Two-Thirds of Organizations Don’t Use Hardening Benchmarks to Establish a Secure Baseline, Report Reveals

The Center for Internet Security’s Critical Security Controls (“the CIS Controls”) are incredibly useful in helping organizations defend themselves against digital threats. By adopting the first five controls alone, it’s possible for companies to prevent 85 percent of attacks. Adopting all 20 controls can prevent as much as 97 percent of attacks. Unfortunately, a majority of organizations still haven't implemented industry standards like the CIS Controls into their security strategies. That’s one of the findings from Tripwire’s State of Cyber Hygiene report. The survey found that two-thirds of organizations do not use hardening benchmarks like CIS or Defense Information Systems Agency (DISA) guidelines to establish a secure baseline. Tim Erlin, vice president of product management and strategy at Tripwire, said this finding wasn’t expected:

These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience. It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward.

For the report, Tripwire surveyed 306 IT security professionals in July 2018 in partnership with Dimensional Research to examine how organizations are implementing security controls that the Center for Internet Security (CIS) refers to as "Cyber Hygiene." Specifically, Tripwire's State of Cyber Hygiene explored how organizations are implementing security practices related to network visibility, vulnerability management, configuration management, administrative privileges and logging. Given the lacking adoption of the CIS Controls and other hardening benchmarks, it’s not surprising the survey found that organizations were falling short in many of those key areas identified above, as well:

• More than half (57 percent) of respondents said it takes hours, weeks, months or longer to detect new devices connecting to their organization’s network.
• Forty percent of organizations are not scanning for vulnerabilities weekly or on a more frequent basis. Only half run the more comprehensive authenticated scans.
• A majority (54 percent) of respondents said their organizations are not collecting logs from all critical systems and storing them in a central location.
• Forty-one percent of IT security pros said their organizations still don't use multi-factor authentication for administrative account access.

Organizations can close these defensive gaps. Here are Erlin’s thoughts on the matter:

When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case. Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment.

Even then, agency does factor into this equation. That is to say, it’s not enough to just implement the controls. It’s how organizations implement them that can shape the strength of their digital defenses. If they go it alone, enterprises might only partially implement certain controls, thereby leaving themselves exposed. That’s why organizations should look into a solution that integrates with the CIS Controls automatically. Learn how Tripwire does this by clicking here. To view the full State of Cyber Hygiene report, please click here.