In the 2018 Scalar Security Survey, we asked IT security and risk compliance professionals about everything from the financial cost of a security breach to how often their employees update their mobile systems. One of our key findings was that even within organizations where cyber security is a priority, there are some common weaknesses that need attention in order to protect an organization from ongoing threats. Not surprisingly, most of these areas involve compliance outside of a company’s internal IT department.
Underestimating exposure and vulnerabilities in external relationships
Most organizations are failing to recognize that their security planning must also account for external relationships, like connections to suppliers, partners and third parties. There have been large data breaches in the past where attackers gained access through credentials stolen from third parties. Even the most secure organization can be vulnerable because its partners don’t have strong cyber security in place.
Businesses can strengthen their security planning by using the NIST framework to analyze their organization, including these external relationships, and making sure that their security protocol protects the data flowing between the parties. 74% of those we interviewed don’t consider external relationships in a comprehensive manner, and 16% of medium to large businesses don’t consider third parties at all. That means there’s a lot of room for improvement!
Deficient security training for employees
Employees have long been thought of as a point of security weakness, but we think of them as arguably the most important part of the security perimeter. Developing a culture of information security accountability is critical to a successful security program. A lot of the time, weaknesses occur because employees aren’t properly trained or managed when it comes to cyber security protocol, yet they are primary targets for attacks. When protection is out of balance with the threat, we see a concerning area of weakness.
For example, a majority of organizations don’t provide formal training on how and how often to update PC and smartphone operating systems and apps, or on how to identify attacks such as phishing. Organizations tend to do a bit better with formal training on how to use security technology or how to properly care for sensitive data, but with employees as a primary target, both formal training and regular reminders need to become a priority.
Slow security updates and patches
Comprehensive security assessments are incredibly valuable, but only if they are followed by a quick and organized response. Many of the organizations we spoke to had difficulty prioritizing security updates or implementing them at all. We broke these down into six areas, according to the NIST framework:
- On-premise databases, apps, servers
- Web applications
- Network equipment
- Public cloud (IaaS/PaaS)
The two areas where timelines were the biggest issue were web applications and the public cloud. In both, the majority of organizations waited a year or longer to install security updates or patches, including critical ones. 87% of respondents update smartphones within a week, which is positive and perhaps indicates that in areas where individuals are already accustomed to updating software, timelines aren’t as much of a problem.
With slow update and patch implementation, organizations increase their security vulnerabilities quite dramatically. Unfortunately, working out which updates are actually critical can become part of the problem, which is why external security firms conducting security assessments need to be clear about prioritization, so that the organization can implement the updates that are truly critical first.
Dated response planning
Along with regular updates to PCs and network equipment, security breach response plans need to be regularly updated and properly documented. In our security survey, 68% of organizations answered that they don’t have a fully documented and regularly updated security incident response plan in place. Smaller organizations seem to struggle the most in this area, with only 12% answering that they have a fully documented and regularly updated plan in place, while 34% said that their plan is informal.
On a positive note, only 2% of organizations don’t have a security incident response plan at all, which means that businesses know they need one but may not be updating it regularly. One of the biggest reasons for keeping these plans updated and documented is that security tactics change to adapt to new forms of attack and new technologies. As attacks change, IT plans need to add new technology to their traditional tactics to strengthen their cyber security.