Organisations are under a great deal of stress from the number of vulnerabilities and threat alerts they face, according to a new report from Bay Dynamics. Respondents identified an average of 10 vulnerabilities per system, and 79% of security personnel said they felt overwhelmed by the volume of threat alerts.
The pressure comes in part from limited budgets and a lack of staff. However, the study, A Day in the Life of a Cybersecurity Pro, which surveyed over 400 cyber security management personnel, found that “having a lot of money is not always a good thing”. This can be seen in the banking, finance, and insurance industries, where budgets are greater but the security staff felt most overwhelmed.
Pressure on staff
Although mid-sized organisations have fewer systems than larger ones, the study noted that “they also have proportionately smaller budgets and teams”. This makes them “generally less sophisticated when dealing with the deluge of vulnerabilities and patching they are faced with, creating a larger burden for administrative and security staff”.
It adds that, although the majority of these vulnerabilities are duplicates across common operating system platforms and widely-distributed applications, not all systems can be treated in the same way:
While user endpoints may be patched virtually on-demand, physical or virtual production servers must be scheduled to ensure there are no business interruptions. Ensuring all vulnerabilities are appropriately managed and mitigated causes a significant amount of pressure on staff.
Steven Grossman, vice president of strategy at the US-based Bay Dynamics, told SC Magazine that the report “highlights how overwhelmed companies are in protecting themselves – very large enterprises by the sheer volume, medium sized companies by lack of resources”.
Grossman also said that many organisations are grappling with threat alerts and patch management. As well as the 79% of security personnel who felt overwhelmed by the volume of threat alerts, the same percentage said they had “a significantly manual patching approval process”.
Your organisation will continue to be bombarded with threat alerts unless you get a full picture of the threats you face and put in place the appropriate remediation solutions. This means you need to conduct a penetration test. There are a number of other advantages of penetration tests, which can help to:
- More intelligently prioritise remediation, apply necessary security patches and allocate security resources more effectively.
- Accurately evaluate your organisation’s ability to protect its networks, applications, endpoints and users from attackers.
- Communicate and evidence the need for a security budget with business managers and non-tech folk.
- Get detailed information on actual, exploitable security threats to identify which vulnerabilities are the most critical, which are less significant and which are false positives.
IT Governance offers two levels of penetration test to meet your budget and technical requirements. Level 1 is a faster and more cost-effective solution, while Level 2 is a more detailed test that aims to identify methods a criminal hacker could use to gain control of your system.