Click to download the report, including a 10-point action plan from Michael Daniel, former Special Assistant to President Obama on cybersecurity Download action plan/full report Get in Touch

Getting Your House in Order

Why businesses are leaving doors open to security breaches and what must be done to close them

Scroll down to learn more

Foreword

Sumir Karayi, CEO, 1E

Sumir Karayi

Given the severe damage caused by the NotPetya and WannaCry attacks, which impacted many businesses for months, we recently felt compelled to sponsor a large research project to determine whether the situation had improved since those devastating attacks swept through the world.

Hence this report. 1E commissioned respected research house Vanson Bourne to survey 600 senior IT decision-makers (300 from IT Operations and 300 from IT Security) across the US and UK, to get a proper picture of the cybersecurity challenge from both sides of the IT fence.

Security built on sand

Like me, you may think the findings are both interesting and disturbing. Sixty percent of organizations told us that they have suffered a serious cyber breach in the last two years. Over 30% have suffered more than one.

Yet the situation is still not under control. These events are avoidable but unless something changes soon, our data suggests we will have to brace ourselves for more major breaches in the near future.

This report highlights the causes for this, such as a lack of visibility and control across one third of endpoints, a crisis of trust between IT Security and IT Operations, and the ongoing struggle to patch software or even keep Operating Systems current.

New challenges such as the digital revolution and mobile workforce are only making the problem worse.

However, our report shows that the situation, although serious, is by no means beyond repair.

We have asked several experts for their guidance and opinion on how to improve this situation and we welcomed input from Shira Rubinoff (President and Co-founder, Prime Tech Partners), Kurt De Ruwe (CIO of Signify – formerly Philips Lighting), Jason Sandys (Microsoft MVP), Jason Keogh (ISO standard SC7/SC27 liaison) and Talal Rajab (Cyber Security Head, Tech UK).

We also asked one of the leading security experts in the world, Michael Daniel, former cybersecurity advisor to President Obama, and currently President & CEO of the Cyber Threat Alliance, to develop a 10-Point Action Plan based on the data.

I hope you enjoy reading this report as much as we enjoyed researching it. The study points to a big opportunity for every organization to become much more secure.

Click here to read the Action Plan

Section 1

The scale of the problem

Not as safe as houses

IT today is a fraught and overstretched environment: 93% of respondents tell us they are experiencing challenges. Amongst a wide range of issues, the leading ones are restrictive budgets, a lack of understanding between IT Operations and IT Security, and legacy systems.

It’s possible to trace the connection between these root problems and the prevalent uncertainty felt around the issue of cybersecurity; less than a quarter (23%) believe that they are extremely well prepared to react to a serious data breach.

The anxiety is well founded. Sixty percent of respondents have experienced a serious security breach in the last two years - 31% more than once.

Respondents identified a lack of clear security protocols (52%) and unpatched software (51%) as the principal causes of breaches, followed by a lack of IT Security/Operations collaboration (42%) and a lack of patch automation (40%). It’s easy to see how an organization’s cultural issues and technical shortcomings can enforce one another, creating heightened vulnerability.

Challenges facing the IT department

Which of the following challenges do you believe the IT department, as a whole (including IT Operations, IT security etc.), is currently experiencing in your organisation?” asked to all respondents, showing a combination of responses ranked as the first, second, and third biggest challenge (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

The concern is that it typically requires a serious wake-up call for the wider organization to act. Even then, the usual knee-jerk reaction is to buy yet another new security tool, rather than address the underlying issues. In other words, they choose to buy another fancy alarm system rather than shutting those windows and doors.

Causes of security breaches

“What do you believe are the main causes of security breaches?” asked to all respondents, showing a combination of responses ranked as the first, second, and third most likely cause of security breaches (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Kurt De Ruwe
CIO of Signify

“Why are companies vulnerable? Because they run older versions of operating systems, and older versions of software, without patching, and without proper encryption where it’s needed.”

Michael Daniel
Former Special Assistant to President Obama and Cybersecurity Coordinator at the White House
Read Michael Daniel's 10-Point Action Plan

“Too often I see organizations expend far too much budget and resources on new and expensive tools. But the real problem isn’t always down to a lack of technology – it’s often the lack of a cohesive relationship between IT Security and IT Operations, which can result in gaping holes in the organization’s security profile.”

New ways of working

Digital transformation is a mixed blessing to our respondents, with 80% claiming that it increases cyber risk.

Dependence on software is also increasing – a clear majority (73%) told us they were more dependent on it now than they were 12 months ago.

The Dark Web has made it easier for attackers to monetize stolen data. As the value of data has increased, so has the funding and sophistication of the cyber-criminals seeking to exploit vulnerabilities in software. Breaches are becoming more frequent and more damaging.

The growth of remote working is a further key feature of digital workplaces that respondents have flagged as problematic. In fact, until organizations can find a way to effectively reach, patch, and secure those outside the office, remote working will remain a security concern for over three quarters (77%) of respondents.

This is an extremely telling figure. By and large, IT remains dependent on legacy systems developed for the office-based, LAN-style workplace of the 1990s. How can they hope to adequately patch and manage the many remotely connected endpoints out there today which are under almost constant attack?

Kurt De Ruwe
CIO of Signify

“You need to ensure that people who are not frequently on site don’t become your weakest link. Patching that is only available when you’re on the physical location, for example, is totally wrong. You really need to have a way of working that means that, for really critical activities, location doesn’t matter.”

Microsoft MVP Jason Sandys says it’s a behavioral issue. “Remote workers don’t always have a strong affiliation to the company; the natural attachment you get from being in an office isn’t necessarily there. That’s a big security concern, because the average employee isn’t focused on defending the network it’s even tougher to get on the remote workers’ agenda. Once the system is compromised, the data is compromised.

Jason Sandys
Microsoft MVP

“The challenges have been there for a long time, but now you have people sitting in coffee shops, on public Wi-Fi, working on their company laptops. This is, or should be, shifting the perspective of the security boundary.”

Factors Increasing Cyber Risk

Analysis showing the percentage of respondents who agree and disagree with the above statements. Asked to all respondents (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Outside the office

A remote worker has decided to work from a local coffee shop for the day. The free Wi-Fi is spoofed and data sent to and from the endpoint is exposed to bad actors. The attackers gain access to credentials which allow them authorized access to the network, and they spread across the organization. While IT Security has invested in a firewall and anti-malware tools, those controls are futile because the attacker is using valid credentials to access files on company systems. Legacy approaches just don’t cut it. Businesses need new tools for endpoint protection which function regardless of location and enable real-time response to incidents.

Section 2

The IT Operations/IT Security divide

Knocking down walls

Presented with the prospect of accelerated digital transformation, IT realizes that internal collaboration is vital. However, fewer than a quarter (23%) of respondents believe that the IT Operations and IT Security teams work together extremely well to secure the business, creating a significant hole in security protocol.

“It’s political”, says Sandys. “There’s a lack of cohesion, and a disparity in objectives. IT Security thinks it’s seen as the enemy; the blocker to productivity. IT Operations will push ahead with a project, but it’ll be inhibited by the IT Security team, which naturally have to be cautious. This scuppers collaboration”.

It’s not just IT Security’s fault, however. “IT Operations should understand that the security team has different objectives, and therefore different accountability”, says De Ruwe. “It’s good for teams to challenge each other and compromise in a pragmatic way”.

Neighbors of a different nature

When considering PCs and servers, IT Security’s job is to say that there is a problem, while IT Operations’ job is to fix it. This is because in most organizations the change management process is owned by IT Operations, as they need to consider business use, impact on business processes, and how best to make the change.

However, our survey revealed a disturbing lack of trust in the dynamic between the two teams. Less than half of our IT Security respondents felt able to totally rely on IT Operations to cover security alerts (49%), security breaches (48%) or to keep software patched and up-to-date (47%). 

With relationships strained, perceptions are skewed. Three quarters (75%) of respondents agree that the IT Operations team at their organization has a “keep-the-lights-on” mentality, focusing on availability over security. What’s more, almost two thirds (62%) of respondents, feel that the IT Security team knows exactly how to make the organization more secure, while IT Operations make securing the business more difficult.

Trust in IT Operations

Analysis showing the percentage of respondents who feel that IT security can totally rely on IT Operations when it comes to the above areas. Asked to all respondents (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Closer alignment is a must. Respondents say better communication (62%), and/or improved sharing of data (57%) between the IT Operations and IT Security teams would help. The collaboration issue has implications for technology procurement as well. Over half (54%) of respondents feel that when it comes to the tool procurement process, their organization’s IT Operations and IT Security teams only collaborate “fairly well”.

“Get the two teams working together and agreed on aims, and create a shared toolset”, says De Ruwe. “When something does go wrong, don’t play the blame game. If you point a finger, there are usually three fingers pointing back. Use your collective energy to solve the problem instead.”

Sixty-two percent of respondents feel that the IT Security team knows exactly how to make the organization more secure, but IT Operations make this action more difficult.

1E survey data

Michael Daniel
Former Special Assistant to President Obama and Cybersecurity Coordinator at the White House


Read Michael Daniel's 10-Point Action Plan

“We often see IT Operations and IT Security using different tools that don’t integrate, and therefore they don’t agree on what constitutes a threat or how assets are categorized and prioritized. By removing siloed and duplicate tools, you can achieve transparency, operational efficiency and cost effectiveness. This provides a single source of truth that can guide your operational and security strategy.”

IT Operations/IT Security
A way to go but a will to get there

Analysis showing the percentage of respondents who believe that the IT Operations and IT Security teams in their organization do the above tasks extremely well – they are very good at them. Asked to all respondents (600)

Analysis showing the percentage of respondents who believe that their organization would benefit from better IT Operations and IT Security collaboration. Asked to all respondents (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Friends and Neighbors

The bottom line is that nearly all (97%) respondents believe that their organization would see benefits from better IT Operations and IT Security collaboration. Perceived benefits include:

  • Six in ten (59%) predict faster reaction times to security breaches as a benefit of better collaboration
  • Nearly half (48%) expect a better understanding of the tools required to be more successful
  • Almost two thirds (62%) foresee increased efficiency

Section 3

The software arms race

Power tools

Vulnerabilities and exploits are regularly made public. Once an exploit is discovered, even a tech-savvy 14-year-old can sit in their bedroom, find this information and stitch malware together to create chaos.

Most vulnerabilities targeted in attacks already have patches available. The success of exploits such as NotPetya and WannaCry, however, point to the continuing need for organizations to take more responsibility for their own defense, and ensure that all such updates are properly deployed. This is evident in our data. Respondents say that just 66% of their organizations’ software estate is current, meaning 34% of endpoints remain open to exactly these types of breaches.

Just 66% of organizations’ software estate is current

1E survey data

Visibility and control

It is not fair to lay the blame on any one team, when there are fundamental issues with the tools these teams must rely on.

Our respondents reported a significant lack of endpoint visibility and control capabilities. On average, they feel that they only have visibility of 64% of their organization’s total software estate. That leaves a huge literal blind spot of 36%. As for endpoint control, the figure stands at 58%. How do you protect what you cannot control or even see?

Kurt De Ruwe
CIO of Signify

“Live information is really important because viruses and phishing attacks happen from moment to moment so you need to be able to react quickly. There was a time when you could afford to wait a week or two before you had the information. Today, real-time information makes all the difference."

The Endpoint Visibility Blind Spot

Analysis showing the average percentage of endpoints on respondents’ organizations’ networks that respondents have visibility of. Asked to all respondents, split by respondent focus (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Risk, opportunity & Windows 10

The way in which operational limitations can lead to structural vulnerabilities is particularly evident around Windows 10. Respondents report that on average their organization has migrated only 68% of their machines to Windows 10, leaving some way to go until the process is complete.

This is worryingly low. Windows 10 has been available for three years – during which time criminals have largely been free to exploit vulnerabilities common in older Windows operating systems. The improved security functions in Windows 10 are one of the reasons eight in 10 (83%) say security is a motivating factor for their organizations’ migration to Windows 10. In addition, over half (58%) feel that a failure to meet the Windows 7 support cut-off on January 14th 2020 poses a significant security risk (as well as increased license costs), which may be why a similar number (56%) are worried that their migration isn’t happening quickly enough.

Particularly concerning for these organizations is the natural tendency to leave the most difficult migrations to last. Over 6 in 10 (62%) identify the migration of remote workers to the latest version of Windows as a challenge.

Nearly half (45%) of those surveyed believe that greater automation capabilities for deploying patches and responding to vulnerabilities would help improve the reliability of the IT Operations team.

1E survey data

Kurt De Ruwe
CIO of Signify

“We fully standardize on the Windows 10 environment, but we always make sure we are up-to-date with all the latest releases. Every single security patch – users cannot refuse it – gets installed automatically as soon as it becomes available. If your infrastructure environment is not properly managed, then you can have the greatest security tools and still have a big risk. That’s our policy: to patch, patch, patch the moment something becomes available.”

Michael Daniel
Former Special Assistant to President Obama and Cybersecurity Coordinator at the White House


Read Michael Daniel's 10-Point Action Plan

“For maximum efficiency, organizations should look to remove the need for human intervention in keeping your endpoints up-to-date as much as possible. Using automation tools to deploy patches and upgrades, and timing patches when most of the workforce isn’t online (at 6AM, for example) can ensure the process works as seamlessly as possible, and it frees up IT staff to address those machines that need special attention.”

The Software Security Threat

Analysis showing the average percentage of respondents’ organizations’ software estates that is current today, and the average percentage of respondents’ organizations’ machines that have already been migrated to Windows 10. Questions asked to all respondents (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Section 4

On Board

Taking the issues to the top floor

When it comes to budget allocation, the vast majority (90%) of respondents report that their business prioritizes other things over cybersecurity. The pressing question therefore becomes: how do we prioritize the resources that are allocated?

Our respondents believe that an increase of investment is required most in these areas: the automation of software migration (80%), breach response and remediation (67%), and/or software patching (65%).

In other words, a greater investment is called for to remedy protection through patching and automation, as well as better solutions to respond to breaches as they happen.

Cyber investment

Analysis showing the percentage of respondents who think that their organization’s investments in the above areas of cyber security needs to increase, decrease, or stay the same over the next 12 months. Asked to all respondents (600).
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Gaps in understanding

Does the board realize that those entrusted with the pivotal responsibility of ensuring these doors and windows are shut (and hopefully locked) typically can’t even reach or see a third of the endpoints? 

Fewer than a quarter of respondents believe that their organizations’ board of directors has total awareness regarding the level of control that the IT department has over endpoints (23%), and visibility possessed by the IT department over the software estate (21%).

This lack of awareness from the board carries over into the number of software licenses in use (25%), and how up-to-date the software estate is where, again, fewer than a quarter (23%) feel that there is total awareness among the board. Among respondents from the UK, perceptions of board awareness fall even lower (13-17%).

No one expects the board to suddenly concern itself with IT minutiae, of course, but better reporting practices, along with new, more meaningful performance measurements could improve both awareness and funding.

The vast majority (90%) of respondents report that their business prioritizes other things over IT Security when it comes to budget allocation.

1E survey data

Machines migrated to Windows 10

“How many employees does your organization have in your country?” asked to all respondents (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

Michael Daniel
Former Special Assistant to President Obama and Cybersecurity Coordinator at the White House


Read Michael Daniel's 10-Point Action Plan

"Unfortunately, outcome-based cybersecurity KPIs are limited in number and the ones that exist require a lot of investment and sophistication to manage right now. As the next-best alternative, you can manage to a few key input measures—those things you can control in advance. What percentage of machines are up-to-date with patching? How many are upgraded to Windows 10? It’s entirely possible the board is unaware of the real risk because they don’t have the complete picture. Decide on some input-based metrics, track performance and adjust or add more over time."

Section 5

Conclusion

A house divided cannot stand

What’s clear is that these issues cannot continue. There is far too much on the line, particularly when more malicious, well-funded, and organized attacks are taking place.

In total, 73% of respondents said they were more dependent on software than they were three months ago. It points to an ongoing, continuous escalation of all these problems – unless we take control of the situation.

We’ve seen the lack of trust around IT Operations, the lack of visibility and control they endure, and the demand for tools that enable them to reach, patch and update endpoints more effectively.

Given the increasing prevalence of remote workers, and the difficulties in securing them, it goes without saying that these tools must be inclusive of them – that means providing remote users with self-service, and giving IT teams the ability to respond to remote worker incidents and vulnerabilities in real time. Without these capabilities, significant gaps will remain.

Of course, there are ultimately several pieces that must come together, and many of them are cultural. If one of them is ignored, the business will remain unsecure. It requires strong leadership and collaboration, but the results are worth it.

Our 10-point action plan, compiled by cybersecurity expert Michael Daniel (former Special Assistant to President Obama) uses our findings to show you can make the difference at your organization.

Section 6

10-Point Action Plan

Minimize your cyber risk
By Michael Daniel, former Special Assistant to President Obama on cybersecurity

Fill in the form to download action plan/full-report


by Michael Daniel

Former Special Assistant to President Obama and Cybersecurity Coordinator at the White House

Cybersecurity and IT Operations often seem to conflict – the security people recommend actions that admins find impossible to implement, while the operations side takes actions that security see as creating unneeded risk. However, while you can never drive your cyber risk to zero, if IT and cybersecurity operations work together, you can dramatically lower your risk profile. Here’s 10 ways to do that.

Respondent Information

300 operational IT decision makers, and 300 security IT decision makers were interviewed in February and March 2019, split in the following ways…

…respondent job role

“Which of the following most accurately describes your position in the organization?” asked to all respondents, showing operational roles in green and security roles in pink (600)

…organization size

“How many employees does your organization have in your country?” asked to all respondents (600)
Source: 1E survey of 600 UK & US IT decision makers, Feb/March 2019

About 1E

Modern users expect a mobile-like experience, with self-service and instant results. 1E enables IT to deliver comprehensive self-service and respond in real-time by augmenting Microsoft and ServiceNow solutions. Over 1000 organizations trust 1E to meet their user, business, and security needs. Your employees are important; they deserve 1E managed endpoints.

Kurt De Ruwe
CIO of Signify

“Real-time information makes all the difference. Today, 1E’s Tachyon is so embedded in how our IT Operations team functions, that if we were to take it out, there would be rebellion.”