Exploitable misconfigurations cost businesses 9% of their annual revenue on average, although the real cost is probably higher, according to a study commissioned by network security provider Titania and conducted by independent B2B research specialist, Coleman Parkes. 160 CIOs, CTOs, CISOs, COOs, Heads of Networks, Network Security, and Network Operations leaders were surveyed form the study.
According to this study titled ‘The impact of exploitable misconfigurations on network security,’ network professionals are confident in their security and compliance procedures, but evidence reveals that they may also be leaving their firms vulnerable, which may cost them a lot of money.
Additionally, some companies are not successfully reducing their attack surface. Companies prioritize firewall security and keep track of how quickly they can react when misconfigurations are found during yearly audits. Switches and routers, however, are only included in 4 percent of audits – despite the fact that they are essential for minimizing an organization’s attack surface and limiting lateral network movement.
Respondents also said that a lack of precise automation and the financial resources allotted to mitigating network configuration – which presently account for 3.4 percent of the entire IT budget – are limiting factors in misconfiguration risk management.
Routers and Switches Mostly Overlooked
The report specifically polled 160 senior cybersecurity decision-makers from around the U.S. Sectors include the military, federal government, oil and gas, telecommunications, and financial services revealed the following:
Misconfigurations cost organizations millions – Organizations estimated that misconfigurations cost them 9% of annual revenue on average, although the actual cost is probably higher. The good news is that only one-third discover fewer than 50 per year, although most only audit their devices once a year. As a result, between audits, misconfigurations, particularly those that could represent a serious danger to security, could remain on the network for months or even years, leaving the company open to assaults. Additionally, despite expenditures rising yearly, there is little to no change in the number of serious network setup errors found.
Compliance is a top priority – 75% of businesses across all industries claimed that compliance is essential to providing security for their operations. Nearly all organizations claimed that they are fulfilling their security and compliance obligations. The survey’s other findings and other reports, which show a drop in firms maintaining complete compliance with regulatory data security standards, are at contrast with this. For instance, according to a recent Verizon analysis, only 27.9% of all global firms maintained full PCI DSS compliance in 2019 – a reduction for the third consecutive year.
Remediation prioritization is a challenge – Three quarters (75%) stated they could classify and prioritize compliance issues ‘very well’ thanks to their network security tools. To meet security and compliance standards, prioritizing remediation based on risk and inaccurate automation are listed as the top issues by 70% of respondents, respectively.
Routers and switches are mostly overlooked – The configuration and auditing of firewalls are prioritized by the majority of enterprises (96%) but not routers or switches. This exposes these gadgets to unknown risks that could be quite serious. Only 4% of organizations evaluate switches, routers, and firewalls, which Zero Trust best practices state are crucial for thwarting lateral network movement.
Mitigating Insider Threats
“What’s clear from this research is that misconfiguration risks are impacting the bottom line. Senior network professionals are prioritizing compliance and feeling confident about network security but delivering on it at scale and continuously is a major challenge,” said Phil Lewis, Chief Executive Officer (CEO) at Titania. “80% of network traffic is inside the perimeter and security best practices are evolving to reflect the fact that protecting the perimeter of each network segment is important, but it’s equally important to check device security within the perimeter to mitigate insider threats from software, people, and traffic.”
“If organizations want to minimize their attack surface effectively, they need to increase the cadence of risk assessments and remediation of all network devices,” added Mr. Lewis. “This is in line with a core tenant of Zero Trust security best practice, which is to verify, rather than trust that devices are secure, every day. To really minimize their risks and adhere to increasingly stringent compliance standards, then adopting a Zero Trust mindset will help companies develop a much more robust approach to network security.”
With headquarters in the UK and Arlington, Virginia, Titania provides cybersecurity automation software to thousands of businesses, including the largest oil and gas firms in the world, major telcos, and more than 30 U.S. federal agencies. Specializing in the accurate security and compliance risk assessment and remediation for networking devices such as firewalls, switches, and routers, Titania helps organizations defend their networks from avoidable attacks by identifying configuration drift and prioritizing the remediation of their most critical risks first.