How Does Your ASD Maturity Compare to the Market?
As we come to the end of our annual ANZ Interchange unplugged conferences, a big thank you to all the customers and partners who took the time to come listen and interact with us.
We were lucky to have most of our senior executive team here including Steve Daly our CEO, Steve Morton our CMO, Tom Davis our CTO, and Duane Newman our VP for product management. Customers were able to interact with the leadership team, give feedback, and ask questions. You do not get that with many global software vendors!
Cyber Security Survey
As part of the Interchange conferences, we held an anonymous cyber security survey. The survey was designed to provide insight on responding organizations' maturity levels against the ASD top 4 and their journey to the ASD essential 8.
Winding back a moment, for those not aware, the ASD (Australian Signals Directorate) has 4 cyber threat mitigation strategies that—when implemented—will mitigate 85% of targeted cyber threats.
ASD also provides a maturity model for organizations to use on their journey to improve their security posture. This maturity model helps organizations have goals and stepping stones for improvement.
The model has 5 maturity levels for each of the ASD essential 8 security controls, targeted at server and workstation environments.
- Maturity Level Zero: Not aligned with intent of mitigation strategy
- Maturity Level One: Partly aligned with intent of mitigation strategy
- Maturity Level Two: Mostly aligned with intent of mitigation strategy
- Maturity Level Three: Fully aligned with intent of mitigation strategy
- Maturity Level Four: For higher risk environments.
As a baseline, the ASD recommends that organizations should aim to be level 3 on the maturity scale, with high risk environments aiming for level 4.
At Ivanti we talk a lot about the ASD frameworks. After all, these these experts know what they are talking about.
What were the results?
For application whitelisting, half the respondents said their ASD maturity level for whitelisting was 0; we don’t do it. As the ASD number 1 cyber threat mitigation strategy, that’s huge! But to be honest, based on my conversations with customers, that did not surprise me.
I also believe the 25% who are maturity level three may come down to the fact that this data is coming from Ivanti customers who already use our Application Control whitelisting technology or the figures may have been lower.
*Maturity levels are 0 – 4 from top to bottom for all charts
When asked about patching the OS, 65% were only at maturity level 0 or 1, and this one did surprise me. With technologies such as SCCM and WSUS being so widely used, I expected patching the OS to be more tightly managed. What’s the reason it takes so long to patch the OS? Change control? Fear of breaking something? People don’t think it’s important?
For patching of third party applications, 36% only made it to level 0 and a further 36% only made it to level 1. With third party application being responsible for such a large proportion of identified vulnerabilities, this highlights a real risk and a door organisations are leaving wide open to be exploited.
When looking at admin privileges almost 60% of people were only maturity level 0 or 1. Looking at the notifiable data breach Q2 report, it shows that 77% of malicious breaches were caused by compromised credentials this highlights a concern, and a real drive to run a least privilege model.
For the remaining 4 controls from the ASD essential 8, we went a little more overarching and just asked respondents if they were actively aligning to the controls. With spear phishing and malware in macros still being such a common attack type, the fact only 26% of people actively managed macros was another surprise.
As a breakdown of what industry verticals responded, here is the data. What this shows me is even making data anonymous IT people still don’t trust you with 25% not wanting to say their industry vertical.
The Takeaway
The majority of organisations are starting to align themselves to a security framework. This data set does indicate they are still at an early stage of their journey, with some way to go in achieving the recommended baselines from the security experts.
The data backs up what I commonly hear from customers when I speak to them, and little of it was too surprising.
Here at Ivanti, using our security solutions targeted at the ASD top 4, we are able to help our customers improve their security posture and achieve the recommended level 3 maturity. All while improving user satisfaction and productivity, causing little management overhead and in the case of patching, automate the process to save IT time and cost!
For more information visit our ASD top 4 and essential 8 site.