A recent study conducted by Dimensional Research has revealed that most organizations don’t have a security strategy in place to protect the growing number of endpoints on their networks.
According to the study, just 33% of the survey’s respondents admitted that such a security strategy was in place, while the rest either said they were in the process of building such a strategy (51%), or that they didn’t have plans on the matter (16%). The stats are worrying, because the compromise of critical endpoints could have dire fiscal or operational consequences for an organization.
Traditionally, devices with which users could interact, such as desktops, tablets or phones, have been considered endpoints, but employee-owned devices, virtual machines, point-of-sale terminals, Internet of Things (IoT) devices and servers have been recently added to the list as well. The number of critical endpoints on enterprise networks has been growing fast despite security risks, with over 200 billion connected devices forecast by 2020.
According to the study, conducted on behalf of Tripwire, organizations also lack insight on whether the devices connected to their networks receive security updates in a timely fashion. When asked if they were confident that these devices were kept up to date, only 40% of respondents said they were.
When asked whether they were concerned about the security of IoT (Internet of Things) devices connecting to their organization’s network, only 21% of respondents said it was their top concern. 57% said they were concerned but didn’t see it as a top threat, 10% said they weren’t concerned, while 12% said they prohibit IoT devices on the corporate network.
Massive distributed denial of service (DDoS) attacks carried out against Brian Krebs’ blog and hosting provider OVH have brought to the spotlight once again weaknesses in IoT devices. Many of them are secured with easy-to-guess, hardcoded default credentials and also have vulnerable services enabled by default, which exposes them to botnets such as Mirai or other types of IoT malware.
Despite that, most organizations (57%) perform a comprehensive inventory of all hardware and software based assets on their network (including IoT devices) either once a year (31%) or without following a strict schedule (26%). Only 15% said they were performing the inventory continuously, others perform the check weekly (1%), monthly (5%), or quarterly (14%), but 7% never do it.
“Timely application of security updates is one of the most effective ways to reduce risk in any organization, but it remains a widespread challenge. As more diverse devices are deployed, the availability and management of these updates becomes more difficult. Organizations need to have a strategy now, before an incident occurs,” Tim Erlin, senior director of IT security and risk strategy for Tripwire, said.
Carried out in August to evaluate the challenges that organizations must address to optimize their cyber security and compliance programs, the survey received responses from more than 500 IT security professionals.
