New Security Survey Finds Differing Confidence Levels Surrounding Basic Controls

The vast majority of IT professionals and executives are confident in their organization’s implementation of basic foundational security controls, according to a new survey. But in a more disturbing finding, less than half of those queried are confident in the secure configuration of common devices connected to their network, even though targeted cyber attacks are on the rise.

The survey was conducted by Atomik Research in conjunction with Tripwire, a provider of advanced threat, security and compliance solutions. Findings centered on the confidence levels of those queried related to the security of their own networks and associated devices. And despite more than 100 million records being compromised in retail data breaches over the past year, 77 percent of retail IT workers were confident all the devices on their networks were running only authorized software.

A whopping 89 percent of executives in the energy industry were fairly confident or very confident in their vulnerability management programs, even though warnings have been issued concerning a sophisticated malware campaign targeting incident command systems (ICS).

"It's not surprising that IT and security professionals have confidence in foundational security controls,” said Jane Holl Lute, president and CEO of the Council on CyberSecurity. “The controls are instrumental in defending against common cyber attacks and lay the foundation for effective defense against more sophisticated intrusions. But to be effective they must be implemented consistently across the entire enterprise."

However, when it comes to secure configuration of routers, firewalls and modems connected to their networks, only 47 percent of IT professionals said they were confident with their setups. And only 10 percent of security professionals were very confident in their patch management programs, which is a bit worrying considering how important they are to fundamental security controls.

"This survey clearly shows the disconnect between the executive branch and the IT branch and the false sense of security within a typical organization,” said Amar Singh, chair of ISACA UK SAG and founder of the Cyber Management Alliance. “This, in my opinion, false level of confidence may stem from several factors including the false belief that if no breach has been discovered 'we must be secure'."