SMB IT Pros Give Themselves an "F" on Prevention, Detection

Forty percent of IT pros at small and medium-sized businesses give their organization a failing grade for having a balanced security stack.

In a survey, Barkly asked IT managers and system admins at SMBs to grade their organizations on the three core aspects of security: prevention, detection and recovery. While responses varied, the majority reflected a need for improvement across the board.

“Managing security in today's rapidly evolving threat environment is a complex task,” said Jonathan Crowe, a researcher at Barkly. “Not only do organizations need to be able to prevent an increasingly volatile variety of attacks, they also need to ensure they have the tools and systems in place to quickly detect and recover from incidents when they do occur. Finding the right balance between these three areas of focus can be difficult, especially when your time and budget is limited.”

In terms of prevention, the obvious goal is to keep malicious software off of systems and avoid unauthorized access—typically using antivirus, firewalls, email filtering, whitelisting, patch management, security awareness training and so on. Out of the three major areas of focus, the majority of respondents placed the highest priority on prevention: If given additional budget, 51% said they would invest in prevention first. However, one third of respondents gave their organizations an F in the category.

“One big contributing factor for that dour outlook might be an over-reliance on outdated technology,” Crowe said. “The majority of the most common prevention solutions—antivirus, firewalls, etc.—attempt to identify and block malware by scanning static files. That's unfortunately a technique that many of today's modern attacks actively bypass, either by making slight alterations to malware code, or by exploiting legitimate tools and software (ex: Microsoft PowerShell) to infect systems without having to deliver a malicious file on disk.”

As a result, organizations are getting infected even if they have traditional prevention software in place.

On the detection front, the goal is to become aware of security incidents and suspicious activity as quickly as possible, using tools such as intrusion detection systems (IDS) and network monitoring. This came in as the No. 2 priority for SMB IT pros: slightly more than a quarter of respondents said they would prioritize additional detection tools and resources over additional prevention solutions. Unfortunately, a whopping 43% of survey respondents gave their organizations failing grades for detection.

“Despite the need for more help in this area, respondents still listed prevention as a higher priority for future budget allocation,” Crowe said. “That may be partly attributable to the high barrier to entry for most detection and response solutions, which are typically more complex and often require a prohibitive investment of time, money, staff and resources to manage.”

IT pros also point to the record rise in ransomware as a reason for shifting their focus to prevention from detection. Since ransomware attacks can encrypt files in a matter of minutes or even seconds, detecting and responding to the attack after the fact means it's too late. The damage is already done.

Which brings us to recovery, the third-ranked priority for respondents. The goal here is to make cleaning up and getting back to normal after an attack as quick and painless as possible, using backup, forensics and so on. Interestingly, 83% gave their organizations passing grades, and nearly 50% gave themselves an "A"—twice the number of "A"s handed out for prevention and detection.

Prevention, detection, and recovery are all important bases to cover—and until they improve on the prevention and detection fronts, many IT pros believe their security stacks still need work.

“Security products are the treadmills of IT,” said Barkly co-founder and CTO Jack Danahy. “Before you rush into buying another one, ask yourself, how can I revisit our existing tools, identify where our gaps are, and determine how to mitigate the most serious threats to our most vulnerable and valuable resources?”
