The study, The impact of exploitable misconfigurations on network security, finds that network professionals feel confident in their security and compliance practices, but the data suggests they are also leaving their organizations exposed to risk that is costing a significant share of revenue. Some businesses are also not minimizing their attack surface effectively. Companies prioritize firewall security and report a fast time to remediate misconfigurations once they are detected in annual audits. However, switches and routers are included in only 4% of audits, even though these devices play a vital role in reducing an organization’s attack surface and preventing lateral movement across the network.
Respondents also indicated that the budget allocated to mitigating network misconfiguration risk, currently around 3.4% of the total IT budget, and a lack of accurate automation are the main factors limiting misconfiguration risk management.
Specifically, the study, which surveyed 160 senior cybersecurity decision-makers across the U.S. Military, Federal Government, Oil and Gas, Telecoms, and Financial Services sectors, revealed:
· Misconfigurations cost organizations millions. Organizations stated that misconfigurations cost an average of 9% of their annual revenue, and the true cost is likely to be higher. One-third report finding fewer than 50 misconfigurations per year, but the majority audit their devices only annually. This means that misconfigurations, including ones that pose a critical security risk, can remain on the network for months or even years between audits, leaving the business vulnerable to attack. And while budgets are increasing annually, this has had little to no impact on the volume of critical misconfigurations detected on networks.
· Compliance is a top priority. 75% of organizations across all sectors said their business relies on compliance to deliver security. Almost every organization reported that it is meeting its security and compliance requirements. This is, however, at odds with a number of the other findings from the survey and other reports that show a decline in organizations maintaining full compliance with regulated data security standards. For example, a recent report by Verizon showed that only 27.9% of global organizations maintained full compliance with PCI DSS in 2019; a decline for the third year in a row.
· Remediation prioritization is a challenge. Three quarters (75%) said their network security tools let them categorize and prioritize compliance risks ‘very effectively’. However, 70% report difficulty prioritizing remediation based on risk, and cite this, together with inaccurate automation, as the top challenges in meeting security and compliance requirements.
· Routers and switches are mostly overlooked. Most organizations (96%) prioritize the configuration and auditing of firewalls but not of routers or switches, leaving those devices exposed to potentially significant and unidentified risks. Only 4% assess switches and routers as well as firewalls, which Zero Trust best practice treats as essential to preventing lateral movement across networks.
“What’s clear from this research is that misconfiguration risks are impacting the bottom line. Senior network professionals are prioritizing compliance and feeling confident about network security but delivering on it at scale and continuously is a major challenge,” said Phil Lewis, CEO of Titania.
“80% of network traffic is inside the perimeter and security best practices are evolving to reflect the fact that protecting the perimeter of each network segment is important, but it’s equally important to check device security within the perimeter to mitigate insider threats from software, people, and traffic,” continued Lewis. “If organizations want to minimize their attack surface effectively, they need to increase the cadence of risk assessments and remediation of all network devices. This is in line with a core tenet of Zero Trust security best practice, which is to verify, rather than trust, that devices are secure, every day. To really minimize their risks and adhere to increasingly stringent compliance standards, adopting a Zero Trust mindset will help companies develop a much more robust approach to network security.”