Survey: 75 percent of companies have significant risk exposure

More than 400 security pros from companies of all sizes in 61 countries completed self-assessment tests against NIST Cybersecurity Framework for RSA's Cybersecurity Poverty Index.


A misallocation of security resources may explain why nearly 75 percent of respondents to RSA's inaugural Cybersecurity Poverty Index believe their companies have significant cyber-security risk exposure, the survey results indicated.

The index was compiled from self-assessment tests completed by more than 400 security professionals from organisations of all sizes spanning 61 countries. Respondents were instructed to rate their organisation's capabilities on a five-point scale, using the NIST Cybersecurity Framework as the measuring stick for the maturity of their cyber-security programmes.

According to the report, sponsored by EMC2, companies are still prioritising protection over detection despite the fact that preventative capabilities alone are fundamentally incapable of stopping today's cyber-threats.

“They're following the doctrine of ‘I can prevent attackers from getting that initial foothold’ on their networks,” Rob Sadowski, director of technology solutions at RSA, told SCMagazine.com. He explained that companies need to invest more in detection and response technologies so that they gain more visibility into what is going on in their networks and can spot suspicious activity.

Cloud services and third party applications have opened networks more and made it easier for an attacker to infiltrate them, he added.

“We're living in a world where compromise is inevitable,” Sadowski said. “An employee might respond to a phishing email or an attacker may gain access to somebody's username and password, but just because an attacker gets into your network doesn't mean they have accomplished their goal.”

Companies need to focus on catching incursions before an attacker has had an opportunity to exploit those weaknesses, he said. Of those surveyed, only 28 percent felt their companies had mature capabilities for incident response and recovery.

The survey also found that 83 percent of respondents who worked for organisations with 10,000 or more employees do not believe their companies are mature in their risk and security practices, which Sadowski said was due in large part to bigger organisations having the resources to gain a better understanding of their threat landscape as well as their shortfalls.

Forty-five percent of professionals surveyed said their organisations lack the ability to measure, assess and mitigate cyber-security risks, which Sadowski attributed to companies not understanding where they should focus security resources.

“You want to use risk as a lens to prioritise what your valuable assets are and where they're vulnerable,” Sadowski said. “If you don't understand your risks then you don't have the foundation to manage your assets.”

Nearly two-thirds of those surveyed said their organisations were "inadequate" in every category from identity, protection and detection to response and recovery. There were bright spots, though, that highlighted positive practices by some companies. The most developed area was identity and access management (IAM) with 38 percent of respondents claiming that their companies have mastered the capability.

“Organisations are recognising identity as one of the most important control points,” Sadowski said. “Though there is still a lot of room for growth, I think the results can be a wakeup call for organisations and help shine a light on where they need to be investing resources.”