Only a third of organisations confident of avoiding a data breach

Balbix Inc., provider of the security industry’s first system built for avoiding breaches, has released a report based on Ponemon Institute research evaluating the state of vulnerability and risk management in enterprise environments.

Ponemon surveyed more than 600 cybersecurity leaders and professionals involved in the evaluation, selection and/or implementation of IT security solutions. The results reveal that the vast majority of organizations are not confident in their ability to avoid a major data breach of the kind suffered by Equifax or Marriott, and are specifically struggling with vulnerability management: preventing breaches that come through systems they cannot see or have not patched.

“From this research, it is clear that most enterprises recognize that they are not only under-resourced in finding and managing their vulnerabilities, but also have gaps around assessing the risk and getting full visibility across their IT assets,” said Larry Ponemon, founder and chairman of Ponemon Institute, “which no doubt led to that low confidence vote in their ability to avoid a data breach.”

According to the findings, too many organizations are struggling to maintain an adequate cybersecurity posture and avoid breaches. A key challenge noted is an inability to keep up with basic software vulnerability mitigation and patching, a basic but essential component of security posture. Key data points include:

  • 68% feel that staffing is not adequate for a strong cybersecurity posture
  • Only 15% say their patching efforts are highly effective

The low levels of confidence found in the research are in large part because security teams cannot properly resource the management of vulnerabilities, both identifying and patching them. The situation has become acute in vulnerability management because of the sheer volume of alerts about unpatched systems:

  • 67% feel they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach
  • 63% say “inability to act on the large number of resulting alerts and actions” is problematic

The result of this mismatch between alert volume and limited resourcing is postponed patching, no prioritization of remediation actions and, consequently, a weaker cybersecurity posture:

  • 69% scan for vulnerabilities only once a month or less frequently
  • 49% scan only quarterly or on an ad hoc basis
  • 49% say their organization keeps patching fully up to date

When asked how they would like the industry to improve and innovate in vulnerability and risk management, respondents – especially those rated as “high performing organizations” – consistently asked for the following capabilities, which they do not find in traditional solutions:

  • Automatically discover unmanaged assets (70%)
  • Analyze vulnerabilities in IoT, BYOD and third-party systems (64%)
  • Analyze both unpatched systems and other attack vectors (60%)
  • Receive a risk-based and prioritized list of actions (56%)
  • Receive prescriptive fixes per recommended action (52%)

“We are not surprised by these findings from Ponemon Institute’s research,” said Gaurav Banga, founder and CEO of Balbix. “While respondents’ confidence levels in their ability to avoid a breach are obviously troubling, it is clear that most understand the reasons why: alert volume, limited team resources, lack of visibility across assets, and very limited contextual risk. On the positive side, respondents cite a clear list of capabilities that can help them better see and manage their vulnerabilities, which will eventually improve their overall security posture.”

Digitalisation World