Unauthorized apps put businesses at risk
The risks from shadow and unauthorized apps have been known for years, but new research from Armis finds employees of 67 percent of UK organizations are introducing risk to the business by downloading applications and software onto assets without the knowledge or management of IT or security teams.
In addition, the study, carried out by Vanson Bourne, finds 39 percent of enterprises admit to feeling challenged by increasingly complicated regulations and governance requirements.
"Companies need to rapidly adapt to new stringent regulations that are moving away from traditional check-the-box obligations. This requires teams to quickly understand their organization's corresponding capability gaps, the path to compliance, and to convince other teams required to achieve compliance to prioritize such efforts. This is by no means easy," says Curtis Simpson, CISO at Armis. "Lack of policy enforcement can contribute to gaps requiring urgent remediation while also further complicating an organization's attack surface. Preventing material compliance and security breaches requires a focus on the foundational, with the business in mind: policy adoption and enforcement, contextual asset visibility and monitoring, exposure and vulnerability prioritization and remediation."
Among other findings, around 45,000 assets are connected to UK organizations' networks on average on a given business day, but 39 percent of respondents indicate a lack of complete visibility over company-owned assets connected to the business environment, and 42 percent report a lack of control and management over these assets. It's worse with personal devices: 77 percent say they lack visibility over employee-owned assets connected to the business environment, and 78 percent report a lack of control and management over these assets.
The tools used to monitor threats aren't helping either. Respondents report using eight different sources to collect data relating to threat intelligence and just 52 percent to 55 percent of processes related to threat intelligence are automated, which means that a lot of the work needed to make use of the intelligence sources is a manual effort.
"Organizations need to prioritize security across the entire organization, including employee-owned devices, to mitigate risk," says David Critchley, regional director UKI at Armis. "This can't be done manually, there are just too many assets with potentially unknown vulnerabilities. That's why automation is absolutely key to help bridge the security skills gap, manage the security posture at scale and see, protect and manage the entire attack surface."
You can find out more on the Armis site.