Security: Bosses fall for phishing the most


While decision-makers and bosses expect employees to have a high level of cyber security awareness, they themselves most often fall for phishing, use bad passwords or share them outside of the company. These are findings of a study by Ivanti.

The security provider Ivanti has published the results of the international study "State of Security Preparedness 2023". According to the study, German companies are only partially able to effectively fend off attacks. There are major gaps, especially in the areas of patch management and protection against attacks via the supply chain. For the study, Ivanti surveyed 6,500 employees from three functional levels worldwide, 1,050 of them from Germany.

Decision-makers doubt their own security concept

Many German decision-makers have considerable doubts about their security concepts. One in ten managers is convinced that their company cannot prevent or stop a serious security incident within the next 12 months. This means that the concerns of German company leaders are higher than in any other country.

These doubts also affect company finances: 9 out of 10 companies have already built up reserves for ransomware payments and costs in the event of an attack. In this respect too, German decision-makers are the undisputed leaders of the countries considered. Almost half of the annual cyber budget (49%) goes into such reserves; the rest goes into security tools and teams (43%) and cyber insurance (6%).

Cyber awareness on the executive floor? None

🔎 Does the cybersecurity team have the ability to patch vulnerabilities by priority? (Image: Ivanti).

Interestingly, it is above all the C-level decision-makers themselves who lack the necessary cyber awareness. Compared to their office workers, they are about three times more likely to fall victim to phishing attacks:

  • 2/3 were attacked by phishing in the past year
  • 1/3 clicked on scam and phishing emails or made payments
  • 37% have shared a work password with someone outside of the company
  • 71% use passwords that are more than a year old
  • 1/3 uses the same password for different accesses or devices

Against this background, a statement by the management level about the reasons for the lack of cyber excellence in their own company is rather puzzling. For more than 1/3 of them (38%), too much reliance on their own workforce plays a central role. 1/3 of the C level also complains that the security training for employees is inefficient or incomplete.

Problem child patch management

Overall, the Ivanti study makes it clear that German companies are doing a lot to protect themselves against cyber attacks, but the majority of companies are still struggling with a reactive checklist mentality. This is most evident in the processes of the security teams themselves, especially in vulnerability management. Today it is important to close those security gaps that pose an actual risk for the individual company.

But instead of prioritizing vulnerabilities based on risk, German security teams still try to work through as many vulnerabilities as possible. To illustrate: while 9 out of 10 security professionals say they have a method for prioritization, they also confirm that all types of vulnerabilities are equally important to them. In the end, they waste valuable time that cyber attackers take advantage of.

There is no IT security without patch management

🔎 How are vulnerability patches prioritized? (Image: Ivanti).

"Patching remains a core task of IT security," explains Dr. Srinivas Mukkamala, Chief Product Officer at Ivanti. "But even IT and security teams that are well staffed and financially well-resourced still have problems setting the necessary priorities. Corporate security is no longer conceivable today without risk-based patch management. It's about identifying, prioritizing, and fixing vulnerabilities without manual intervention."

On the way to risk-based patch management, German security teams are already a welcome step ahead of the international average. 48% of IT security teams in Germany are already focusing on attack vectors that are actively being exploited rather than the latest vulnerabilities. Globally, the average is just 31%.

Company data are open

Asked about the top attack vectors of the last 2 years, phishing ranked first among security teams by a wide margin (1%). More than half of the security specialists had already had experience with it in the past. Ransomware attacks (51%) or threats to the sales and value chain (22%) follow at a considerable distance. This is significant insofar as attacks on the supply chain in particular have increased significantly worldwide in the past year.

After all: 41% of the security specialists from Germany know that former employees as well as external contractors still have access to systems or data. When it comes to protection against data exfiltration via supply chain attacks, German companies are still quite well positioned compared to other countries. More than half of all IT and security teams (51%) are able to revoke permissions from a third party, consultant or contractor after a service has ended. However, for 37% this already takes 2 to 5 days, which is clearly too long given the narrow time window of an attack via a distribution or value chain.

Country comparison: Germany is doing well

In a country comparison, German security departments are still in a good position, but are struggling with the omissions of the past. They do not have comprehensive insight into all the tools and systems used in the company. They also lack clear methods to measure the effectiveness of their cyber programs. Here, their security processes must improve and grow beyond a reactive security approach.

More at Ivanti.com

 


About Ivanti

The strength of unified IT. Ivanti connects IT with security operations in the company in order to better control and secure the digital workplace. We identify IT assets on PCs, mobile devices, virtualized infrastructures or in the data center - regardless of whether they are hidden on-premise or in the cloud. Ivanti improves the provision of IT services and reduces risks in the company on the basis of specialist knowledge and automated processes. By using modern technologies in the warehouse and across the entire supply chain, Ivanti helps companies improve their ability to deliver - without changing the backend systems.


 
