Only 80% of the organisations surveyed in a recent study have a patch management policy in place. This is equal to the result from the same 2016 survey, which suggests that the massive WannaCry and NotPetya malware attacks have had a limited impact on the implementation of endpoint security.
A quarter (24%) of respondents complete necessary security updates in less than a week, but almost half (49%) take more than two weeks, and 20% take more than a month to complete updates.
It is also important to note that, last year, two thirds of respondents said patch management took them more than 8 hours a week, so it is clearly a time-consuming process for most organisations. However, updates are critical to the successful prevention of data breaches, and must not be glossed over.
The most commonly used tools to minimise IT risk are those that remove administrator privileges for users (45%), followed closely by whitelisting (32%) and blacklisting (32%).
In 36% of companies surveyed, users aren’t given any administrator rights, and 39% of companies have implemented tools or policies for managing administrator rights. Tools that provide Just In Time (JIT) administration (14%) and Just Enough Administration (JEA) (5%) are far less common.
JIT and JEA are essential to IT security because they provide users with privileges they need without giving them privileges that could threaten the company’s security, thereby providing a balance between efficiency and risk. Companies seem to have understood this to an extent: only a minority (13%) now give administrator rights to all users – a sharp drop from last year (55%).
Only one-third of businesses have full visibility into their IT environment (physical, virtual, online, offline, etc.). And while almost half (46%) have partial visibility, 18% have no visibility or reporting capabilities at all. In comparison, just over half of respondents felt that they had sufficient visibility into their IT environment in 2016.
Simon Townsend, chief technologist at Ivanti, said: “This study suggests that while organisations may have taken certain strides towards increased endpoint security in the wake of 2017’s devastating attacks, patching quickly and comprehensively, and demonstrating compliance with company policies, is still not a priority for many companies. However, we can see that awareness of the importance of IT security has increased, and I have high hopes that this will translate into the implementation of better policies and more robust solutions next year.”