Okta, the leading provider of identity and device management for the cloud and mobile enterprise, today announced the findings of its first Secure Business Agility report. Based on data compiled from surveying 300 IT and security professionals, the report reveals that while most organisations fundamentally believe connecting people to the best technology is vital to business productivity, many struggle to achieve agility due to traditional on-premise security mindsets.
Failing to adapt and upgrade security tools is putting organisations at risk. A shocking 65% of respondents think that a data breach will happen within the next 12 months if they do not upgrade legacy security solutions in time.
“In order to be more productive, organisations worldwide are investing in cloud and mobile technologies, enabling their staff to work from virtually anywhere. But this isn’t enough to ensure true agility. As organisations become increasingly connected, the traditional idea of the enterprise network boundary is vanishing and businesses need to prioritise strong security,” said David Baker, Chief Security Officer at Okta. “To successfully navigate the new perimeter and avoid compromising on security and productivity, IT leaders need to adopt tools that span traditional company and network boundaries and enable agility across the organisation.”
Key findings include:
Organisations are unsure if security is enabling or compromising productivity and agility: When asked if security measures compromised or enabled productivity in their organisation, respondents’ opinions were mixed. Just over half (52%) said that their current security solutions compromise productivity, while 48% believe their security measures enable the organisation to adopt best of breed solutions that enable productivity and agility.
Visibility into application usage is limited: Okta’s research shows that 85% of IT leaders suffer from a lack of insight over who has access to applications within their organisation. Even more worrying, 80% of respondents pointed to weak passwords or weak access controls as a security issue.
Investing in new mobile, automation, and cloud technologies is paying dividends for organisations: 92% of respondents believe their organisation could do more to integrate and support cloud applications into their infrastructure and systems. This reveals a massive opportunity for IT teams to further drive agility and productivity, and the chance to drive this percentage down.
Commenting on the report, Richard Meeus, VP of technology EMEA at NSFOCUS IB said “Attacks will happen. It is no longer a case of if, but, when. Whether it will be a massive breach that is widely reported or a small attack that takes a business offline, the options open to attackers are manifold. Security and productivity often make strange bedfellows. Both are integral to the business but both can have negative effects on the other if implemented without due care and understanding. Often security measures are knee-jerk reactions to breaches or media fanfare and in these cases they are often no more than just a plaster as opposed to curing the problem. This is when it will harm productivity and users become frustrated. Having a defined security policy and working with trusted partners helps organisations to deploy effective security seamlessly.”
The Guru reached out to several other security experts to get their thoughts on the findings. Javvad Malik, security advocate at AlienVault said “Preventing security breaches is a bit like Zeno’s dichotomy paradox. In that it is a constant and ongoing process, which at best you only achieve 50%. While updating legacy systems and implementing good security practices while working towards a better security culture are vitally important, there’s always a chance that an incident will occur. To that point, the fact that 65% of leaders expect to experience a breach is completely understandable. However, security doesn’t stop when a breach occurs. One could argue that detecting the breach and responding is where the real security effort takes place and it is where companies need to focus. To quote Mike Tyson, “Everyone has a plan until they are punched in the face.” Enterprise security teams need to prepare themselves like boxers that train themselves to get hit. Everyone gets hit – it’s the timeliness and the method in which they respond that matters the most.”
Philip Lieberman, president of Lieberman Software added “The real statistics are heavily reduced outside the USA due to privacy laws and the lack of a real requirement to report a breach as well as total lack of information sharing. This has led to a catastrophic set up whereby internal security in most companies is horrible or non-existent. Training employees and appropriate policies are ineffective once an organisation grows large because the statistics prove that at least one or more employees will make a mistake and allow an intruder in their environment on a regular basis. You cannot train your way out of statistics and human error.
There are technological solutions to minimise the number of breaches as well as their cost. Most organisations will not use these technologies under the theory that they are not a target, gathering the data would be a violation of law, any attack would be unstoppable (force majeure theory), or they can insure their way out of the problem. The job of the CEO is to understand and manage risk as well as limit consequences. The problem within IT is horrible to a degree far beyond the report’s conclusions.
The culture problem is not with the employees or IT, it is with the CEO and Board of Directors who have not become aware of the risk and solutions to minimise consequences outside of the physical world and in the cyber security space. Training is a mostly ineffective solution for security. It all really comes down to the culture of the senior leadership to lead in cyber security, resiliency and minimising outcomes from each breach to inconsequential numbers.
This is possible and regularly done within the United States among those that cannot suffer unlimited losses or hide from the daily problem. Imagine a day where IT reports daily breaches, losses and consequences, and the leadership keeps their technical team as well as offers the kudos for their hard works keeping things running even with regular breaches. This scenario is opposed to the senior leadership being randomly surprised by IT failures and seeks to discharge anyone reporting bad news. This collaboration exists in the USA, but is rare to non-existent in the rest of the world. Side note: BREXIT may bring this best practice to the UK and make it more competitive than the total security blindness of EU companies.
When we sell our solutions, we would rather not take the money if the company does not have the CEO on board and if the entire company is not ready to fix broken processes and rebuild network/identity boundaries for survivability. The fixes to improve outcomes are inexpensive, quick and reliable, but they only come from the C-Suite because only leadership can break the bad habits and designs of their business units.”
Mark James, security specialist at ESET said “I think keeping up with the current threats and educating users in the type of threats doing the rounds seem to be one of the hardest goals to achieve in the world of malware defence. Malware mutates and adapts so quickly that it’s extremely difficult for any company to be expected to always be on top of it. As long as they take all the relevant measures and ensure they do as much as they can in keeping hardware and software up to date and patched to the latest versions then I believe they are doing all they can.
The problem is that quite often it takes scare tactics to get things moving; explaining worst case scenarios and listing the types of catastrophic events that “could” happen if nothing is done may well be the norm in this current era. The skill sets that a lot of these malware writers have are far superior than the average person using computers so sadly they will always be at risk.
But it’s not all doom and gloom, keeping your hardware (firmware) and software up to date along with practices like periodically reviewing your security policies and changing default passwords will go a long way in helping. A good multi-layered regular updating internet security product at the endpoint and ensuring your perimeter hardware is also protected will make life difficult for the opportunistic malware knocking at your doors.”
Brian Laing, VP at Lastline said “Most organisations recognise that they face a grave cybersecurity threat but have been too slow to react and often their response is piecemeal and tactical. Critical to successfully addressing this challenge is the recognition that the threat is continually evolving to exploit the weakest link in their defences whether that is through employees or systems or both. Achieving improved levels of cybersecurity requires rapid detection and response to attacks which means that organisations must harden their employees as well deploy integrated security solutions that provide security analysts with actionable information rather than drowning them in data.
With this understanding some of the critical improvements in enterprise security can be understood. Success will require acknowledging that employees play a role in the solution and provide them with education and training to ensure they are as vigilant as possible. With respect to security solutions they must then correctly identify threats, provide superior visibility into attacks, allow for immediate remediation throughout the entire enterprise and then provide basic information sharing so that all organisations can gain insights from the challenges they each are facing.”
Michael Callahan, VP at FireMon concluded “I don’t think we’re failing as much as we don’t have enough skilled people and you need to supplant that through automation tools that help you manage the complex environments. Companies are increasingly looking to security management vendors to address both of these concerns. I’m surprised it’s not higher than 65% but maybe it has to do with how you define serious. I think most leaders believe they will experience some sort of breach. We don’t have a technology problem. There are many many security technologies. The issue is how do you effectively manage these solutions in an increasingly complex environment. The answer is to take advantage of security management tools that see the entire infrastructure and can automate change, find risks and simulate the effect of changes.”