Site icon IT World Canada

Many organizations still ignore basic security, survey suggests

Ten tips for more secure sofware

Image from Shutterstock.com

Experts are going hoarse telling organizations they have to build their cyber security strategies around doing the basics, including having an accurate inventory of everything on the network.

But if a survey sponsored by Tripwire is accurate not many are following even the top six of the 20 recommended Critical Security Controls set by the Center for Internet Security (CIS).

Among the survey’s findings:

Approximately how many of the devices connected to your organization’s
network do you have tracked in an asset inventory? (Tripwire graphic)

“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience,” Tim Erlin, Tripwire’s vice-president of product management and strategy, said in a statement. “It’s surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward.”

The survey was completed by 306 participants in Canada and the U.S. last month, all of whom are responsible for IT security at companies with more than 100 employees.

Many organizations still struggle to maintain the adequate visibility into their environments needed to address potential issues quickly, an analysis of the survey results found. “Results showed that organizations need to improve visibility into the devices and software on their networks, logs from critical systems, and configuration changes.”

Almost all participants said their organization uses vulnerability scanning, but only half run comprehensive, authenticated scans. Only 59 percent are scanning weekly or more, as recommended by CIS.

Other interesting findings:

–More than half (54 percent) of respondents said their organization doesn’t pour logs from critical systems into a central location;

— 44 per cent said they only review logs weekly, monthly, quarterly or less. Nine per cent never review logs at all. The report’s authors say logs should be looked at daily.

The top six CIS Security Controls are inventory and control hardware assets; inventory and control software assets; perform vulnerability management; secure hardware and software configuration; control administrative privileges; and monitor and analyze logs.

A combination of security solutions is required to provide suitable threat prevention, detection and mitigation, says the report. But implementing cyber hygiene –defined as following the first six of the CIS security controls — provides organizations with the foundational breadth necessary to manage risk.

The report, called The State of Cyber Hygiene, can be downloaded here. Registration is required.

Exit mobile version