LACK OF DILIGENCE BY LARGE ENTERPRISES CAN CREATE VULNERABILITIES

    This post was originally published here by (ISC)² Management.

    While large enterprises are highly confident in their cybersecurity defenses, a new (ISC)² study suggests they need to be more diligent in a couple of areas: taking action when told about security vulnerabilities, and removing privileges for users who no longer need access to systems.

    The (ISC)² Securing the Partner Ecosystem study polled respondents from both small businesses and large enterprises. Asked if they've alerted enterprise clients to security vulnerabilities they've discovered on the enterprise's systems, 53% of small business respondents said yes. Yet 35% of large enterprise respondents said nothing is done about these alerts.

    In response to a question about access to enterprise partner systems, 55% of small business participants said they've found they still have access to a former client's systems after terminating a contract or project.

    Both of these practices pose real dangers. Failing to address vulnerabilities can lead to security breaches and all the problems that come with them: downtime, loss of productivity and revenue, remediation costs and reputational damage. Failing to remove access for third parties after a business relationship ends needlessly adds a threat vector that can also lead to a breach.
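    The second finding (third parties keeping access after a contract ends) is easy to catch with a periodic reconciliation of partner accounts against contract status. The example below is added here and is not from the (ISC)² study or the original post; the account and contract records are constructed sample data, and the field names, the grace period and the `find_stale_access` function are assumptions about how such an inventory might look.

```python
"""Reconcile third-party (vendor/partner) accounts against contract status.

Added example, not from the (ISC)2 study or post. Record layouts, field
names and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    partner: str                 # which third party the account belongs to
    enabled: bool
    last_login: Optional[date]   # None if the account has never logged in


@dataclass(frozen=True)
class Contract:
    partner: str
    end_date: Optional[date]     # None means open-ended / still active


# Days after contract end before an enabled account counts as stale (assumed).
GRACE_DAYS = 7


def _latest_contract_end(contracts):
    """Map partner -> latest contract end date; None if any contract is open-ended."""
    latest = {}
    for c in contracts:
        if c.partner in latest and latest[c.partner] is None:
            continue  # an open-ended contract already makes the partner active
        if c.end_date is None or c.partner not in latest or c.end_date > latest[c.partner]:
            latest[c.partner] = c.end_date
    return latest


def find_stale_access(accounts, contracts, as_of, grace_days=GRACE_DAYS):
    """Return (username, reason) pairs for accounts that should have been revoked.

    An enabled account is flagged when its partner has no contract on record,
    or when the partner's latest contract ended more than `grace_days` before
    `as_of`. Disabled accounts are never flagged: revocation already happened.
    """
    contract_end = _latest_contract_end(contracts)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.partner not in contract_end:
            findings.append((acct.username, "no contract on record"))
            continue
        end = contract_end[acct.partner]
        if end is None:
            continue  # active engagement
        if end + timedelta(days=grace_days) < as_of:
            reason = f"contract ended {end.isoformat()}"
            if acct.last_login and acct.last_login > end:
                # Access was actually used after the relationship ended.
                reason += f", last login {acct.last_login.isoformat()} after end"
            findings.append((acct.username, reason))
    return findings


# Constructed sample inventory (not real partners or accounts).
AS_OF = date(2019, 6, 1)

SAMPLE_CONTRACTS = [
    Contract("acme-hvac", date(2019, 3, 31)),        # ended two months ago
    Contract("acme-hvac", date(2018, 12, 31)),       # older, superseded contract
    Contract("bluefin-dev", None),                   # active engagement
    Contract("northwind-audit", date(2019, 5, 28)),  # ended 4 days ago: inside grace
]

SAMPLE_ACCOUNTS = [
    Account("svc-acme-remote", "acme-hvac", True, date(2019, 4, 20)),   # stale, used after end
    Account("jdoe-acme", "acme-hvac", False, date(2019, 3, 15)),        # already disabled
    Account("bluefin-ci", "bluefin-dev", True, date(2019, 5, 30)),      # active contract
    Account("nw-auditor1", "northwind-audit", True, date(2019, 5, 27)), # within grace period
    Account("legacy-vendor-ftp", "orion-logistics", True, None),        # no contract at all
]

if __name__ == "__main__":
    for username, reason in find_stale_access(SAMPLE_ACCOUNTS, SAMPLE_CONTRACTS, AS_OF):
        print(f"REVOKE {username}: {reason}")
```

    Run against a real directory export, the two reasons map to different fixes: "no contract on record" usually means the account was created outside procurement and needs an owner, while "contract ended" with a later login is evidence the offboarding step was simply never executed and belongs in the incident log rather than a ticket queue.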

    Security Practices

    The study produced some unexpected findings. For instance, it revealed that small businesses don't cause as many breaches at large partners as previously assumed. It also showed that enterprises and small businesses employ many of the same cybersecurity best practices to protect their networks.

    For instance, 68% of enterprises use automated anti-malware scans; 64% use firewalls to block access to malicious IP addresses; 59% evaluate and report on security incidents; 59% use filters to prevent phishing; 57% encrypt sensitive data; and 54% configure user access for least privilege.

    Asked how sure they are that third parties follow the same practices, 94% of enterprise respondents said they are "confident" or "very confident." This certainty is corroborated by answers from small business respondents to the same question about best practices.

    By and large, small businesses prioritize the same best practices, with some variations:

    Automatic anti-malware scans                71%
    Firewalls to block malicious IP addresses   66%
    Strong spam filters to prevent phishing     62%
    Scan incoming and for threats               60%
    Evaluate and report on security incidents   48%

    Ambivalence About Blame

    Although enterprises and small businesses generally agree on how to protect their networks, enterprises showed some ambivalence about whom to blame if a third party causes a breach for them. While 52% would blame the partner, 48% would blame their own company.

    In answer to a question with different wording, 69% of enterprise respondents said they would "hold a third party fully responsible for any data leak or breach caused by their mishandling of our company's data."

    Perhaps the ambivalence results from a self-awareness that large enterprises aren't as diligent as they should be in certain areas. When enterprises are alerted to vulnerabilities, they should address them as quickly as possible. If they fail to do so for whatever reason, and a breach occurs, then it becomes hard to hold anyone else responsible.

    Photo: The Merkle Hash