We ran an online cyber security stress test during the first half of 2016 to get an overview of the security status of organizations, and to give tools to these organizations to evaluate their own maturity when it comes to cyber security.
In this report, I’ll take a closer look at the endpoint protection aspect of cyber security.
The first observation to catch my attention is that only about half of the organizations that took part in the survey (almost 600 in total from all over the world) audit their cyber security on a regular basis, or keep it on the management team’s agenda.
This is a bit worrying, as the threat landscape keeps getting more complex, and the tools used in the past to target specific victims are becoming commonplace and are now used opportunistically on the mass market. Senior leaders are essential in making cyber security a priority that actually gets the necessary attention and resources to protect company assets.
This may be because three out of five organizations have yet to encounter a serious malware incident that would keep their systems out of use for extended periods.
Organizations take care of the basic elements of endpoint protection rather well: about 75% of them have cloud-connected endpoint protection in place, which keeps that protection up to date at all times. And about two thirds state that they have a centralized software delivery mechanism for deploying patches to endpoint software.
What organizations have yet to implement on a broader scale is a Bring Your Own Device (BYOD) policy, and protection for BYOD devices. Only about half of the respondents say that they have a BYOD policy that is communicated to their employees. And fewer than two out of three use endpoint protection that covers BYOD devices as well.
This clearly opens up their network to attacks – unprotected BYOD devices can easily be the way into the inner network, since work is no longer only limited to the office space or the company computer. Therefore, organizations need to address the specific security issues of BYOD before implementing a BYOD policy.
Also remember that extensive endpoint protection is only the start. You need a holistic approach to cyber security that covers all the aspects of protection, detection, response, and prediction. After all:
There are 2 types of companies: those that have been breached, and those who do not know it yet.
Jens Thonke, Executive VP Cyber Security Services, F-Secure