GoSecure, a leading provider of Managed Detection and Response (MDR) services and a predictive Endpoint Detection and Response (EDR) platform, today released a new research report, Cybersecurity Perceptions Versus Reality, which revealed a disconnect between defenders’ perceptions of how best to protect their organizations, what has actually been implemented, and what is needed based on what GoSecure penetration testers see in the real world.
“This report illustrates what cybersecurity professionals perceive as important to an organization’s overall security maturity,” said Neal Creighton, CEO of GoSecure. “It also highlights that the reality of what is implemented can be vastly different. The perceptions of what is important align well for defending some of the most common attack techniques used by penetration testers. Yet our pentesters continue to identify missing controls or highlight critical findings related to each survey topic.”
To distinguish perception from reality, GoSecure’s research team developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity. The survey focused on the importance of specific security measures or controls and whether they are implemented. Security measures called out in the survey include multi-factor authentication, password policies, specific security measures, patch management, products’ features enabled by default, asset inventories, and endpoint visibility. The results of the survey were then cross-referenced against findings from the GoSecure penetration testing team.
Key findings include:
- Multi-Factor Authentication is valued by security professionals, as 93% of survey respondents rated MFA as “important” or “very important.” Unfortunately, only 47% have fully implemented MFA, with 13% having zero MFA. GoSecure penetration testing identified MFA as a missing control in 36% of engagements.
- Password Policies are well established but vary in complexity. Passwords over six characters in length are supported by 56.3% of respondents, while 74.8% said that passwords need to be a mix of letters, numbers, and special characters. Opinion on requiring regular password changes was split, with 43.7% saying it is important and 43.7% disagreeing. Interestingly, 40% of respondents have not, or have only partially, implemented their perceived “ideal” password policy. And for all the talk of password policies and complexity, GoSecure penetration testers are still successful 25% of the time cracking passwords using password spraying, a fairly basic password cracking technique.
- Patch Management is rated as “important” or “very important” by 90% of respondents. The reality, though, is that 52.6% of respondents say it takes weeks, months, or even years to apply patches. GoSecure penetration testing experience highlighted that while Microsoft Windows patching was generally well managed owing to the abundance of free tools, this is not the case for other line-of-business applications. Crucial applications, such as Java, Flash, or non-Microsoft browsers, are usually less well maintained and account for many vulnerabilities.
Overall, the report’s outcomes concluded that although there are concerted efforts in the industry to protect systems, significant security gaps continue to exist. In addition to highlighting the disconnects, the report includes actionable insights and pro tips from GoSecure pentesters to remedy the security gaps uncovered in the research.
“Cybersecurity teams are under constant pressure, and, as this report illustrates, sometimes the simplest changes are missed,” Creighton continued. “As a member of the cybersecurity community, we are proud to offer this insight along with actionable recommendations. Every small step incrementally increases an organization’s security maturity, which, ultimately, is required to stay ahead of today’s attackers.”