Organizations struggle with 'cyber hygiene’ basics
Almost two-thirds of organizations are failing to use established benchmarks to set security baselines and are struggling to maintain visibility into their networks, according to a new report.
The study, carried out for security and compliance specialist Tripwire by Dimensional Research, looks at how organizations are implementing security controls that the Center for Internet Security (CIS) refers to as 'cyber hygiene.'
Almost two-thirds of the organizations admit they do not use hardening benchmarks, like CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.
"These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience," says Tim Erlin, vice president of product management and strategy at Tripwire. "It's surprising that so many respondents aren't using established frameworks to provide a baseline for measuring their security posture. It's vital to get a clear picture of where you are so that you can plan a path forward."
Among other findings are that many organizations still struggle to maintain visibility into their environments and quickly address unauthorized potential issues. Attackers may only need minutes on a network to launch a successful attack, yet 57 percent of respondents say it takes hours, weeks, months or longer to detect new devices connecting to their organization's network.
In addition forty percent of organizations are not scanning for vulnerabilities weekly or on a more frequent basis despite recommendations, and only half run more comprehensive authenticated scans. It takes 27 percent of organizations anywhere from a month to more than one year to deploy a security patch. 54 percent are not collecting logs from all critical systems into a central location, and 97 percent believe they need to get more efficient at checking logs.
Most organizations implement good basic protections around administrative privileges, but as low-hanging fruit, these controls should be in place at more organizations. 31 percent of organizations still do not require default passwords to be changed, and 41 percent still don't use multifactor authentication for accessing administrative accounts.
"When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case," adds Erlin. "Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment."
You can read more about the findings on the Tripwire blog.