Protect those end-points

Bit9 + Carbon Black survey shows endpoint systems still seen as major weak points, while at the same time PCI DSS compliance failings put customer credit cards at risk


Bit9 + Carbon Black, which specialises in endpoint threat prevention, detection and response, has been working with researchers Vanson Bourne to conduct a cyber-security study which shows some continued weakness in the security regimes of some services, and an on-going state of fear and doubt about IT security generally.

The two key findings in the survey are that 64 percent of UK IT decision-makers said they expect their organisation to be the target of a cyber-attack within the next 12 months. Meanwhile, only 12 percent of IT organisations in the UK are completely confident that their endpoints are compliant with PCI DSS V.3.0.

The fear of cyber-attack is still high, and perhaps with some justification. The survey also showed that 32 percent of those surveyed confirm their business was hit by a cyber-attack during the past year, a figure that was compounded by the fact that many respondents admitted they were uncertain about their ability to detect a cyber-attack. Almost half of those surveyed said they did not even know if they had been compromised.

Highlighting the problem of blind spots on enterprise endpoints, 61 percent rated their ability to detect suspicious behaviour in advance of an attack as no better than average.

In organisations that use point-of-sale (POS) systems to process credit card payments, 70 percent admitted they had no way of knowing if their systems had been targeted. And only 20 percent were able to say with confidence that their POS systems had not been targeted by cyber-attack.

Among POS users, just over half were confident or very confident that their current security solution would be able to stop advanced threats or targeted attacks against their systems.

“Visibility is critical for effective security, yet these results show that far too many organisations don’t know what’s happening on their endpoints”, said Ben Johnson, chief evangelist for Bit9 + Carbon Black. “You can’t stop advanced threats and targeted attacks if you can’t see what’s happening. Prevention, detection and response are built on the ability to see all activity on every endpoint and server”.

The PCI DSS compliance figure does indicate that many users have poor cyber-security safeguards for those systems that process credit card payments and handle customers’ personally identifiable information (PII).

While 94 percent of respondents said they have heard of PCI compliance, and 66 percent acknowledged that PCI applies to their organisations, only 21 percent admitted they feel up-to-speed regarding PCI compliance requirements.

Almost half (46 percent) of respondents working in organisations with POS systems indicated that they cannot adequately monitor and control access to critical data on their endpoints (i.e., credit card data and personally identifiable information)—suggesting that endpoint systems and payment card data are largely unprotected and vulnerable to being breached.

Additionally, only one-fifth of those with POS systems could definitely say that their systems have not been targeted by cyber attacks, and almost half admitted that they have no way of being certain. Only 52 percent of POS users surveyed are confident, or very confident, that their current security system is able to stop advanced threats or targeted attacks against their POS systems.

“These results highlight a major lack of confidence and knowledge around PCI 3.0 with an urgent need for organisations to improve protection of endpoint systems and the credit card data they house, against cyber threats”, commented Christopher Strand, senior director, compliance for Bit9 + Carbon Black.

The survey, conducted by Vanson Bourne, covered 250 UK IT decision makers, working in organisations of at least 250 employees, across a spread of industries.

It also showed that only 10 percent of the IT budget is being spent on meeting new PCI 3.0 requirements (in organisations where PCI is relevant); that only 12 percent of those in organisations where PCI compliance is relevant were completely confident that their organisation's retail endpoints are PCI compliant; and that endpoint vulnerability continues to be the biggest concern for 38 percent of decision makers.

One startling fact to emerge is that, despite all the press coverage and hoopla, some 74 percent of respondents were still relying on systems running Windows XP. What is more, only 29 percent of these were expecting to deploy a new operating system in the near term, despite the fact that XP is well past its end of life.

This then compares rather starkly with the survey result that 41 percent of respondents also see end-user machines such as laptops and desktops as being most vulnerable to cyber attack.

Looking at the source of possible cyber-attacks, 61 percent saw disgruntled employees as being one of the top three most likely attackers, exceeded only by Anonymous or other hacktivists, at 86 percent, and cyber criminals, at 77 percent.

Responding to the findings, Strand added: “In an industry fraught with identity theft and cyber crime, it's essential that companies protect their customers’ credit card data and personal information. This can only be achieved by putting in place a positive security model that will monitor and control all servers, endpoints and critical data. Whilst the PCI regulations may seem intimidating, the results of a breach far outweigh the effort involved in ensuring your organisation is compliant.”
