New research released today from Automox, a cloud-native cyber hygiene platform provider, in partnership with AimPoint Group has uncovered that less than 50 percent of organizations can patch vulnerable systems swiftly enough to protect against critical threats and zero-day attacks, and 81 percent have suffered at least one data breach in the last two years.
The research, titled The 2020 Cyber Hygiene Report: What You Need to Know Now, surveyed 560 IT operations and security professionals at enterprises with between 500 and 25,000 employees, across more than 15 industries to benchmark the state of endpoint patching and hardening. While most enterprises want to prioritize patching and endpoint hardening, they are inhibited by the pace of digital transformation and modern workforce evolution, citing difficulty in patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in SecOps and IT operations to successfully do so.
Missing Patches and Configurations are at the Center of Data Breaches
The 2020 Cyber Hygiene Report confirmed that four out of five organizations have suffered at least one data breach in the last two years. When asked about the root causes, respondents placed phishing attacks (36%) at the top of the list, followed by:
- Missing operating systems patches (30%)
- Missing application patches (28%)
- Operating system misconfigurations (27%)
With missing patches and configurations cited more frequently than such high-profile issues as insider threats (26%), credential theft (22%), and brute force attacks (17%), three of the four most common issues can be addressed simply with better cyber hygiene.
Enterprises Are Not Patching Fast Enough, Especially When it Comes to Zero-Days
When critical vulnerabilities are discovered, cybercriminals can typically weaponize them within seven days. To ensure protection from the attacks that inevitably follow, security experts recommend that enterprises patch and harden all vulnerable systems within 72 hours. Zero-day attacks, which emerge with no warning, pose an even greater challenge, and enterprises should aim to patch and harden vulnerable systems within 24 hours. Currently:
- Less than 50% of enterprises can meet the 72-hour standard and only about 20% can match the 24-hour threshold for zero-days.
- 59 percent agree that zero-day threats are a major issue for their organization because their processes and tools do not enable them to respond quickly enough.
- Only 39% strongly agree that their organizations can respond fast enough to critical and high severity vulnerabilities to remediate successfully.
- 15 percent of systems remained unpatched after 30 days.
- Almost 60% harden desktops, laptops and servers only monthly or annually, which is an invitation to adversaries.
With cyber hygiene, endpoints need to be scanned and assessed on a regular basis, and if problems are found, promptly patched or reconfigured. Automation dramatically speeds up cyber hygiene processes by enabling IT operations and SecOps staff to patch and harden more systems with less effort, while reducing the amount of system and application downtime needed for patching and hardening. Organizations that have fully automated endpoint patching and hardening are outperforming others in basic cyber hygiene tasks.
The Modern Workforce Presents a Cyber Hygiene Dilemma
Survey respondents are more confident in their ability to maintain cyber hygiene for on-premises computers and servers compared with remote and mobile systems such as servers on infrastructure as a Service (IaaS) cloud platforms, mobile devices (smartphones and tablets), and computers at remote locations. In fact, they rated their ability to maintain cyber hygiene for Bring Your Own Device (BYOD) lowest among all other IT components.
These patterns can be explained by the fact that most existing patch management tools don’t work well with cloud-based endpoints, and that virtual systems are very dynamic and therefore harder to monitor and protect than physical ones.
“We are unquestionably in the midst of a major patching dilemma which is getting increasingly worse by the day as the number of enterprise endpoints – and the typical enterprise attack surface – is growing at unprecedented rates and making it nearly impossible for organizations to keep up,” said Automox CEO Jay Prassl.
“Our 2020 Cyber Hygiene Report shows a very strong correlation between automation and the ability to patch endpoints faster and proactively harden them more frequently than typical legacy systems allow. Organizations that prioritize cyber hygiene through these methods reduce risk across the enterprise, lower IT costs, and accelerate their business transformation.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.