The key findings in the report point to outdated approaches to security and a lack of advanced solutions to limit the carte blanche access granted to employees and third parties under older network security models. The survey also indicates that insiders, chiefly through user mistakes and accidents (61%), caused the most actual harm or damage to information security, not outside attackers.
VPNs Still Dominant Form of Network Access Control:
91% of respondents shared that VPNs are still the main form of security for controlling network access, despite the fact that VPN technology was created almost 20 years ago.
A majority (51%) noted that their access control technology was more than three years old, and 11% said it was more than 10 years old.
Host IPS, next-generation firewalls, identity management solutions and vulnerability assessment all followed the two leading solutions, but each was used by only 24% to 30% of organizations for the purpose of access control.
Exactly half said that their network access/firewall rules were static.
Only 21% of companies rely on attribute-based controls to secure access; most rely on authentication (93%) and session authorization (46%).
Perceived vs. Actual Risk
The survey also revealed that malicious external user actions (hacking) were perceived as the greatest security risk to an organization (66%), followed closely by user mistakes/accidents (56%).
But upon reviewing the threats that had caused the most actual harm or damage to organizations in the last 12 months, 61% noted user mistakes/accidents, and only 46% noted malicious external user actions.
While it is often outsiders who attack an organization, they must first find a point of vulnerability in order to actually breach it and cause damage.
Who Owns Policy Control:
48% of respondents said that the main controllers of policy were their IT departments.
36% said information security.
12% said compliance or risk management.
Only 3% identified business owners as policy control managers.
More than half of companies (52%) have not reviewed their access policies in over a year.
42% of companies can’t or don’t automatically enforce security policies.
Surprisingly, 45% of respondents said their security budget had not increased, despite recent high-profile breaches. An additional 21% said it had not increased, but they expected it would in the next 12 months.
“It’s remarkable that many organizations are still utilizing network security technologies developed in the nineties – a time when the Internet was still in its infancy,” said Kurt Mueffelmann, president and CEO of Cryptzone. “The cyber attacks we have seen over the last few years have demonstrated that it’s far too easy for hackers to steal user credentials, and then use those credentials to traverse the enterprise network in search of the most valuable data. Organizations need to accept that outdated access control technologies are not working against today’s sophisticated adversaries. The default position should be to make your infrastructure invisible, and then grant access on a case-by-case basis, only after user identity, posture and context have been validated. Organizations must stop giving out the keys to the kingdom when it comes to privileged user, third party and employee access.”
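The contrast the survey draws between static network/firewall rules and attribute-based controls, and the identity, posture and context checks described in the quote above, can be made concrete with a small policy engine. The following Python is an added example written for this page; it is not Cryptzone's code and not taken from the report. The VPN address pool, the policy table, the attribute names and the sample requests are all constructed for illustration. It evaluates each request twice: once against a static "anything on the VPN subnet is allowed" rule, and once against a per-resource attribute policy that defaults to deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example value: the address pool the VPN concentrator hands out.
VPN_POOL = ip_network("10.200.0.0/16")


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy engine can see about one access attempt."""
    user: str
    groups: frozenset          # identity: group memberships from the directory
    mfa_verified: bool         # identity: second factor completed this session
    device_managed: bool       # posture: device enrolled in endpoint management
    device_patched: bool       # posture: endpoint agent reports patches current
    source_ip: str             # context: where the connection comes from
    anomalous_location: bool   # context: constructed risk signal (unfamiliar location)
    resource: str              # what is being requested


# Constructed policy table: resource -> attributes a request must satisfy.
POLICY = {
    "finance-db": {"groups": {"finance"}, "mfa": True, "managed": True,
                   "patched": True, "block_anomalous": True},
    "wiki":       {"groups": {"staff", "contractor"}, "mfa": False, "managed": False,
                   "patched": False, "block_anomalous": False},
}


def static_rule_allows(req: AccessRequest) -> bool:
    """Legacy model: a static firewall rule that trusts anything on the VPN pool.
    Network location is the only attribute consulted."""
    return ip_address(req.source_ip) in VPN_POOL


def abac_denial_reasons(req: AccessRequest) -> list:
    """Attribute-based check. Every unmet attribute is a reason to deny;
    an empty list means the request is allowed. Unknown resources are
    denied by default, so nothing is reachable unless a rule says so."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return ["unknown resource (default deny)"]
    reasons = []
    if not (req.groups & rule["groups"]):
        reasons.append("identity: not in an authorized group")
    if rule["mfa"] and not req.mfa_verified:
        reasons.append("identity: MFA not verified")
    if rule["managed"] and not req.device_managed:
        reasons.append("posture: unmanaged device")
    if rule["patched"] and not req.device_patched:
        reasons.append("posture: device not patched")
    if rule["block_anomalous"] and req.anomalous_location:
        reasons.append("context: anomalous location")
    return reasons


def abac_allows(req: AccessRequest) -> bool:
    return not abac_denial_reasons(req)


def evaluate(req: AccessRequest) -> dict:
    """Decision under both models, plus the attribute-based denial reasons."""
    return {"static": static_rule_allows(req),
            "abac": abac_allows(req),
            "reasons": abac_denial_reasons(req)}


def sample_requests() -> dict:
    """Constructed sample requests; none of these are real users or addresses."""
    alice = frozenset({"finance", "staff"})
    bob = frozenset({"contractor"})
    return {
        # Stolen password used from an unmanaged laptop that is on the VPN.
        "stolen_creds_on_vpn": AccessRequest("alice", alice, False, False, False,
                                             "10.200.4.7", False, "finance-db"),
        # Same user, healthy managed device, MFA done, but not on the VPN at all.
        "alice_from_home": AccessRequest("alice", alice, True, True, True,
                                         "203.0.113.9", False, "finance-db"),
        # Contractor on the VPN reaching for data their role does not cover.
        "contractor_finance": AccessRequest("bob", bob, True, True, True,
                                            "10.200.9.1", False, "finance-db"),
        # Contractor on the VPN reaching a low-sensitivity resource.
        "contractor_wiki": AccessRequest("bob", bob, False, False, False,
                                         "10.200.9.1", False, "wiki"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The stolen-credential request is the case the quote describes: the static rule admits it because the source address is inside the VPN pool, while the attribute policy refuses it on three independent grounds (no MFA, unmanaged device, unpatched device). The legitimate user connecting from home is the inverse: invisible to the network-location rule, admitted by the attribute policy because identity, posture and context all check out.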