Despite an increasingly sophisticated threat landscape, the majority of organizations (89%) use only basic IT security solutions.
That’s according to Netwrix’s global 2017 IT Risks Report, which found that 74% of organizations acknowledge they are not well prepared to beat IT risks.
The majority of organizations (89%) limit the range of IT security solutions in use, and only 13% of respondents use more advanced solutions for information security governance or risk management. Only 58% of respondents consider their current IT controls (or lack of them) adequate to their organization’s specific needs.
The main obstacles for rectifying this are lack of budget (57%) and lack of time (54%)—in fact, 65% of organizations do not have dedicated personnel responsible for cybersecurity. The same is true for compliance—56% of organizations subject to compliance delegate this task to the IT operations teams.
This state of affairs exists even though 65% of respondents admitted to having security incidents in 2016; the most common reasons cited were malware and human errors. Also, 66% of organizations perceive employees as the biggest threat to system availability and security, but only 36% of organizations say they are fully aware of employees’ actions.
"Organizations understand very well the need to focus significant effort on protecting the smooth operation of their businesses," said Michael Fimin, CEO and co-founder of Netwrix. “While they see their own users as the main threat, they haven’t yet gained visibility into user activity in business-critical systems and manipulations of sensitive data. Organizations that already have visibility into user activity and IT changes report that it greatly benefits their security initiatives and enables them to avoid issues such as data breaches, system unavailability and audit failures."
Like last year, organizations have the most visibility into activity and IT changes in endpoint protection (61%), virtual infrastructure (59%) and on-prem systems (52%). Shadow IT and BYOD are still the main pain points for about one-third of the IT pros surveyed.
Visibility into user activity across the IT infrastructure primarily benefits security initiatives, helping organizations to detect (79%) and investigate (73%) incidents, secure assets (55%), and mitigate security, compliance and system outage risks (53%).
The good news is that the number of organizations that have at least some controls over user activity, data access and IT changes in place grew from 62% in 2016 to 85% in 2017. Overall, more than half of organizations already have mature controls in place vs. one third last year. While every fifth organization last year admitted they didn’t have and didn’t plan to implement any IT controls, this year, only 8% of respondents fall into this category.
Meanwhile, IT auditing has become a more widespread practice, used by 84% of organizations in 2017 versus 63% in 2016. Manual IT auditing methods are still very common, but implementation of third-party software is growing steadily.
The survey also showed that organizations are planning to focus their future investments on securing sensitive data, since they cannot foresee every possible threat.
"I see data leakage as the current biggest risk to IT. We are getting better at high redundancy, availability, diagnostics and automation of all these components, but protecting data is still not improving," said Adam Fowler, IT expert and owner of adamfowlerit.com blog.
Even though 47% of organizations still experience operational issues due to lack of visibility, the number of respondents who are satisfied with the time required to fix them grew from 49% in 2016 to 81% in 2017.