Poor security governance that fails to adequately assess and manage the full IT estate leaves IT 'blind' when major issues are uncovered, such as the Heartbleed flaw that appeared in April.
This is the view of Martin Borrett, director of the IBM Institute of Advanced Security Europe, who told V3 that firms often fail to understand the scope of their security requirements.
“When I look at Heartbleed it makes me reflect how important it is to have a well thought through incident response plan – being prepared to respond to the discovery of vulnerabilities in a timely and appropriate way,” he said.
“In order to do that you need to understand your assets, systems, services and have control of them so you know the scope of a vulnerability issue and how to deal with it.”
But this is often not the case, with companies unaware of the extent of their IT estates and what needs to be fixed in the aftermath of a new vulnerability coming to light. Borrett said there are usually two main issues that cause this.
“We see a number of mergers and acquisitions within organisations so their estate grows and sometimes those estates – the ones being acquired – don’t have the level of maturity of other parts of the organisations, so I think that’s a challenge people need to address,” he said.
“The other issue is IT sprawl. As people become more reliant on distributed systems and there are more mobiles in organisations it challenges basic service management principles.”
This was a point emphasised in a recent IBM Trusteer X-Force Threat Report, which noted that the organisations most at risk from Heartbleed were those that did not have an up-to-date IT asset database.
“Organisations that had struggled to maintain a current asset database were left blind to which systems were vulnerable and which systems were critical. Even if they had an incident-response plan, they needed an up-to-date asset database in order to deploy it,” the report said.
“On the other hand, companies that had maintained their asset database and incident response plan were able to rapidly deploy patches on critical systems vulnerable to attack, thereby reducing their exposure to Heartbleed. They also face significantly less risk for threats in the future.”
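The report's point is that triage is impossible without a current asset database. The following added example (not from the article or the IBM report) shows the check an asset database makes possible: given a constructed inventory listing each host's OpenSSL version, criticality and TLS exposure, it flags the versions in the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas before beta2), orders the patch queue by criticality, and separates out hosts whose version was never recorded, which is exactly the "blind" case the report describes. Host names, versions and the field layout are assumptions.

```python
import re

# Constructed sample asset inventory (illustrative values, not real hosts).
# "openssl" is the library version each host reports; None means the
# database has no record, i.e. the host cannot be triaged at all.
INVENTORY = [
    {"host": "web-01", "openssl": "1.0.1e", "critical": True, "tls": True},
    {"host": "web-02", "openssl": "1.0.1g", "critical": True, "tls": True},
    {"host": "db-01", "openssl": "1.0.1f", "critical": True, "tls": False},
    {"host": "build-01", "openssl": "0.9.8y", "critical": False, "tls": True},
    {"host": "legacy-01", "openssl": None, "critical": False, "tls": True},
    {"host": "vpn-01", "openssl": "1.0.2-beta1", "critical": True, "tls": True},
]

# Matches e.g. "1.0.1e", "1.0.1", "1.0.2-beta1", "1.0.2-beta".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d*))?$")

def heartbleed_affected(version):
    """True if an OpenSSL version string is in the CVE-2014-0160 range:
    1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1. 1.0.1g and
    1.0.2-beta2 onward carry the fix; 0.9.8 and 1.0.0 never had the bug."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    if (major, minor, patch) == ("1", "0", "1"):
        return letter <= "f"            # "" (plain 1.0.1) up to "f"
    if (major, minor, patch) == ("1", "0", "2"):
        return beta is not None and beta in ("", "1")
    return False

def triage(inventory):
    """Split hosts into a patch queue (vulnerable, critical and TLS-exposed
    first), an 'unknown' list (no version on record) and a clear list."""
    vulnerable, unknown, clear = [], [], []
    for asset in inventory:
        if asset["openssl"] is None:
            unknown.append(asset["host"])
        elif heartbleed_affected(asset["openssl"]):
            vulnerable.append(asset)
        else:
            clear.append(asset["host"])
    vulnerable.sort(key=lambda a: (not a["critical"], not a["tls"], a["host"]))
    return [a["host"] for a in vulnerable], unknown, clear
```

The "unknown" list is the actionable output for governance: every host on it has to be inventoried before the incident response plan can even be applied to it.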
As a result, the report noted that despite Heartbleed being almost six months old, IBM's Managed Security Services (MSS) division still witnesses around 7,000 attacks every day that try to use the Heartbleed flaw to penetrate firms' systems.
Summing up, Borrett said that there was no quick fix to any of these issues: “You need to have constant vigilance – that’s a phrase I use a lot – and that in turn reinforces the need for good governance and the need for preparedness. I think those three qualities are vital.”
The warnings are especially noteworthy after recent research into Heartbleed found that the first attacks exploiting the issue occurred less than 24 hours after it was announced, underlining the speed with which crooks rush to exploit newly disclosed flaws.