Tripwire examined how organisations are implementing security controls that the Center for Internet Security (CIS) refers to as "Cyber Hygiene." The survey found that almost two-thirds of the organisations admit they do not use hardening benchmarks, like CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.
“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organisations experience," said Tim Erlin, vice president of product management and strategy at Tripwire. "It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward."
Tripwire's State of Cyber Hygiene report explores how organisations are implementing cybersecurity practices related to network visibility, vulnerability management, configuration management, administrative privileges and logging.
Other key findings in the report include:
"When cyberattacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case," said Erlin. "Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment."