Unpatched systems and misconfigurations are also major concerns for security professionals, Balbix says.
Organizations and their IT staffs have to battle a variety of cyberthreats in their quest to keep their businesses and resources safe and secure. But some threats are more pervasive and challenging than others. In a new report released on Wednesday, enterprise security provider Balbix looks at the top threats cited in a survey of security professionals. Produced by security community Cybersecurity Insiders, Balbix’s “2020 State of Enterprise Security Posture Report” was based on a poll of 372 IT and cybersecurity professionals conducted in the US in June 2020.
Among the respondents, 89% cited phishing, web, and ransomware attacks as their top concerns. Some 53% pointed to unpatched systems as their biggest security worry, while 47% mentioned misconfigurations.
Other concerns included identity and access management, password issues, malicious insiders, asset inventory, denial of service attacks, flat networks (networks not segmented or secured by routers and switches), and encryption issues.
Asked which threat areas they have continuous visibility into, 68% of the respondents pointed to unpatched systems, while 59% pointed to identity and access management. But less than half (48%) cited phishing, web, and ransomware, the same category they labeled as their biggest concern. Further, 46% said they have continuous visibility into password issues, 44% into asset inventory, 38% into denial of service attacks, and 29% into encryption issues.
For many organizations, limited visibility into their security holes and an inability to prioritize security issues are creating greater risk. Among those surveyed, 46% said they find it hard to tell which vulnerabilities are real threats and which are ones that will never be exploited. Some 37% were concerned because their visibility extends only to a small subset of the overall attack surface. And 25% said they feel inundated with far too many alerts to take the proper action.
Asset and inventory management is another challenge. Only 40% of the respondents said they’re aware of 75% or more of the devices on their network, with known business criticality and categorization for all of them. Some 43% are aware of between 50% and 75% of their network devices but with spotty coverage for business criticality and categorization. And 14% reported between 25% and 50% visibility but with no ability to accurately categorize or determine their business criticality.
Poor asset and inventory management can prove problematic if an organization is hit by a cyberattack or learns of a serious vulnerability. Only 58% of those surveyed said they can determine within 24 hours every vulnerable asset in their organization following a critical exploit. More than 40% said it would take them 24 hours or longer to identify each vulnerable system.
Granting access privileges to users is also a challenge. Too little, and employees have difficulty doing their jobs. Too much, and you open the door to security risks. In this case, though, IT teams tend to lean toward too much. Almost half (48%) admitted to giving at least some users more access privileges than required.
Finally, trying to explain the need for certain security methods and projects to the board or senior management can be an onerous task faced by high-level IT personnel. In this case, 52% of the respondents said they had a good discussion and got their point across, though the outcome was not as expected. Only 13% said that these types of presentations go over well and that the board members understand the security situation.
“The findings of our report make it abundantly clear that security professionals remain inundated with the challenge of maintaining comprehensive visibility over their complex attack surface while also combatting the evolving threat landscape,” Balbix CTO Vinay Sridhara said in a press release. “In cybersecurity, risk trends can change overnight, and it’s clear from the survey results that infosec professionals are struggling to assess, quantify, and prioritize the most important risks to their organizations.”
To help organizations better manage their security postures, Balbix provides the following thoughts on different issues:
Inadequate visibility. Only 13% of the respondents don’t face issues with their security visibility. Infosec teams need visibility into all the devices and applications on their network, as well as the hundreds of attack vectors to which they’re susceptible. This visibility should be continuous, as periodic scans quickly go out of date. Lastly, infosec teams should have visibility into the severity of vulnerabilities to know if they are real threats or just noise.
Inventory blind spots. The majority of respondents are not accounting for 25% or more of their devices in their inventory. This creates huge blind spots in security posture and serious risks. Enterprises must have a continuous, real-time view of their inventory that includes all devices, apps, and services. This means managed and unmanaged infrastructure, on-premises and cloud, and fixed and mobile. They should also have intel on how devices are being used.
Risk from privileged users. With 80% of organizations providing more access privileges than necessary for their users, it is critical to have visibility into the threats affecting these users. Vulnerabilities on privileged user assets should be treated with urgency and given high priority since exploitation will result in an accelerated breach. Organizations should also take steps to limit access privileges where possible.
Communicating to the board. Some 52% of cybersecurity leaders are settling for “OK” board presentations when they could be nailing it. Effective board-level presentations start with quantifiable risk metrics and intuitive visualizations. They should focus on business objectives and help stakeholders understand where the company is on cyber risk, where it should be, and how it can get there.