A number of recent studies show just how much, and in what manner, both SMBs and enterprises struggle with cybersecurity and data protection.
First, Tripwire surveyed people at Black Hat about security improvements after the WannaCry and Petya ransomware attacks. As the folks at Tripwire put it, in theory, the cost of damage in trade and reputation should have sounded alarm bells and jolted businesses into tightening their security systems to mitigate against such attacks in the future. But is that what really happened?
Probably not, as the survey revealed that 68 percent of respondents don’t feel confident that improvements have been made to better protect from cyberattacks. This could be because there is no general agreement on what the most pressing cybersecurity issues are, with 40 percent stating there is no one “root” problem to defend against, while 28 percent said the biggest issue is the number of shadow devices on a network.
Second, a Gigamon study found that nearly two-thirds of the companies surveyed don’t have visibility into all aspects of their IT infrastructure and almost half of respondents who don’t have visibility into their network do not possess information on what is being encrypted. This lack of information is hampering security. As Business Insider reported, the study found three primary reasons for these “blind spots” in the network:
- The increasing speed and growth of network traffic stresses monitoring and security tools, which are not adept at handling large amounts of traffic.
- High value information is being migrated to the cloud, where visibility is limited and application data is not easily accessible.
- A large amount of network data remains hidden due to data and tools still being segmented by organizational boundaries.
Third, a KnowBe4 survey found that the vast majority of SMBs aren’t using multi-factor authentication. They also fall behind their enterprise counterparts in password management. eSecurity Planet quoted KnowBe4 CEO Stu Sjouwerman:
Most organizations have password enforcement in place, but most aren’t taking it seriously enough by not enforcing policies beyond the normal number and letter character minimum and not requiring multi-factor authentication.
As Tim Erlin, VP at Tripwire, stated, no matter how big or small your organization is, you have to have a serious attitude toward security. He added in a formal statement:
Adopting best practices and leveraging critical security controls will continue to be the best bet for defending against advanced adversaries and can help close the gap within a business’s security infrastructure. It is important to understand that good security hygiene will greatly reduce the effectiveness of an attack and goes a long way to making the attackers’ job more difficult.
It seems to me that no matter how much organizations of any size think they know about practicing good security, there is still a lot of room for improvement.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba