While the huge number of cybersecurity incidents is helping to raise awareness of security best practice, many organizations are persisting with bad habits that leave them exposed to hackers and data breaches.
According to CyberArk’s Global Advanced Threat Landscape Survey 2016, 79% of organizations feel they have learned lessons from cyber-attacks and improved security. However, the most popular action taken by respondents is the deployment of malware protection (25%), followed by endpoint security (24%). Security analytics was deployed by just 16% of respondents.
The report also found that some worrying practices are still commonplace at organizations. Despite many respondents claiming their business had improved its approach to security, 40% admitted to storing privileged and admin passwords in a Word document or spreadsheet.
Third-party access to systems is also an area of concern. Nearly half (49%) of organizations allow third parties, such as supply chain firms, remote access to their systems. However, public sector firms in particular are doing a poor job of securing that access; 21% admitted to not securing that connection at all, and 33% said they do not monitor third-party activity on their network.
The research also revealed some rather contradictory findings. Three-quarters of respondents felt confident they could prevent attackers from breaking into their internal network, a figure that was just 44% a year ago. However, 36% said they felt sure a cyber-attacker had accessed their network within the last 12 months.
Nearly all respondents said their organization has a cybersecurity emergency response plan in place, but only 45% regularly communicate and test their plan with all IT staff.
There are also concerns over IT’s readiness to notify the rest of the business about a breach. Just 26% said notifying the CEO is among their top priorities, ahead of the rest of the staff (25%) and customers (18%). Stopping the breach and detecting its source were the top priorities following the discovery of an attack.
Despite this, 82% of respondents feel the security industry is in general making progress against cyber-attacks.
“The findings of this year’s Global Advanced Threat Landscape Survey demonstrate that cybersecurity awareness doesn’t always equate to being secure. Organizations undermine their own efforts by failing to enforce well-known security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud,” said John Worrall, CMO, CyberArk.
“There’s a fine line between preparedness and overconfidence. The majority of cyber-attacks are a result of poor security hygiene – organizations can’t lose sight of the broader security picture while trying to secure against the threat du jour,” Worrall added.