Despite the recent stream of headline-dominating cyber attacks raising awareness of cyber security, businesses are letting themselves down by continuing to fall short in the enforcement of security best practices.
That is the main finding of the 10th annual CyberArk Global Advanced Threat Landscape Survey, which examined whether enterprises are learning and applying lessons from high-profile cyber attacks.
The study found that, although 82 per cent of respondents believe progress is being made in the battle against cyber attacks, those gains are being undercut by below-par security practices in critical areas such as privileged account security, third-party vendor access and cloud computing.
And the stats clearly demonstrate this trend. 79 per cent of respondents said that their organisation has learned lessons from major cyber attacks and over two-thirds (67 per cent) now believe their CEO/board of directors provide “sound cyber security leadership,” up from 57 per cent in 2015. Furthermore, this increased awareness has resulted in improvements in malware detection (25 per cent), endpoint security (24 per cent) and security analytics (16 per cent).
However, 40 per cent of organisations still store privileged and admin passwords in a Word document or spreadsheet and 49 per cent allow third-party vendors remote access to their internal networks.
The good news is that businesses are increasingly adopting a “post-breach mindset” to improve their response to a potential cyber attack. For example, 95 per cent of respondents said their organisation now has a cyber security emergency response plan and 75 per cent now believe they can prevent attackers from breaking into their internal network.
The flip side, again, is that overconfidence is a concern. The increased level of preparedness is being undermined by a lack of communication and testing, which are regularly carried out by less than half (45 per cent) of respondents. 36 per cent believe a cyber attacker is currently on their network or has been in the last 12 months and 46 per cent believe their organisation has been the victim of a ransomware attack in the last two years.
“The findings of this year’s Global Advanced Threat Landscape Survey demonstrate that cyber security awareness doesn’t always equate to being secure. Organisations undermine their own efforts by failing to enforce well-known security best practices around potential vulnerabilities associated with privileged accounts, third-party vendor access and data stored in the cloud,” said John Worrall, CMO, CyberArk.
“There’s a fine line between preparedness and overconfidence. The majority of cyber attacks are a result of poor security hygiene – organisations can’t lose sight of the broader security picture while trying to secure against the threat du jour.”