A survey conducted by Lieberman Software has revealed that about three-quarters (73%) of IT security professionals would not be willing to bet $100 in the aforementioned scenario. And no wonder: apparently, corporate employees are simply ignoring security best practices.
The study also showed that 81.4% of IT security staff believe that employees tend to ignore the rules that IT departments put in place. Also, about half (52.2%) said they believe that employees wouldn’t listen even if IT directives came from executive management.
“These figures highlight the fact that many IT security professionals recognize that their organizations are woefully unprotected against cyber-attacks,” said Philip Lieberman, president and CEO of Lieberman Software. “While vendors of conventional security products – like firewalls and anti-virus – are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them. The reality is that 100% protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore.”
For example, the survey showed that IT groups are still not changing default passwords when deploying new systems. In fact, one-third (32.3%) of IT security professionals work in organizations that do not have a policy to change default passwords when deploying new hardware, applications and network appliances to the network.
“This simply must be a standard practice in any size organization,” said Lieberman. “Default privileged passwords are, in the truest sense, open backdoors into systems that are deployed on production networks. Most default passwords are publicly known and easily found online, meaning that anyone with malicious intent can use these default credentials as a foothold to gain anonymous access to systems and applications throughout the network.”
He added, “IT departments that do not have a solution in place to automatically detect, flag and change default privileged passwords on newly deployed systems are neglecting a very dangerous security hole.”
Then there’s the state of user privileges and administrative rights to consider. The survey found that most (75.8%) IT personnel think that employees in their organization have access to information that they don’t necessarily need to perform their jobs. Most workers (64.7%) also think that they have more access to sensitive information than colleagues in other departments. And 38.3% of IT security personnel have witnessed a colleague access company information that he or she should not have access to, but 54.7% of those respondents didn’t report them.
“These results suggest that even though most IT professionals are aware of the level of access they have to systems which may contain sensitive data, many organizations either cannot or will not control and audit this access,” Lieberman said.
He added, “The high number of staff who are thought to ignore IT directives could stem from willful negligence on the part of end-users, or the lack of proper internal security training. When these findings are taken together, respondents’ lack of confidence in the ability of their organizations to withstand a data breach is hardly surprising.”