Even as cyber-attacks become more frequent and sophisticated, there are several steps every IT department can take to reduce the risk to their organization. The problem: most organizations fail to take those precautions.
That’s the message from a recent report published by security vendor Venafi and security research firm Echelon One.
The researchers developed a list of 12 security best practices, and evaluated 420 organizations to see how their security programs stacked up. Here are five of those practices, and how the evaluated firms fared in the assessment:
1. Perform quarterly security and compliance training – 77% of firms failed to do so
Since many security breaches can be wholly or partially blamed on human error, training for both IT staff and users with access to sensitive information is critical. However, most organizations lack the time and resources to conduct training regularly.
2. Encrypt all data in the cloud – 64% failure rate
Most cloud applications don’t encrypt by default, leaving organizations’ data exposed. The report recommends that businesses use third-party applications that encrypt cloud data both in transit and at rest. Note that encryption applied by a provider that also holds the keys does not shield the data from that provider or from a compromise of its accounts, so it matters who controls the keys, not just whether encryption is switched on.
3. Rotate encryption keys every 12 months – 82% failure rate
The longer a key stays in service, the longer any copy of it remains useful, including copies held by former employees who may retain access long after they leave. Keys should be changed when an employee who held them departs, but management may not know every ex-employee who ever had a key, so scheduled rotation acts as a backstop that eventually invalidates those copies.
4. Separate duties for access to encryption keys – 31% failure rate
One security risk organizations face is being held hostage by a rogue IT staffer. A key way to combat that is to separate duties so that no single person holds the complete encryption key: split the key into components held by different custodians so that it can only be reconstructed when they act together. The same arrangement protects the organization from the opposite failure, a single key holder who leaves or becomes unavailable.
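Practices 3 and 4 can be enforced together in a small key-inventory tool. The following is an added example, not code from the report or from Venafi: it keeps a versioned key ring that flags the active key once it is older than the 12-month interval (assumed here to be 365 days), and at each rotation it hands out XOR components of the new key, one per custodian, so the ring itself stores only a SHA-256 fingerprint and no single person ever holds the whole key. The class and function names, and the in-memory ring, are this example's own assumptions.

```python
"""Key rotation with an age check, plus two-person split knowledge.

Added example (not from the Venafi/Echelon One report). Assumes a simple
in-memory key ring and a 365-day rotation interval.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# The report's target is rotation at least every 12 months; 365 days is assumed.
ROTATION_INTERVAL = timedelta(days=365)


def xor_all(parts: List[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("all components must have the same length")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split key into XOR components, one per custodian.

    Every component is uniformly random on its own, so any subset short of
    all of them reveals nothing about the key: an n-of-n split, the simplest
    form of split knowledge used in key ceremonies.
    """
    if custodians < 2:
        raise ValueError("separation of duties needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    shares.append(xor_all([key] + shares))  # makes the XOR of all shares equal the key
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """Rebuild the key; only correct when every custodian contributes a share."""
    return xor_all(shares)


@dataclass
class KeyVersion:
    version: int
    created: date
    fingerprint: str  # SHA-256 of the key; the ring never stores the key itself
    active: bool = True


@dataclass
class KeyRing:
    custodians: int
    versions: List[KeyVersion] = field(default_factory=list)

    def rotate(self, today: date, key_len: int = 32) -> Tuple[KeyVersion, List[bytes]]:
        """Generate a new key version and return its per-custodian components.

        Older versions are retired: kept so existing data can still be
        decrypted, but never used for new encryption.
        """
        key = secrets.token_bytes(key_len)
        for old in self.versions:
            old.active = False
        kv = KeyVersion(len(self.versions) + 1, today, hashlib.sha256(key).hexdigest())
        self.versions.append(kv)
        return kv, split_key(key, self.custodians)

    def needs_rotation(self, today: date) -> bool:
        """True if there is no active key or the active key exceeds the interval."""
        active = [v for v in self.versions if v.active]
        if not active:
            return True
        return today - active[-1].created > ROTATION_INTERVAL

    def verify(self, version: int, shares: List[bytes]) -> bool:
        """Check that the components presented by the custodians rebuild the recorded key."""
        kv = next((v for v in self.versions if v.version == version), None)
        if kv is None or len(shares) != self.custodians:
            return False
        return hashlib.sha256(combine_shares(shares)).hexdigest() == kv.fingerprint


def demo() -> Dict[str, bool]:
    """Walk one key through its lifecycle with two custodians (dates are constructed)."""
    ring = KeyRing(custodians=2)
    v1, components = ring.rotate(date(2011, 1, 10))
    results = {
        "fresh_key_not_due": not ring.needs_rotation(date(2011, 12, 1)),
        "due_after_12_months": ring.needs_rotation(date(2012, 2, 1)),
        "both_custodians_verify": ring.verify(v1.version, components),
        "one_custodian_fails": not ring.verify(v1.version, [components[0], components[0]]),
    }
    v2, _ = ring.rotate(date(2012, 2, 1))
    results["old_version_retired"] = (not v1.active) and v2.active
    results["old_components_still_verify_old_version"] = ring.verify(v1.version, components)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In practice the components would be handed to their custodians and never stored alongside the ring; the fingerprint is what lets an auditor confirm, at a later ceremony, that the right key was reassembled without the ring ever having held it. Retired versions are deliberately kept on record because data encrypted under them still has to be readable until it is re-encrypted.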
5. Conduct vulnerability assessments once per quarter – 31% failure rate
Security risks are constantly changing, so organizations must frequently assess and test their networks to determine their current exposure. The researchers also recommend a larger assessment of all security programs once a year.
First step: Know the risks
Across the board, one problem many organizations face is a lack of knowledge among IT management about what security practices their departments are following. For example, when asked if their organization encrypts data when it’s in a public cloud, 40% of survey respondents said they didn’t know. Another 41% weren’t aware how often encryption keys were being rotated.
IT departments must have greater oversight over security practices and come up with standardized policies and procedures — the first step in improving security is knowing what controls are currently in place and assessing how well they’re working.
To read the full report and take a self-assessment, visit Venafi’s website.