70% of security pros find security hygiene challenging

New research from JupiterOne shows that security hygiene and posture management are increasingly challenging aspects of security and IT professionals.

JupiterOne, cyber asset management and governance solutions provider, has announced the findings of a new survey by Enterprise Strategy Group (ESG), which warns of inadequate security hygiene and posture management practices at many organizations.

The ESG research found that 86 per cent of organisations believe they follow best practices for security hygiene and posture management. However, 70 per cent of organisations said they use more than 10 security tools to manage security hygiene and posture management, which raises concerns about data management and operations overhead, according to Jon Oltsik, ESG Principal Analyst and Fellow, and author of the report.

In addition, 73 per cent of security professionals admitted that they still depend on spreadsheets to manage security hygiene and posture at their organisations. As a result, 70 per cent of respondents said that security hygiene and posture management had become more difficult over the past two years as their attack surfaces have grown.

Oltsik says: "The data demonstrates that many organisations continue to address security hygiene and posture management tactically on a technology-by-technology basis.

"ESG believes that CISOs should take a more holistic approach to security hygiene and posture management by adopting technologies and processes for discovering assets, analysing data, prioritising risks, automating remediation tasks, and continuously testing security defenses at scale."

The report found that the external attack surface is increasingly vulnerable and prone to exploitation by adversaries. For this reason, CISOs should understand that attackers may be continuously scanning their organisation's attack surface with automated tools before launching cyberattacks. Therefore, organisations should strive to safeguard internet-facing assets and reduce their attack surface, thus increasing the work and resources needed by cyber adversaries.

Erkang Zheng, founder, and CEO of JupiterOne says: "The findings from this report raise troubling concerns about the state of asset vulnerability management.

"This survey points out the need to gain deeper insights into asset exploitability which can pose devastating risks to businesses."

Overall, the report suggests that security asset management programs are too often informal, disorganised, and immature. It suggests that organisations would benefit from adopting greater integration technologies, advanced analytics, and process automation, according to ESG.

The survey exposed many dangerous vulnerabilities, as nearly one-third of respondents (31%) said they discovered sensitive data in previously unknown locations, and 30 per cent found websites with a path to their organisations. In addition, 29 per cent uncovered employee corporate credentials or misconfigured user permissions, while 28 per cent exposed previously unknown SaaS applications.

Perhaps most troubling is the fact that 69 per cent of organisations admitted they had experienced at least one cyber-attack that started through the exploit of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.

As a result of these threats, the survey found that 80 per cent of organisations plan to increase spending for security hygiene and posture management within the next 18 months. The top budget priorities areas include data security tools (31%); cyber-risk quantification tools (30%); and cloud security posture management (28%).

For the report, ESG conducted an online survey of 398 IT and cybersecurity professionals from private- and public-sector organizations across North America.

For an infographic and blog on The State of Cyber Asset Management, visit here: https://try.jupiterone.com/blog/infographic-the-state-of-cyber-asset-management.


Featured Articles

How secure is sensitive data stored in the cloud?

A Cloud Security Alliance (CSA) survey has found 67% of organisations store sensitive data in public cloud environments, but how secure is it?

CYBER LIVE LONDON: Day 2 highlights of the hybrid tech show

We take a look at highlights of the different stages at the Tech Live London show, including insights from Claroty, SalesForce and Oracle

TECH LIVE LONDON: An overview of the hybrid technology show

We take a look at the first day of Tech Live London with insights from technology leaders from companies such as IBM, Microsoft and Vodafone

Does a cashless society mean higher risk of fraud?

Cyber Security

5 minutes with Gary Brickhouse, CISO of GuidePoint Security

Cyber Security

CTO at Passbolt explains the importance of password managers

Application Security