Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/25/2018
02:00 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Despite Risks, Nearly Half of IT Execs Don't Rethink Cybersecurity after an Attack

A recent survey reveals a troubling degree of security inertia lurking among scores of organizations. But there are a few bright spots.

A wise person once said, "Insanity is doing the same thing over and over again and expecting different results." However, in a recent survey done by CyberArk for its Global Advanced Threat Landscape Report 2018 (registration required), almost half (46%) of 1,300 IT executives in seven countries say they rarely change their security strategy — even after a cyberattack.

The survey findings suggest that atroubling degree of security inertia lurks within scores of organizations and effectively renders them unable to repel or contain cyber threats. Such complacency puts sensitive corporate data, IT infrastructure, and assets at risk. In fact, an overwhelming 46% of respondents say their organization can't stop the bad guys from infiltrating internal networks each time they try. More than a third (36%) say that their company's administrative credentials are stored on personal computers in Word or Excel documents. Further, half (50%) of the respondents admit that their customers' privacy or personally identifiable information could be at risk because their data is not secured beyond the legal minimums.

Flexibility Overrides Security
Whether organizations use cloud computing, build large-scale data silos, or connect thousands of IoT devices, going digital inevitably means facing a whole range of new cyber threats — with safeguarding privileged accounts being the starting point, according to the study. Most IT security pros say that protecting an IT environment starts with safeguarding privileged accounts. Nine out of 10 (89%) of experts surveyed say IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are under digital lock and key. Regarding cybersecurity threats, respondents worry most about targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).

IT security respondents also say the proportion of users with local administrative privileges on their devices increased from 62% in 2016 to 87% in 2018 — a 25% jump. This seems to indicate that employee demands for flexibility are overriding best data-protection practices.

The automation that is part and parcel of the cloud and DevOps mean privileged accounts, credentials, and secrets are being created at breakneck speed. If breached, these provide attackers with an ideal platform from which they can gain access to sensitive data across networks, data and applications, or cloud infrastructure they can use for illicit cryptomining activities. More organizations are acknowledging this security risk but nevertheless adopt a lax approach to cloud security.

When it comes to the cloud, 49% of organizations surveyed have no privileged account security strategy. More than two-thirds (68%) shift the responsibility for cloud security to the vendor and the built-in security features of its cloud solution. Another 38% say their cloud provider doesn't provide adequate protection.

Reforming Security Culture
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage. Consequently, banishing cybersecurity inertia will involve making it key to organizational strategy and behavior. To that end, most respondents to the survey (86%) say security should be a routine board-level discussion item, which suggests that currently there is a potentially disastrous disconnect between cybersecurity and the C-suite.

Despite the survey's bleak outlook, some organizations are evolving their security strategies to meet the current challenges. About 44% of them, worldwide, recognize or reward staffers who help ward off an IT security breach — and the number is even higher (74%) in the United States. Another 8% of companies perform red-team exercises to reveal weak spots in their IT and develop effective responses. But much more work needs to be done. Rather than viewing security simply as a cost, digital business champions will recognize it as a key aspect of every project and activity, use it to differentiate themselves from their less-secure competitors — and leave them in the dust.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/30/2018 | 3:04:33 PM
Re: The Law of Lightnling
i was in error - when in doubt - do as the CEO of Equifax did in testimony.  Blame ONE, JUST ONE, IT tech for a disaster.  The implications of the mind-boggling DUMB idea are beyond description. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:25:27 PM
competitive
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage Security can provide competitive advantage if properly implemented.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:23:07 PM
Re: The Law of Lightnling
well, blame the IT department for that That would be the strategy for upper management when they fail.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:20:02 PM
Re: The Law of Lightnling
Never strikes twice in the same place, right? Good point. That always depends om the place, if valuable and not protected, why not.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2018 | 8:18:00 PM
Cost
scores of organizations and effectively renders them unable to repel or contain cyber threats This may be because of the cost of the fif is greater than the cost of penalty I would say.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/25/2018 | 2:17:54 PM
The Law of Lightnling
Never strikes twice in the same place, right????   Not precisely but it does strike anyway.  For IT staffers, executives et al to BELIEVE that once hit, twice good is insane.  They are asking for more trouble and when they find it ..... well, blame the IT department for that.   Bury the innocent with blame, exonerate the guilty with promotions and bend to shareholder value.  Heaven forbid a soul-searching exam of the issue should take place?  Incredible dumb. 
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Planned vacation simulation
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-15
couchcms 2 is affected by: Web Site physical path leakage. The impact is: disclosure the full path. The component is: includes/mysql2i/mysql2i.func.php and addons/phpmailer/phpmailer.php. The attack vector is: network connectivity.
CVE-2019-10100
PUBLISHED: 2019-07-15
borg-reducer c6d5240 is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Output parameter within the executable.
CVE-2019-10103
PUBLISHED: 2019-07-15
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated use...
CVE-2019-10103
PUBLISHED: 2019-07-15
libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136...
CVE-2019-10103
PUBLISHED: 2019-07-15
Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact is: A remote attacker can execute arbitrary commands by sending a crafted request to the server. The component is: Message handler & request validator. The attack vector is: Remote unauthenticated. The fixed version is: after ...