Greetings. This week, several recent surveys offer both sobering findings and pointed guidance for all seeking better cybersecurity for their enterprises. Read on, and please feel free to let me know what you think about current cybersecurity events and/or this Ivanti Threat Thursday Update. Thanks in advance.
Survey: You’re Not as Secure as You Think
For its fourth annual Data Security Confidence Index, digital security vendor Gemalto commissioned researchers at Vanson Bourne to survey more than 1,000 IT decision makers from around the world. The results indicate significant gaps between perception and reality where cybersecurity is concerned.
- Despite 76 percent of respondents reporting increased perimeter security investments, 68 percent believe unauthorized users could access their networks, and 28 percent reported at least one perimeter breach in the 12 months preceding the survey.
- Despite 65 percent expressing doubt that their data would remain secure if their networks were breached, only 8 percent of the data exposed by those breaches was encrypted.
What We Say: Threats continue to become more sophisticated, and enterprise networks more distributed and diverse. Perimeter defenses must be augmented by multi-layered detection, protection, and remediation solutions and processes. And those efforts at defense in depth should be tested and reported on regularly, not only to prove effectiveness, but also for compliance and to gain acceptance and funding from executives for additional security efforts.
Users should also be tested regularly, to raise and maintain awareness of phishing and social engineering challenges. (See “Endpoint Security Evolves: The Rise of the Personal Perimeter.”)
Survey: If It’s Security Versus Productivity, Productivity Wins
Information Security (IS) Buzz News reported on a survey of 175 security professionals conducted at the InfoSecurity Europe conference. The findings indicate that users often view security as hobbling their productivity and force security teams to suspend security measures to overcome those perceived limitations.
- 94 percent of respondents “say users are more concerned with getting their jobs done than worrying about security.”
- 64 percent of respondents “admit to modifying security to allow employees more freedom to get their work done because of a request from leadership.”
- 40 percent of respondents “admit to turning security off to accommodate a request” from another part of the enterprise.
What We Say: Effective cybersecurity is exactly like every other critical IT-enabled service in one critical way. If users perceive an IT service or cybersecurity measure as an impediment to their productivity, they will demand its removal or find a way to work around it. IT and cybersecurity leaders and teams must ensure that defense in depth is implemented in ways that enhance, not limit, productivity. Those leaders and teams must also work diligently to persuade users that better security and higher productivity can and do go hand in hand. (See “Three Things You Can Do Now to Increase User Contributions to Cybersecurity at Your Enterprise.”)
Survey: A Disturbing Aftermath for WannaCry
Software lifecycle automation solution provider 1e announced results from a survey of 400 IT professionals it conducted in the wake of the WannaCry ransomware attack. Most respondents were not ready for the attack, and while many say they are now better prepared to deal with such threats, few report getting more resources to do so.
- 86 percent of respondents “had to take preventative measures to safeguard themselves” against WannaCry.
- 48 percent of respondents spent between one day and one week implementing those safeguards, while 23 percent spent one to four weeks doing so.
- 86 percent of respondents “don’t or can’t rollout security updates immediately”; 23 percent take four weeks or more to deploy patches after they are released.
- 71 percent of all respondents, and 86 percent of those infected by WannaCry, plan to make greater effort to keep their environments up to date. However, 73 percent said their management has made no additional resources available to do so.
What We Say: Respected bodies worldwide, including the Center for Internet Security (CIS), the Australian Signals Directorate (ASD), the International Organization for Standardization (ISO), and the National Cyber Security Centre (NCSC) of the UK, agree: timely patching of operating systems and applications, along with effective control of applications, devices, and admin rights, can rapidly and dramatically improve an enterprise’s security posture. Effective cybersecurity at many organizations starts with timely, comprehensive patch deployment and management. (See “Beyond WannaCrypt/WannaCry: Wanna Know What’s Next?”)
Fighting Hackers with Cybersecurity Boot Camps and Possible Tax Breaks
Summer camp is all about cybersecurity for high-school students across the U.S. this year. “CyberPatriot camp” is “a weeklong national program first conceived by the Air Force Association (AFA) in 2014.” As reported by The Press Democrat, the program is “funded largely by donations from security and defense contractors such as Northrop Grumman and Boeing.” Support also comes from “communications giants AT&T and Cisco, and such conspicuous companies as Facebook and MasterCard, along with the U.S. Department of Homeland Security.” “The idea is that students will learn to prevent hacking—acting as administrators to control access, and protect and harden systems to ward off outside threats.”
Meanwhile, three members of the U.S. House of Representatives introduced a bill intended to grow the country’s cybersecurity workforce. As reported by The Hill, the “New Collar Act” would provide tax breaks to employers that offer cybersecurity training, student debt relief for cybersecurity job takers, and increased funding for a cyber scholarship program.
What We Say: Education in science, technology, engineering, and mathematics (STEM) and cybersecurity can benefit individuals, enterprises, and entire regions. Programs such as the one operated by the AFA provide opportunities for governments, educational institutions, and public and private enterprises to collaborate and join forces to encourage and support more such education. Enterprises should identify and pursue opportunities to increase availability of STEM and cybersecurity education and training, within their own organizations and in the communities where they do business. (See the Ivanti.com “Community Involvement” page for more information.)
Protect and Defend Your Enterprise with Ivanti
Ivanti cybersecurity solutions can help you improve patch management; gain control over applications, user devices, and admin rights; fight ransomware and other malware; and even shorten user logon times. And right now, you can combine select Ivanti cybersecurity solutions at discounts of up to 30 percent. Check out the offer details, as well as the free trials of Ivanti patch management solutions we offer. And keep reading our Patch Tuesday and Threat Thursday updates, so we can help keep you up to date on threats to your network and your business.