Lack of Hardened Benchmarks Leads to Poor Cyber Hygiene

The Center for Internet Security (CIS) refers to an organization's implementation of security controls as its “cyber hygiene,” but a new survey finds that nearly two-thirds of organizations are not practicing good cyber hygiene habits as they have no established benchmarks for implementing security controls.  

The new State of Cyber Hygiene Report by Tripwire surveyed 306 IT security professionals to learn if and how organizations are implementing security controls. Conducted in July 2018 in partnership with Dimensional Research, the survey found that almost two-thirds of organizations admitted that they do not use hardening benchmarks, such as CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.

“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience," said Tripwire’s Tim Erlin, vice president of product management and strategy, in a press release. "It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward."

Maintaining visibility of their environments is an ongoing challenge for many organizations, which makes it difficult for them to quickly address unauthorized potential issues. While attackers can launch a successful network attack in minutes, 57% of respondents said it takes them hours, weeks, months or longer to detect new devices connecting to their organization’s network.

Despite best practice recommendations, 40% of organizations fail to have a weekly cadence of scanning for vulnerabilities, and only half run the more comprehensive authenticated scans. Organizations are also slow when it comes to patches. Deploying a patch can take anywhere from one month to more than a year for 27% of organizations.

Additionally, 44% do not have a central location for collecting logs from all critical systems, even though 98% admit they should be more efficient at checking logs. One fourth of respondents (25%) confessed that they are not efficient at all and another 73% claimed to be fairly efficient but said that they could improve.

"When cyber-attacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case," Erlin said. "Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment."

What’s Hot on Infosecurity Magazine?