So you think you're following best security practice? Think again
A new report shows that 86 percent of organizations believe they follow best practices for security hygiene and posture management, though they may not actually be doing so.
The report, created for asset management and governance company JupiterOne by Enterprise Strategy Group (ESG), finds that 73 percent of security professionals admit that they still depend on spreadsheets to manage security hygiene and posture at their organizations.
In addition, 70 percent of organizations say they use more than ten security tools for security hygiene and posture management, which raises concerns about data management and operations overhead.
It's not a big shock, then, to find that 70 percent of respondents say that security hygiene and posture management has become more difficult over the past two years as their attack surfaces have grown.
"The data demonstrates that many organizations continue to address security hygiene and posture management tactically on a technology-by-technology basis," says Jon Oltsik, ESG principal analyst and fellow, and author of the report. "ESG believes that CISOs should take a more holistic approach to security hygiene and posture management by adopting technologies and processes for discovering assets, analyzing data, prioritizing risks, automating remediation tasks, and continuously testing security defenses at scale."
The survey exposes a number of vulnerabilities, as nearly a third of respondents (31 percent) say they discovered sensitive data in previously unknown locations, and 30 percent found websites with a path to their organizations. In addition, 29 percent uncovered employee corporate credentials or misconfigured user permissions, while 28 percent exposed previously unknown SaaS applications.
Perhaps most troubling is the fact that 69 percent of organizations admit they have experienced at least one cyber-attack that started through the exploitation of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.
On a positive note, 80 percent of organizations plan to increase spending for security hygiene and posture management within the next 18 months. The top budget priorities include data security tools (31 percent); cyber-risk quantification tools (30 percent); and cloud security posture management (28 percent).
You can get the full report on the JupiterOne site and there's a summary of the findings in the infographic below.