A survey compiled last month at the RSA security conference reveals that most companies still lag behind on proper security practices, and some of them even intentionally ignore security flaws for reasons ranging from lack of time to lack of know-how.
The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known.
Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.
But not all companies apply patches, the survey revealed. Around 26% of respondents said their company ignored a critical security flaw because they didn’t have time to fix it.
But even more mind-boggling is that 16% of organizations said they've also ignored a critical security flaw because they didn't have the skills to patch it.
Some respondents appear to be aware of the fact that their systems are vulnerable to attacks, with 71% admitting that they would be able to hack their own company, while only 9% said this would be "very unlikely."
Asked how they would do this, 34% said they'd use social engineering (phishing and other methods), 23% said they would target an insecure web application, 21% said they'd try to compromise a cloud service account, and 21% said they'd target an employee's mobile device (smartphone or laptop).
These proportions are nearly identical to how respondents viewed their company's least secure point, with 25% fingering their cloud infrastructure, 23% their IoT devices, 20% their mobile devices, and 15% their firm's web applications.
These admissions of some pretty abysmal failings in overall company security best practices are also why the answer to one particular question was not a big surprise.
When asked if their company ever hired a penetration tester, only 17% said yes, while 35% said that even if they were to hire penetration testing services they were sure the pen-testers wouldn’t expose any new risks or flaws.
The sheer ignorance of such a statement somewhat explains why some respondents admitted to not having the time to apply security patches or the know-how to do so. Good thing the survey was anonymized. Everyone would just love to know which companies don't have the time for security these days.
The survey's full answers, broken down in simple pie charts, are available in a PDF document via the website of Outpost24, a cyber-security firm based in Sweden.