More than 90% of companies are still using outdated technologies as their primary source of security for network access control—and 45% of them have not increased their security budgets to modernize, despite recent high-profile breaches.
That’s the word from a new survey from Cryptzone and TechValidate, which uncovered that outdated approaches to security are rife. Most importantly, there is a decided lack of advanced solutions to limit the carte blanche access granted to employees and third parties under older network security models.
A vast majority (91%) of respondents said that VPNs are still the main form of security for controlling network access, despite the fact that VPN technology was created almost 20 years ago.
A slight majority (51%) noted that their access control technology was greater than three years old, and 11% said it was more than 10 years old.
Host IPS, next-gen firewalls, identity management solutions and vulnerability assessment are only being used by between 24-30% of the organizations for the purpose of access control. Exactly half said that their network access/firewall rules were static, and only 21% of companies rely on attribute-based controls to secure access. Most rely on authentication (93%) and session authorization (46%).
Overall, more than half of companies (52%) have not reviewed their access policies in over a year, and 42% of companies can’t or don’t automatically enforce security policies.
“It’s remarkable that many organizations are still utilizing network security technologies developed in the nineties – a time when the Internet was still in its infancy,” said Kurt Mueffelmann, president and CEO for Cryptzone, in a statement. “The cyber-attacks we have seen over the last few years, have demonstrated that it’s far too easy for hackers to steal user credentials, and then use those credentials to traverse the enterprise network in search of the most valuable data. Organizations need to accept that outdated access control technologies are not working against today’s sophisticated adversaries.
There’s also a big gap between concerns and reality when it comes to threats. The survey revealed that malicious external user actions (hacking) were perceived as the greatest security risk to an organization (66%), followed closely by user mistakes/accidents (56%). But, upon reviewing the threats that had caused the most actual harm or damage to organizations in the last 12 months, 61% noted user mistakes/accidents, and only 46% noted malicious external user actions. So in other words, insider threats caused the most actual harm or damage to information security, not outside threats.
“The default position should be to make your infrastructure invisible, and then grant access on a case-by-case basis, only after user identity, posture and context have been validated,” Mueffelmann said. “Organizations must stop giving out the keys to the kingdom when it comes to privileged user, third party and employee access.”