40% of senior cybersecurity decision makers effectively prioritize risks to Payment Card Industry Data Security Standard (PCI DSS) 4.0 compliance, according to Titania.
The study highlights that oil and gas, telecommunications, and banking and financial services organizations are prime targets for threat actors that exploit vulnerable network device configurations to scale their attacks. It also reveals that only 37% could ‘very effectively’ categorize and prioritize the compliance risks that undermine the security of their networks.
Network misconfigurations go undetected in most organizations
96% of organizations reported not analyzing switches and routers when checking for misconfigurations and that checks are typically performed annually. However, most agreed that continuous (daily) risk assessment of every firewall, router, and switch is the most robust strategy to secure networks and maintain compliance.
80% also agreed that their organization relies on compliance to deliver security. Specifically, all banking and financial services sector respondents are confident that they are meeting their corporate security and external compliance requirements, compared to most oil and gas (98%) and telco respondents (96%).
This data demonstrates a disconnect between the perception of network security and compliance, and the reality.
“Complex networks, large customer bases, and long supply chains make these industries highly susceptible to attacks. The study reveals that given the current organizational approaches to network security, companies cannot be continuously compliant, and as a result carry with them unquantified levels of risk to the confidentiality, integrity, and availability of systems and data,” said Phil Lewis, CEO, Titania.
“A determined attacker will try a combination of approaches to access a network until they gain entry, and known vulnerabilities or misconfigurations are an easy way in. Companies must adopt both a zero trust mindset and network security best practices, to minimise the attack surface, inhibit lateral movement, and prevent intruders from meeting their goals,” continued Lewis.
Challenges in meeting security and compliance requirements
The research, which asked how organizations currently detect and mitigate vulnerabilities in the specified part of the network and how confident they are that devices maintain a secure configuration at all times, also revealed:
- 100% of respondents reported effective categorization and prioritization of compliance risks with their network security tools
- 74% of oil and gas, 67% of telcos, and 67% of banking and financial services respondents listed inability to prioritize remediation based on risk as a top challenge in meeting security and compliance requirements
- Increased budgets have little to no impact on the volume of critical misconfigurations detected on networks, with just 3.4% of IT budgets allocated to identifying and remediating misconfigurations
- 45% reported response and resolution of critical network configuration security risks within 1-3 days
- Banking and financial services reported the most frequent checks among Commercial CNI respondents, with 62% in the bi-weekly to once every six months category
- The oil and gas sector reported the highest misconfigurations detected in the previous 12 months
- Telecommunications is the only sector without 100% automation of configuration security reporting
Organizations struggle to meet PCI DSS requirements
The PCI Security Standards Council recently released the most significant changes to its standard since 2004, promoting effective network segmentation, security as a continuous process, and enhanced validation of compliance to address the increases in risks that commercial enterprises need to mitigate.
According to Verizon’s report, PCI DSS 4.0 Requirement 11, which requires organizations to ‘regularly test security systems and processes’, has been the worst-performing individual requirement for sustainable compliance for the last 10 years running. Just 60% of organizations are able to demonstrate that they fully meet this requirement.
This is consistent with the findings of the research study, which also indicates that ‘inaccurate automation’ and an ‘inability to prioritize remediation based on risk’ are the main challenges with meeting corporate security and external compliance requirements for nearly half of all organizations.