditional office. Almost half of the respondents (41 percent) said they have increased their use of virtual workers over the past 12 months, creating more complex security issues that need to be addressed.

Still, many companies continue to use basic passwords and new-employee setup policies that make it easy to introduce vulnerabilities. Additionally, remote access is often managed by multiple internal groups within a company; 21 percent of responding companies admitted that they hadn't even changed employees' passwords after they were terminated.

"With companies facing dwindling margins, reducing overhead costs is driving a change in employee work arrangements, but it also reveals weak protection practices, a critical issue for long-term security," said David Canellos, president and chief operating officer of Cloakware. "Simply put, insufficient security and access management practices can be detrimental to a company's business, and companies are only beginning to realize the need for more stringent standards to govern access to their critical information and protect their crucial company assets."

All the responding security professionals said they allow some level of remote access privileges for employees, yet the survey found that the vast majority of companies aren't doing anything beyond rudimentary security to protect company assets.

The survey found:

  • A disconnect between departments as to which group "owns" access for employees: The administrator charged with cutting off access to critical company information varies from company to company. According to responding companies, IT departments are tasked with this responsibility two-thirds of the time, but many companies delegate it to human resources or direct managers, often revealing a disconnect that leaves companies vulnerable to attacks by malicious former employees.

  • Varied internal password management policies: While all respondents reported that their companies have mandated password change policies, vigilance toward frequent updates is often lax. More than three-quarters of respondents reported that changing passwords is mandated, either monthly (31 percent of those who make it a practice) or quarterly (69 percent). Yet only one-fifth of companies provide an automated password update function that forces employees to actually change it.

  • Simplistic security practices around setting up new-employee access: More than 80 percent of those surveyed reported that their companies have a standard format for new-employee access, i.e., all e-mail address and password setup is the same. This makes it extremely easy to take advantage of a new co-worker's access to critical company resources.

"The worldwide economic crisis, with its waves of employee downsizing in virtually every region and every industry, is raising intense enterprise concern about the impact of these events on information security," wrote Gartner, Inc. analysts Ant Allan, Jay Heiser and Roberta Witty in their report, "Best Practices in Information Security Before, During and After Employee Downsizing," published on Feb. 3, 2009. "The likelihood of these types of loss and damage increases during periods of economic difficulty and uncertainty, but their negative impacts can be reduced and mitigated if they are planned for explicitly."

The survey was conducted in March 2009 via e-mail among more than 12,500 security industry executives and practitioners in organizations with more than 1,000 employees across a wide range of vertical industries, including government, financial services, healthcare, retail and utilities.

For more information on best practices for managing access and privileged passwords, visit http://datacenter.cloakware.com/.

About Cloakware

Cloakware, an Irdeto company and part of the Naspers group, provides innovative, secure, proven software technology solutions that enable customers to protect business and digital assets in enterprise, consumer and government markets. Cloakware has two main product lines. Cloakware Datacenter Solutions help organizations meet governance, risk management and compliance (GRC) objectives for privileged password management while ensuring business continuity and the security of mission-critical data and IT infrastructure. Cloakware Consumer Product Solutions protect software and content on PCs, set-top boxes, mobile phones and media players. Protecting more than one billion deployed applications, Cloakware is the security cornerstone of many of the world's largest, most recognizable and technologically advanced companies. Headquartered in Vienna, VA and Ottawa, Canada, Cloakware has regional sales offices worldwide. www.cloakware.com
