Too many companies fail to get cyber fundamentals right
Summary
Perimeter scanning of 3,514 corporate networks in the finance, manufacturing, IT, retail, government, telecoms and advertising sectors, conducted by Positive Technologies, found high-risk vulnerabilities at 84% of the organizations. 47% of the detected vulnerabilities could be eliminated simply by installing the updates the software vendor already recommends. The underlying causes (missing software updates, outdated algorithms and protocols, configuration flaws, mistakes in web application code, and accounts with weak or default passwords) are in general easy to fix.
Other key findings:
- Publicly available exploits exist for 10% of the vulnerabilities found, meaning that breaching these systems does not require any specialist programming skills
- 42% of the companies were using software for which the developer had announced ‘end of life’ and which therefore no longer receives security updates
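The two causes the report singles out, missing vendor updates and end-of-life software, are the ones an inventory check can surface before a perimeter scan does. The following added example (not code from the report or from Positive Technologies) classifies each externally reachable asset as end-of-life, missing an available update, current, or unknown, and then reproduces the two headline statistics per organization. The product names, version numbers, support dates and inventory rows are constructed for illustration; in practice the support table would be built from vendor advisories and lifecycle pages.

```python
"""Classify perimeter inventory entries by remediation cause.

Added example, not from the Positive Technologies report. The vendor
support table, product names and inventory rows are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SupportInfo:
    latest_patched: str           # newest version carrying current security fixes
    end_of_life: Optional[date]   # None while the product is still supported


# Hypothetical vendor support table (constructed for this example).
SUPPORT_TABLE: Dict[str, SupportInfo] = {
    "ExampleWeb": SupportInfo("2.4.54", None),
    "ExampleVPN": SupportInfo("9.1.0", date(2022, 6, 30)),
    "ExampleMail": SupportInfo("3.8.2", None),
}


@dataclass(frozen=True)
class Asset:
    org: str
    host: str
    product: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn '2.4.54' or '2.4.54-rc1' into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def classify(asset: Asset, today: date) -> str:
    """Map one asset to the remediation cause the report describes."""
    info = SUPPORT_TABLE.get(asset.product)
    if info is None:
        return "unknown"              # no support data: needs manual review
    if info.end_of_life is not None and info.end_of_life <= today:
        return "end_of_life"          # no patch will ever come; replace or isolate
    if parse_version(asset.version) < parse_version(info.latest_patched):
        return "missing_update"       # fixable by applying an available update
    return "current"


def summarize(assets: List[Asset], today: date) -> dict:
    """Counts per cause, plus the two headline percentages from the report."""
    labels = {a: classify(a, today) for a in assets}
    counts = Counter(labels.values())
    all_orgs = {a.org for a in assets}
    eol_orgs = {a.org for a, label in labels.items() if label == "end_of_life"}
    return {
        "counts": dict(counts),
        "pct_orgs_with_eol": round(100 * len(eol_orgs) / len(all_orgs), 1),
        "pct_fixable_by_update": round(100 * counts["missing_update"] / len(assets), 1),
        "eol_orgs": sorted(eol_orgs),
    }


# Constructed inventory: three organizations, two internet-facing hosts each.
SAMPLE_INVENTORY = [
    Asset("OrgA", "web-1", "ExampleWeb", "2.4.50"),
    Asset("OrgA", "mail-1", "ExampleMail", "3.8.2"),
    Asset("OrgB", "vpn-1", "ExampleVPN", "9.1.0"),
    Asset("OrgB", "web-1", "ExampleWeb", "2.4.54"),
    Asset("OrgC", "web-1", "ExampleWeb", "2.4.41"),
    Asset("OrgC", "legacy-1", "UnknownTool", "1.0"),
]
SCAN_DATE = date(2023, 1, 1)

if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        print(f"{asset.org:5} {asset.host:9} {asset.product:12} "
              f"{asset.version:7} -> {classify(asset, SCAN_DATE)}")
    print(summarize(SAMPLE_INVENTORY, SCAN_DATE))
```

The ordering inside `classify` matters: an end-of-life product is reported as such even when it runs the last version the vendor ever shipped, because "fully patched" is meaningless once patches have stopped. Assets with no support data are kept as a separate "unknown" bucket rather than silently counted as current, since an unrecognised product on the perimeter is exactly the kind of finding that deserves a second look.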
Analysis
While the COVID‑19 driven shift to remote work has made perimeter security less dominant within overall cyber security than it was before, it remains a crucial line of defense, and failure to take even the most basic software update steps is unfortunately all too common. These results are in line with Cyberhedge findings and other research showing that a high percentage of vulnerabilities in enterprise IT systems result from a failure to implement and manage basic cyber hygiene practices: what we refer to as ‘people, policy and process’.
How well ‘people, policy and process’ are managed is often what separates companies ranked highly on cyber governance from those ranked poorly. Good companies ensure that the basics of cyber security, such as continuous training and awareness building for staff and regular patching programs, are consistently executed.
Our ratings also indicate that simplifying the corporate network by reducing the number of software programs is critical, especially at a time when strains on these networks have grown sharply. A less complex corporate network is less costly to protect effectively. In addition, most corporate IT systems operate at less than 50% of their full capability, and most organizations would benefit more from making fuller use of the systems they already have than from introducing new systems that require costly training and integration to implement.
Unfortunately, most organizations still see ‘new’ software as a better solution than ‘make sure we are getting the most out of what we have — and simplify where we can.’