IT security professionals have said for years that one of the biggest vulnerabilities in organizations is systems that don’t have the latest patches.
But according to a recent survey the message still hasn’t sunk in.
Only 42 per cent of IT officials said they had a fully mature patch management process in place, says a survey conducted for managed security vendor Trustwave. Another 46 per cent described their patch management system as “partially” mature. In fact, 12 per cent don’t have a patch management process in place at all.
Not only that, 21 per cent of respondents said their organization doesn’t hold regular security awareness training for all staff — considered vital to avoid people falling for phishing scams.
Of those who do awareness training, 12 per cent do it monthly, 22 per cent do it quarterly, 10 per cent do it twice a year and 35 per cent do it once a year.
Only 20 per cent encrypt sensitive data.
The survey was done over 16 months and included 476 CIOs, CTOs, IT managers and network administrators from more than 50 countries, although most were based in the United States, United Kingdom and United Arab Emirates.
Full survey results will be released next week.
“Businesses must look at security as a business-as-usual imperative,” Michael Aminzade, vice-president of Trustwave’s global compliance and risk services, said in a statement.
“Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached.”
The results weren’t all bad: Only five per cent said senior managers in their organizations don’t take an active role in IT security matters, and only eight per cent said their middle managers aren’t active on security.
Still, 23 per cent of the IT people say they never hold security planning meetings, and of those who have incident response plans 21 per cent admitted they are never tested.
Trustwave recommends organizations ensure their security messages for staff are simple and clear, that there be a security plan and strategy, that staff work in teams and that the organizations review security processes and policies regularly.