These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience. It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward.

For the report, Tripwire surveyed 306 IT security professionals in July 2018 in partnership with Dimensional Research to examine how organizations are implementing security controls that the Center for Internet Security (CIS) refers to as "Cyber Hygiene." Specifically, Tripwire's State of Cyber Hygiene explored how organizations are implementing security practices related to network visibility, vulnerability management, configuration management, administrative privileges and logging. Given the limited adoption of the CIS Controls and other hardening benchmarks, it’s not surprising that the survey found organizations falling short in many of the key areas identified above as well:
- More than half (57 percent) of respondents said it takes hours, weeks, months or longer to detect new devices connecting to their organization’s network.
- Forty percent of organizations are not scanning for vulnerabilities weekly or on a more frequent basis. Only half run the more comprehensive authenticated scans.
- A majority (54 percent) of respondents said their organizations are not collecting logs from all critical systems and storing them in a central location.
- Forty-one percent of IT security pros said their organizations still don't use multi-factor authentication for administrative account access.
When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case. Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment.

Even then, agency does factor into this equation. That is to say, it’s not enough to just implement the controls. It’s how organizations implement them that can shape the strength of their digital defenses. If they go it alone, enterprises might only partially implement certain controls, thereby leaving themselves exposed. That’s why organizations should look into a solution that integrates with the CIS Controls automatically.