Why IT departments miss basic IT security hygiene

IT departments are failing to patch security holes in software because of a disconnect between security and operations teams, survey finds

A survey of 300 IT operations and 300 IT security professionals has found a big gap in perception over who takes responsibility for patching IT systems.

In the survey, conducted by Vanson Bourne for consulting firm 1E, three-quarters (75%) of the IT professionals agreed that the IT operations team in their organisation has a “keep-the-lights-on” mentality, focusing on availability over security.

Almost two-thirds (62%) believe the IT security team knows how to make the organisation more secure, but IT operations make it more difficult to secure the business.

The security landscape is constantly changing, but in a panel discussion tying in with the Getting your house in order report from 1E based on the survey’s findings, there was a sense that many IT departments are failing to get the basics right.

Forrester senior analyst Paul McKay said: “There was a period of time when every attack was very sophisticated, but most attacks are very basic, such as when people click on email. That’s where most of the attacks come from. These are hygiene issues.”

Talal Tajab, who heads up TechUK’s cyber and national security programmes, cited the recent Department for Culture, Media and Sport (DCMS) Cyber security breaches survey 2019 report to illustrate that little, if any, progress has been made in improving IT security across UK businesses. “We are seeing the same level of basic mistakes still happening,” he said.

The panellists agreed with the survey’s findings that there was a gap between the role of IT operations and the role of IT security.

In the report, Jason Sandys, a Microsoft Most Valuable Professional (MVP), said: “There’s a lack of cohesion, and a disparity in objectives. IT security thinks it’s seen as the enemy – the blocker to productivity. IT operations will push ahead with a project, but it’ll be inhibited by the IT security team, which naturally has to be cautious. It scuppers collaboration.”

Spencer Summons, an independent CISO who works at an upstream gas company, said: “What I’m seeing on the ground, particularly in terms of IT operations and IT security, is that there is a conflict due to [the two teams having] different objectives.”

In his experience, this leads to heated conversations between the two teams, poor communications and a lack of integration across the work they share. Sometimes, he said, “IT security is only brought in at the end of a project, which makes it more difficult and costly to retrofit security”.

When there is a data breach, IT security then becomes flavour of the month, said Summons. His own experiences mirror research from analyst Forrester, which found that companies that spent 30% of their IT budgets on IT security were the ones that had experienced a recent data breach.

Summons argued that taking a tactical approach to IT security is flawed. “Not understanding threats drives a tactical way to approach IT security,” he said.

Instead, he urged organisations to have visibility of what is going on across the organisation. “By creating visibility from a security perspective, we can start looking at everything across a business,” he said.

This provides a kind of business value chain, enabling the organisation to use initiatives such as General Data Protection Regulation (GDPR) compliance to drive new opportunities, he added.

The study found that, despite significant cyber security investment in many areas, there has been very limited improvement in the biggest factor in organisational vulnerability – keeping endpoints properly patched and updated. While much of the security sector fixates on the latest buzzwords, threats and solutions, said 1E, the biggest gaps continue to endure right there in plain sight.

Sumir Karayi, CEO at 1E, said the WannaCry and NotPetya attacks show how easily massive vulnerabilities can be exploited to attack unpatched systems. The survey found that, on average, respondents have visibility of 64% of their organisation’s total software estate, and only 66% of this software is current. For instance, said Karayi, “a third of businesses are not on Windows 10, which is a four-year-old operating system”.

He warned that cyber criminals know all the vulnerabilities that are present in Windows 7 PCs. From an IT department perspective, he said, “organisations do not have control of one-third of their machines, so they can’t even see if these machines are infected by malware”.

Given the disconnect between IT operations and IT security, said Karayi, “IT security is not trusted to patch these machines”. At the same time, IT operations does not often treat patching as a high priority, he added.

“CIOs have the challenge of explaining the pivotal need for areas like patching, which can feel mundane. But without this hygiene, companies must constantly defend against new vulnerabilities or risk a major breach.”
