The release of the Tripwire ‘State of Cyber Hygiene report’ examines just how companies are handling cyber security basics. The report explores how organizations are implementing cybersecurity practices related to network visibility, vulnerability management, configuration management, administrative privileges and logging. Conducted in partnership with Dimensional Research, the wide-ranging cybersecurity survey indicates that many organizations are simply not doing enough when it comes to handling risk in a changing security and threat environment. In fact, it reveals that there is a distinct lack of focus on getting the basics of security right.
What is cyber hygiene?
Just like how we take care of our personal hygiene by following basic practices to maintain good health, cyber hygiene refers to the proper maintenance and basic protection organizations need to put in place for cyber defense.
The Tripwire report takes a close look at how organizations across the board are implementing the ‘Cyber Hygiene’ recommendations of the Center for Internet Security (CIS). Based on responses from 306 IT security professionals, the report finds that organizations are simply not doing what is necessary to manage risk. In fact, the numbers are extremely worrying – two thirds of organizations are not following guidelines based on CIS or Defense information Systems Agency (DISA). The guidelines issued by these organizations provide frameworks for the establishment of a secure baseline – the bare minimum to protect sensitive data and keep your network secure.
VP of Product Management and Strategy at Tripwire, Tim Erlin explained why establishing a secure baseline in a fast-changing threat environment is vital for an organization’s security health:
“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience. It’s surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward.”
The importance of cyber security basics
Although companies are aware of recommendations from organizations like CIS and DISA, the Tripwire report showed that organizations are not getting the basics right. For instance, around 40% of companies are not scanning for vulnerabilities weekly or, as should be the fact even more regularly. Companies are also facing other challenges, amongst them the lead time for the deployment of patches related to security with around 27% of companies taking upwards of a month (in some cases a year) to deploy the latest security patches.
Tracking data breaches
The report also emphasized that many companies are not vigilant enough – or proactive enough when it comes to collecting logs – 54% of businesses are not collecting them from all critical systems into a central location. However, the vast majority (97%) of organizations are aware of the problem and recognize that they need to be much better in order to manage risk in a changing security environment.
The Tripwire report also revealed other issues that affect the ability of a company to ensure that data is secure. Amongst the other findings contained in the report was that many organizations still struggle to maintain visibility of their environments and quickly address potential issues related to cyber-attacks or other unauthorized access to data. Hackers may only need minutes on a network to launch a successful attack, however, 57% of respondents said that detecting new devices connecting to their organization’s network can take weeks, months or even longer.
Impactful and widespread cybersecurity
Tripwire’s Erlin stressed that to be successful, organization’s need to get the cyber security basics right first and that the cyber hygiene approach can help.
“When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case. Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the [cyber security] basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment.”
Conclusions about organizational approach to cyber security basics
The report concluded that most organizations implement good basic protections around administrative privileges. But this should be a basic safeguard. These controls should be in place at more organizations. 31% of organizations still do not require default passwords to be changed, and 41% still don’t use multifactor authentication for accessing administrative accounts.
It appears that for many organizations there is still a lot of work to be done in order to ensure that good cyber hygiene is at the core of their efforts to protect their data, systems and networks. The first step should be to take heed of the guidelines issued by parties such as the Center for Internet Security (CIS) or the Defense Information Systems Agency (DISA). These organizations play a leading role in providing information that can be used to build a framework that demonstrates a robust approach to Cyber Hygiene.
