Recent research reveals that organizations have received alarmingly low scores in important sectors of cybersecurity.
"The stats are well known about the increasing volume of cyber attacks and the growing number of vulnerabilities. In the face of such an onslaught, you would expect organizations to be upping their game. But the opposite appears to be the case, according to research by Computer Economics, a division of Avasant Research.
Based on its IT Management Best practices 2020-2021 report, five IT security and risk management practices scored low in maturity. While other areas of IT scored higher in maturity, areas such as encryption, incident management, authentication, penetration testing, and security audit compliance all showed levels below 50%.
Remote work exacerbates security challenge
The massive increase in remote work because of the COVID-19 pandemic is making matters worse.
"Cyberattacks have surged at least 85% since March," said Tom Dunlap, director of Avasant Research. "Data theft and ransomware are on the rise, aimed increasingly at the work-from-home crowd. Because of this new reality, it is shocking what our best practices survey revealed this year: Many security best practices are not applied consistently."
These results don’t mean that encryption, authentication, and these other areas are absent in organizations. But a large percentage of respondents admitted that they don’t practice these disciplines and technologies in a formal and consistent manner.
Encryption's maturity rating of 46%, for example, makes it clear that 54% lack the proper processes to be thorough enough about encrypting their data. Perhaps they encrypt some but not all sensitive data. Or they encrypt data at rest but not while it is moving. Whatever is the case, these organizations are unnecessarily at risk.
Similarly, security incident management scored only 44% in maturity, two-factor authentication was at 43%, penetration testing at 42%, and IT security compliance audits at 41%. This suggests that cybersecurity technology is running too far ahead of the ability of organizations to formalize these technologies within an organizational framework that effectively implements them."