Studies by Verizon and IT security providers Accurics and Orca all argue that Cloud misconfigurations are the greatest threat to organizations, with Accurics finding that misconfigurations exist in 93% of the cloud deployments that it analyzed. Orca found that greater than 80% of organizations ‘have at least one public-facing workload running on an unsupported operating system or one that hasn’t been patched for at least 180 days’, which was a key factor in the 2017 Equifax breach. Orca also found that 25% of the companies it studied did not use multi-factor authentication to protect cloud accounts with root or super administrative access.
The studies found other ‘user errors’ as well, including encryption keys left in the open in 72% of deployments analyzed by Accurics, and internet facing workloads containing secrets and credentials in 44% of the organizations surveyed by Orca.
These statistics support a key finding that Cyberhedge analysis consistently reveals—good cyber security and overall cyber governance are not about having the latest or ‘best’ IT hardware or software. The most important thing is to make sure that the systems in use are installed, maintained and updated properly. Company A that has invested in the latest and greatest technology is no safer than Company B with inferior technology if Company A does not properly manage the technology. This is why Cyberhedge data indicates that the difference between good and bad cyber governance stems not from the technology a company has but the management of the technology. Ensuring that company staff are clear about good cyber hygiene, and that proper processes are in place are usually the most impactful things that companies can do to improve their cyber governance ratings.
And improving cyber security does not necessarily mean increasing expense. Incorporating MFA access protocols, making sure patches are installed promptly, and making sure that encryption keys are not left out in the open are process and oversight issues that should involve zero or minimal cost. Human error and misconfigurations are not correlated with how new or expensive the IT systems are. Companies with strong cyber governance understand this and devote resources to ‘people and process’ to reduce their risk of suffering a financially damaging breach.