Cyber professionals feel confident in their security and compliance practices, but survey data shows that network misconfigurations are nevertheless putting their organizations at risk and costing them a significant share of revenue, according to Titania.
Many enterprises also fail to reduce their attack surface effectively. Companies prioritize firewall security and report fast remediation of misconfigurations once they are discovered during annual audits. However, switches and routers are included in only 4% of such tests, even though these devices play an important role in shrinking an organization's attack surface and preventing lateral movement across the network.
Respondents also reported that the funding allocated to minimizing network misconfiguration, currently about 3.4% of total IT budgets, and the lack of accurate automation are the main factors limiting how well misconfiguration risk can be managed.
The study surveyed 160 senior cybersecurity decision-makers across the U.S. military, federal government, oil and gas, telecommunications, and financial services sectors.
Misconfiguration costs organizations millions of dollars
Organizations report that misconfigurations cost them an average of 9% of their annual revenue, and the actual cost could be higher. A third of respondents find fewer than 50 misconfigured devices per year, but the majority only check their devices annually. A misconfiguration, including one that poses a serious security risk, can therefore persist on the network for months or even years between checks, leaving the business vulnerable to attack. And while budgets grow every year, this has little or no effect on the volume of critical misconfigurations discovered on the network.
Compliance is a top priority
75% of organizations across all sectors say their business relies on compliance to provide security, and almost every organization reports that it is meeting its security and compliance requirements. This contrasts with several other findings from the survey, and with other reports showing a decline in the number of organizations maintaining full compliance with regulated data security standards. For example, a recent Verizon report found that only 27.9% of global organizations remained fully PCI DSS compliant in 2019, a decrease for the third consecutive year.
Prioritizing remediation is a challenge
75% said their cybersecurity tools let them 'very effectively' classify and prioritize compliance risks. However, 70% reported difficulty prioritizing risk-based remediation, and respondents also cited inaccurate automation as the top challenge in meeting security and compliance requirements.
Routers and switches go largely unnoticed
96% of organizations prioritize firewall configuration and testing, but not routers or switches, which leaves those devices exposed to significant risks that go unidentified. Only 4% rated switches and routers, alongside firewalls, as essential to preventing lateral movement between network segments, as Zero Trust best practice recommends.
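The survey's two practical points, that routers and switches are rarely checked and that annual audits leave misconfigurations in place for months, both come down to running a configuration check on every device far more often than once a year. The following is an added example, not from the Titania report or any vendor tool, of what such a check looks like: it parses a constructed Cisco IOS-style running-config and flags a small illustrative subset of the hygiene problems a real hardening benchmark would cover (plaintext management protocols, default SNMP communities, weak enable secrets). The sample config, rule names and severities are assumptions made for the example.

```python
"""Audit a Cisco IOS-style running-config for common misconfigurations.

Added example; the rule set is a small illustrative subset, not a complete
benchmark, and the sample configuration below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str        # short rule identifier (assumed names)
    severity: str    # "high" | "medium" (assumed scale)
    detail: str


# Constructed sample running-config with several deliberate weaknesses.
SAMPLE_CONFIG = """\
hostname core-sw-01
no service password-encryption
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community s3cr3t RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
end
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global lines and indented sections.

    Returns (global_lines, {section_header: [indented lines]}). Only
    'line ...' and 'interface ...' headers open a section here.
    """
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates config blocks
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_config(config: str) -> List[Finding]:
    """Return the list of findings for one device configuration."""
    global_lines, sections = parse_sections(config)
    findings: List[Finding] = []

    if "no service password-encryption" in global_lines:
        findings.append(Finding("password-encryption", "medium",
                                "service password-encryption is disabled; passwords stored in cleartext"))
    if "ip ssh version 2" not in global_lines:
        findings.append(Finding("ssh-version", "medium", "'ip ssh version 2' is not set"))

    for line in global_lines:
        if line.startswith("enable password "):
            findings.append(Finding("enable-password", "high",
                                    "'enable password' used instead of 'enable secret'"))
        elif line == "ip http server":
            findings.append(Finding("http-server", "medium", "plaintext HTTP management enabled"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", line)
        if m:
            community, mode = m.groups()
            if community.lower() in {"public", "private"}:
                findings.append(Finding("snmp-default-community", "high",
                                        f"default SNMP community '{community}' ({mode})"))
            if mode == "RW":
                findings.append(Finding("snmp-rw", "high", f"read-write SNMP community '{community}'"))

    # Per-VTY-line checks: any transport that admits telnet ('telnet' or 'all').
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        for entry in body:
            words = entry.split()
            if words[:2] == ["transport", "input"] and ({"telnet", "all"} & set(words[2:])):
                findings.append(Finding("vty-telnet", "high", f"{header}: telnet accepted ('{entry}')"))
    return findings


def high_severity_rules(config: str) -> List[str]:
    """Convenience wrapper: rule names of all high-severity findings, in order."""
    return [f.rule for f in audit_config(config) if f.severity == "high"]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Run against the whole device estate on a schedule (nightly, or on every config change pulled from version control) rather than once a year, and diff the findings between runs; a finding that appears and stays for weeks is exactly the persistent misconfiguration the survey describes.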
“What is clear from this study is that misconfiguration risk is affecting profitability. Senior cyber professionals are prioritizing compliance and feeling confident about cybersecurity, but implementing it at scale and continuously is a huge challenge,” said Phil Lewis, CEO of Titania.
“80% of network traffic is in the perimeter, and security best practices are evolving to reflect the fact that protecting the perimeter of each network segment is important, but just as important is testing secure devices in the perimeter to mitigate insider threats from software and traffic,” Lewis continued. “If organizations want to effectively reduce their attack surface, they need to speed up the risk assessment and remediation of all network devices. This aligns with a core tenet of trustless security best practice, which is to verify, rather than trust, that devices are secure every day. To truly reduce their risk and adhere to increasingly stringent compliance standards, adopting a trustless mindset will help companies develop a much stronger approach to network security.”