- Security TWENTY Home
- Women in Security Awards
Organisations are failing to implement the most basic security practices to keep their networks safe and data secure, according to a Managed Security Service provider. The cyber service company SecureLink says that from its assessments of 100 organisations, 68pc were discovered not encrypting sensitive data, despite the fact that access to this capability is now widely available.
While over half, 55pc of organisations have URL filtering systems in place at a mature level, only one in five, 22pc have protection against “zero day” malware. In addition, half, 51pc have either limited or no capability to inspect SSL/TLS encrypted web traffic entering or leaving their network so are missing opportunities to reduce the likelihood of malware entering their networks via users’ web browsers. AOnly 11pc of organisations had deployed a fully mature SIEM based infrastructure monitoring system, while more than half, 55pc have no capability in this area. This means that events and notifications from the myriad sources on the network are either not being correlated with other events in any way, or are being completely discarded.
Whilst security maturity is a journey, and takes time, these results suggest some security leaders are taking too long and, as a result, missing opportunities to improve the chances of preventing breaches and infections, according to SecureLink. Most, 85pc of those assessed were found to maintain segmented networks – a long standing rule of network design best practice. Also, when it comes to securing wireless networks, more than 88% of organisations have mature models in place. This is something that has been critical in the support of BYOD, guest and mobile working.
SecureLink’s Group CISO – Richard Jones said: “The threat landscape is changing at an unprecedented pace, and what was once considered ‘theoretically unlikely’ risks are today’s reality. Against this we’ve also seen an increase in disruption in the last twelve months than in the previous 10 years combined. High impact risks continue to increase in frequency, forcing all of us to become better at protecting our assets and devising creative solutions that will mitigate these risks.”
The results are based on anonymised and randomised Security Maturity Assessments, by SecureLink, which provides a structured and quantitative approach to the measurement of security maturity. Of the two main datasets, the first focuses on people, process and technology: the three critical elements of cybersecurity. The second focuses on prevention, detection and response actions. From these datasets, the strengths and challenges presented can be considered and appropriate paths to improved security maturity can be determined, the cyber company says.
It has published its findings in a whitepaper, ‘SecureLink 2017 Security Maturity Insight Report’: https://securelink.co.uk/sma/insight-report/.
Richard says: “Employers, holders and processors of data need to become more agile, more aware of the challenges and more cognisant of the speed at which malware authors and hackers develop. There is an abundance of “low hanging fruit” for malicious actors, whether via social engineering of poorly-trained users, slipping attachments past perimeter gateways or simply not having to even bother to decrypt stolen data. These issues must be addressed quickly. And many big steps forward are simple to take. After all, paradoxically, what is easiest for a hacker to steal is often that which is easiest to protect. A well configured and monitored technology-context environment provides a good starting point to any security strategy, and is relatively easy to put in place.”