Report: Most companies fail at keeping track of patches, sensitive data

The majority of businesses have neither a solid system for tracking sensitive data nor a mature patch management process, according to a new survey of IT professionals released by Trustwave.

In 19 percent of companies there was no control or tracking of sensitive data at all, said respondents to the 2014 State of Risk survey, which was conducted by a third party on behalf of the Chicago-based security firm. And 63 percent said their process for managing this data was not fully mature.

"That is a very scary statistic," said Phil Smith, Trustwave's SVP for government solutions and special investigations.

"If you don't know where your data is -- your sensitive data, your critical data, data that you use to operate your business -- then how can you protect it?"

The data on patch management was almost as bad.

Some 12 percent of companies have no patch management process in place at all, and the process is not fully mature at 58 percent of companies.

What this means is that patching is done on an inconsistent or ad-hoc basis rather than on a defined schedule.

"This should be done on a regular and routine basis," Smith said. "And it's not happening."

As a result, critical patches can slip through the cracks, leaving the company open to external or internal threats.

"Over and over again we see that that's how hackers are getting a foothold into a network," he said. "This is low-hanging fruit. That's what we see as exploitations occur from known vulnerabilities that can be easily fixed through patching."

The report was based on answers from people well-placed to know how well their companies were doing -- nearly 500 technology managers, network or system administrators, CIOs, and CTOs from the United States and fifty other countries.

In other results, 50 percent of businesses run vulnerability scans on internal systems less than once per quarter, and 60 percent run them less than once per quarter on critical systems hosted with third parties. Meanwhile, 18 percent never run penetration tests at all.
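The two gaps described above, critical patches that sit unapplied and systems that go unscanned for more than a quarter, are exactly what a tracking process is supposed to surface. As an added example, not code from the Trustwave report or this article, here is a small Python compliance check over a constructed asset inventory. The 30-day critical-patch SLA and the 90-day scan cadence are assumed policy values, and the asset names, patch ids and dates are made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Policy thresholds. Assumed values for this example, not figures from the survey.
CRITICAL_PATCH_SLA = timedelta(days=30)   # a critical patch must be applied within 30 days of release
SCAN_CADENCE = timedelta(days=90)         # every system is scanned at least once per quarter


@dataclass
class Asset:
    name: str
    third_party_hosted: bool
    last_scan: Optional[date]                                   # None means never scanned
    pending_patches: Dict[str, date] = field(default_factory=dict)  # patch id -> release date


def overdue_patches(asset: Asset, today: date):
    """Patch ids on this asset whose SLA has already lapsed, sorted for stable output."""
    return sorted(pid for pid, released in asset.pending_patches.items()
                  if today - released > CRITICAL_PATCH_SLA)


def scan_overdue(asset: Asset, today: date) -> bool:
    """True when the asset has never been scanned or its last scan is older than the cadence."""
    return asset.last_scan is None or today - asset.last_scan > SCAN_CADENCE


def compliance_report(assets, today: date):
    """Map asset name -> list of human-readable findings; compliant assets are omitted."""
    report = {}
    for a in assets:
        findings = []
        for pid in overdue_patches(a, today):
            age = (today - a.pending_patches[pid]).days
            findings.append(f"critical patch {pid} pending {age} days (SLA {CRITICAL_PATCH_SLA.days})")
        if scan_overdue(a, today):
            where = "third-party hosted" if a.third_party_hosted else "internal"
            last = a.last_scan.isoformat() if a.last_scan else "never"
            findings.append(f"{where} vulnerability scan overdue (last scan: {last})")
        if findings:
            report[a.name] = findings
    return report


# Constructed inventory for the example: one compliant host, one host with a stale
# patch and a stale scan, and a third-party hosted system that has never been scanned.
TODAY = date(2014, 12, 1)
INVENTORY = [
    Asset("web-01", third_party_hosted=False, last_scan=date(2014, 11, 20),
          pending_patches={"KB-001": date(2014, 11, 25)}),
    Asset("db-01", third_party_hosted=False, last_scan=date(2014, 7, 1),
          pending_patches={"KB-002": date(2014, 9, 1), "KB-003": date(2014, 11, 28)}),
    Asset("crm-saas", third_party_hosted=True, last_scan=None),
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the constructed inventory, `web-01` produces no findings, `db-01` is flagged for `KB-002` (91 days old) and a 153-day-old scan, and `crm-saas` is flagged because it has never been scanned. Feeding the same function from a real asset database and scanner export turns "we patch when we get to it" into a list someone owns.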

What was surprising to Smith was the level of involvement by senior executives in corporate security issues. At 9 percent of companies, there was no involvement at all, and at 45 percent there was board or senior management involvement only to a limited degree.

"We've seen an uptick over the years, with more board management being involved, but we're not there yet," Smith said. "The boards and executive teams need to be engaged."

One suggestion he offered is for companies to hold incident response readiness exercises that involve a broad range of company functions.

According to the report, 36 percent of companies test their incident response procedures annually, 18 percent test them twice a year, and 25 percent do it quarterly.

That allows companies to ensure that people know what they're expected to do in case of a crisis, and identifies problems early.

"If you can do it through an exercise, then it's only an awkward situation and something they can address when it's not so critical," Smith said. "When we get executives, lawyers, and IT professionals together, the dialogue that starts to happen is very interesting."

For example, the first time a company runs one of these tests, he said, what usually happens is that the IT participants are constantly called away from their work responding to the problem in order to update the other executives on what's going on.

"There's nothing like pain to get people's attention," he added.

However, 21 percent of companies never do this kind of testing at all.


Stories by Maria Korolov
