Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/25/2018
02:00 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Despite Risks, Nearly Half of IT Execs Don't Rethink Cybersecurity after an Attack

A recent survey reveals a troubling degree of security inertia lurking among scores of organizations. But there are a few bright spots.

A wise person once said, "Insanity is doing the same thing over and over again and expecting different results." However, in a recent survey done by CyberArk for its Global Advanced Threat Landscape Report 2018 (registration required), almost half (46%) of 1,300 IT executives in seven countries say they rarely change their security strategy — even after a cyberattack.

The survey findings suggest that atroubling degree of security inertia lurks within scores of organizations and effectively renders them unable to repel or contain cyber threats. Such complacency puts sensitive corporate data, IT infrastructure, and assets at risk. In fact, an overwhelming 46% of respondents say their organization can't stop the bad guys from infiltrating internal networks each time they try. More than a third (36%) say that their company's administrative credentials are stored on personal computers in Word or Excel documents. Further, half (50%) of the respondents admit that their customers' privacy or personally identifiable information could be at risk because their data is not secured beyond the legal minimums.

Flexibility Overrides Security
Whether organizations use cloud computing, build large-scale data silos, or connect thousands of IoT devices, going digital inevitably means facing a whole range of new cyber threats — with safeguarding privileged accounts being the starting point, according to the study. Most IT security pros say that protecting an IT environment starts with safeguarding privileged accounts. Nine out of 10 (89%) of experts surveyed say IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are under digital lock and key. Regarding cybersecurity threats, respondents worry most about targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).

IT security respondents also say the proportion of users with local administrative privileges on their devices increased from 62% in 2016 to 87% in 2018 — a 25% jump. This seems to indicate that employee demands for flexibility are overriding best data-protection practices.

The automation that is part and parcel of the cloud and DevOps mean privileged accounts, credentials, and secrets are being created at breakneck speed. If breached, these provide attackers with an ideal platform from which they can gain access to sensitive data across networks, data and applications, or cloud infrastructure they can use for illicit cryptomining activities. More organizations are acknowledging this security risk but nevertheless adopt a lax approach to cloud security.

When it comes to the cloud, 49% of organizations surveyed have no privileged account security strategy. More than two-thirds (68%) shift the responsibility for cloud security to the vendor and the built-in security features of its cloud solution. Another 38% say their cloud provider doesn't provide adequate protection.

Reforming Security Culture
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage. Consequently, banishing cybersecurity inertia will involve making it key to organizational strategy and behavior. To that end, most respondents to the survey (86%) say security should be a routine board-level discussion item, which suggests that currently there is a potentially disastrous disconnect between cybersecurity and the C-suite.

Despite the survey's bleak outlook, some organizations are evolving their security strategies to meet the current challenges. About 44% of them, worldwide, recognize or reward staffers who help ward off an IT security breach — and the number is even higher (74%) in the United States. Another 8% of companies perform red-team exercises to reveal weak spots in their IT and develop effective responses. But much more work needs to be done. Rather than viewing security simply as a cost, digital business champions will recognize it as a key aspect of every project and activity, use it to differentiate themselves from their less-secure competitors — and leave them in the dust.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/30/2018 | 3:04:33 PM
Re: The Law of Lightnling
i was in error - when in doubt - do as the CEO of Equifax did in testimony.  Blame ONE, JUST ONE, IT tech for a disaster.  The implications of the mind-boggling DUMB idea are beyond description. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:25:27 PM
competitive
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage Security can provide competitive advantage if properly implemented.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:23:07 PM
Re: The Law of Lightnling
well, blame the IT department for that That would be the strategy for upper management when they fail.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:20:02 PM
Re: The Law of Lightnling
Never strikes twice in the same place, right? Good point. That always depends om the place, if valuable and not protected, why not.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:18:00 PM
Cost
scores of organizations and effectively renders them unable to repel or contain cyber threats This may be because of the cost of the fif is greater than the cost of penalty I would say.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/25/2018 | 2:17:54 PM
The Law of Lightnling
Never strikes twice in the same place, right????   Not precisely but it does strike anyway.  For IT staffers, executives et al to BELIEVE that once hit, twice good is insane.  They are asking for more trouble and when they find it ..... well, blame the IT department for that.   Bury the innocent with blame, exonerate the guilty with promotions and bend to shareholder value.  Heaven forbid a soul-searching exam of the issue should take place?  Incredible dumb. 
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7050
PUBLISHED: 2020-02-15
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies ...
CVE-2019-13965
PUBLISHED: 2020-02-14
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed...
CVE-2019-13966
PUBLISHED: 2020-02-14
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
CVE-2019-13967
PUBLISHED: 2020-02-14
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only a...
CVE-2019-15592
PUBLISHED: 2020-02-14
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.