Dutch organisations naive about digital vulnerability – Security Awareness survey by Solvinity reveals 80% do not install all patches and updates
88% of Dutch IT managers say they have the security of their organisation under control, while 70% believe they are perfectly capable themselves of providing protection against cybercrime. In spite of this, 80% do not install all available patches and updates. Less than half take specific measures to reduce their own vulnerability. Research by Solvinity shows a huge gulf between the perception and the reality of organisations’ own digital security.
At the end of July 2020, Secure Managed IT Service Provider Solvinity commissioned PanelWizard to conduct research into the perception that Dutch IT employees have of their organisations’ digital resilience. It was conducted among over 500 IT employees, mainly management, at Dutch companies with 200 or more employees. The survey follows a wave of security incidents, from shutting down home servers due to unresolved vulnerabilities, to large-scale ransomware attacks and an explosive rise in cybercrime numbers, which have this year exceeded the number of domestic burglaries for the first time.
Patches & Updates
Only 49% of respondents stated that they install patches and updates within a few days of release by vendors. 24% need weeks to do so and 8% even months or longer. Almost 80% stated that some patches and updates are not installed at all.
When asked for the reasons, 38% stated that patches are held back when management fears that business operations could be jeopardised as a result. In 13% of the organisations surveyed, end users block updates because they do not want anything to change, while 16% stated that the IT department has insufficient capacity to deal with patches and updates.
In other cases, the IT in use itself impedes security. 24% stated that certain vendors do not allow third-party software to be updated beyond a certain version; if they update anyway, support is no longer provided. A total of 15% stated that certain hardware is not compatible with higher software versions, and 9% stated that their licences do not allow them to update certain software further.
Shadow IT & mitigation
In total, 18% of the respondents rule out that software, hardware or services which they know to be insecure are in use within the organisation. But the basis for that certainty is unclear. By actively scanning the infrastructure, it is possible to quickly detect such ‘shadow IT’ and immediately take appropriate action – but only 23% of respondents do so. A further 14% do, at most, an occasional clean sweep of the network. The remaining 63% essentially ignore the problem.
Less than half of respondents (49%) stated that they know exactly where their organisation is vulnerable and also take targeted measures to combat that vulnerability. The remaining 51% stated they are not aware of their own vulnerability or that they have not, in any case, taken any relevant targeted measures.
Marc Guardiola, CISO at Solvinity, is not surprised by the results of the survey. “A good cybersecurity policy begins with insight into your own vulnerability. However, many IT departments have to contend with high workloads and a shortage of well-trained staff. That makes it extremely difficult to realistically assess one’s own risk profile and to put the appropriate measures in place.”
The survey shows that IT outsourcing can increase organisations’ resilience. More than 40% of respondents who manage their own IT had never heard of hardening (the process by which hardware and software settings are tested for security) prior to the survey. That percentage was only 10% among Solvinity clients and on average 15% among clients of other Managed Service Providers (MSPs).
Fifty-three percent of respondents who manage their own IT stated that the organisation adequately informs all employees about IT security. That percentage is clearly higher (63%) among Solvinity clients, but actually lower on average among clients of other MSPs (48%). “A Secure Managed IT Service Provider consciously pursues a policy aimed at security”, says Guardiola. “We employ Continuous Hardening, for instance. That is a unique way of working, whereby experienced specialists check each modification to the network in order to see whether it is implemented as securely as possible.”