natali_mis - stock.adobe.com
The most impactful cyber security incidents in the past 18 months were linked to a lack of user and device access visibility and lax endpoint, authentication and authorisation access controls, a survey shows.
At least half of all companies polled in the UK, Germany, Austria, Switzerland and the US said they had dealt with malware, unauthorised or vulnerable endpoint use, and mobile or web apps exposures, according to the 2019 State of enterprise secure access report by IDG Connect and Pulse Secure.
Nearly half of them experienced unauthorised access to data and resources due to insecure endpoints and privileged users, as well as unauthorised application access due to poor authentication or encryption controls.
The study is based on a survey of more than 300 information security decision-makers in enterprises with more than 1,000 employees across the four countries and covered key verticals, including financial services, healthcare, manufacturing and services.
When asked about potential access security control gaps experienced in the past 18 months, one in five UK respondents said mobile computing exposure represented an “impactful gap”, while in Germany, Austria and Switzerland, the same proportion of respondents cited poorly maintained directory services, poor user and device discovery and inconsistent, incomplete enforcement as the most pressing gaps in access security.
In response, respondents said their organisations were stepping up their access security initiatives, with 48% planning to improve endpoint security; 46% planning to enhance internet of things (IoT) discovery, isolation and access control; and 44% planning to improve network and cloud access visibility and resource segmentation .
Adding to management complexity, the study found that organisations use at least three or more secure access tools each, and that larger companies have about 30% more tools than smaller enterprises.
Correspondingly, nearly half of respondents were open to exploring the benefits of consolidating their security tools into suites. The UK was the most prolific user of security tools, with survey respondents recording 4.9 virtual private network (VPN) tools and 4.3 next-generation firewall (NGFW) and mobile security tools, equating to an increase of over 25% compared with other countries.
With the rapid migration to cloud, 52% of respondents from the UK and other European countries said a project or pilot of a zero-trust approach to security using software-defined perimeter technology was planned over the next 18 months.
Read more about the zero-trust approach to security
- Traditional corporate security models date back to a time when there were fewer, lower-level threats, but a zero trust model is better suited to the 21st century, according to the originator of the idea, John Kindervag.
- The zero-trust security model is more than just products and network segmentation, it’s an architectural design principle with identity at its core that needs to be applied enterprise-wide, says KuppingerCole.
- The zero-trust model of security is finally gaining traction as security professionals tap into new tools and executive buy-in to support this approach in an effort to improve security posture and practice.
- UK senior decision-makers believe younger workers are the biggest risk to cyber security, but are doing little to support them and reduce that risk, a report reveals.
Essentially, a zero-trust approach is about applying authentication and authorisation to ensure that all traffic within an enterprise is properly authenticated and authorised, whether it is someone coming in from the outside on a VPN connection, an application talking to another application on the network, or a user trying to use an application on the network.
“The data from the survey shows many similarities between the various countries in terms of the gaps and threats that large enterprises need to deal with with respect to secure access,” said Scott Gordon, chief marketing officer at Pulse Secure.
“Perhaps the most significant difference in secure access priorities was more focus on improving endpoint security and remediation prior to access in the US (57%) compared with 43% in the UK and just 31% in German, Austria and Switzerland. This trend also matches higher IoT adoption in the US, although Europe is catching up fast.”
A key takeaway from this report, said Gordon, is that large organisations across Europe are dealing with an increasingly hybrid IT environment. “As a result, they should reassess their secure access priorities, capabilities and technology as part of their zero-trust strategy,” he said.
In a recent Computer Weekly interview, the originator of the zero-trust concept, John Kindervag, said traditional corporate networks typically give too many people too much access for no particular purpose.
“A zero-trust approach is important as a strategic security initiative and general best practice,” said Kindervag, adding that abuse of trust is at the heart of many of the data breaches making news headlines on an almost daily basis.