UK: Study Shows Enterprise Endpoints Vulnerable to Attack

Key findings of a survey of 250 IT decision makers across the UK’s private and public sector enterprises to assess levels of security awareness, confidence and readiness

Companies today face a daunting challenge – needing to fend off attacks from cyber thieves, hacktivists and even disgruntled employees.  Endpoint devices, especially across retail, financial services and hospitality point-of-sale (POS) applications, have become sitting targets, with enterprises surprisingly unprepared to deal with these advanced security threats.

These vulnerabilities highlight the importance of being able to see and immediately stop advanced threats that target an organisation’s counter and office-based endpoint devices.  In a bid to assess the security stance of UK enterprises, we surveyed 250 IT decision makers across the UK’s private and public sector enterprises to assess levels of awareness, confidence and readiness in three main areas: being prepared for cyber attack, attitudes toward and compliance with the PCI Data Security Standard (DSS), particularly version 3.0, and prevalence of Windows XP as the OS approached its end of life.

The key findings were very concerning and highlighted a number of blind spots across enterprise endpoints.

Enterprises are uncertain about vulnerability to cyber attack

Many organisations were uncertain about their ability to detect a cyber attack as almost half of those surveyed (49%) did not know if they’d been compromised within the last year, whilst 61% of respondents rated their ability to detect suspicious endpoint activity, in advance, as no better than average.  This was in spite of the fact that end-user machines (i.e., desktops and laptops) were seen as the most vulnerable to cyber threats (41%).

The other half of respondents were more sure of their position, with one in five saying they had definitely not suffered an attack and almost a third of companies (32%) saying they definitely had been targeted by a cyber attack during the past 12 months.

Organisations may be uncertain about previous attacks, but they are more sure of future danger with almost two thirds (64%) expecting to be targeted within the next year.

[image_library_tag b20ab898-f5f2-4b14-85f1-04d8991501ae 640x849 alt="11" title="11" width="640" height="849"class="center "]

Organisations failing to manage or monitor POS activity

Almost half (46%) of respondents working in organisations with POS systems indicated that they cannot adequately monitor and control access to critical data on their retail endpoints, such as credit card numbers and customers’ personally identifiable information.  Severe consequences are likely with only half (52%) of enterprises feeling confident or very confident they could stop an attack on their organisation if launched through POS terminals.  Uncertainty continues as a theme for seven in every ten respondents who reported they had no way of knowing whether they’d been attacked or not – a significant failing when you realise that some of the biggest cyber attacks in history have stemmed from compromised POS systems.

Security standards compliance found to be poor

Only one in eight companies for which the Payment Card Industry Data Security Standard (PCI DSS) was relevant felt confident that their endpoints were PCI compliant – highlighting a lack of confidence in the security of retail endpoints, and a worrying outlook for those organisations needing to meet the requirements of PCI DSS v.3.0 by January 2015.  Thankfully though, awareness of PCI is high with almost all respondents (94%), even though only 21% felt up-to-speed with its requirements.  However, only 10% of the IT budget is being spent on meeting new PCI 3.0 requirements (in organisations where PCI is relevant) resulting in many companies being more vulnerable to data breach.

[image_library_tag 92c2403d-29f2-4f6e-851d-6f70d1223799 640x951 alt="11" title="11" width="640" height="951"class="center "]

Migration away from Windows XP is slow

Almost three quarters (74%) of respondents still had systems running on Windows XP, even though the OS has now reached end of life and no longer receives security updates, unless users pay for premium service. Only 29% of these had plans to deploy a new operating system in the near term - highlighting the increased vulnerability of these systems to cyber attack.

Visibility is critical for effective security

These survey results show that far too many organisations don’t know what’s happening on their endpoints.  You can’t stop advanced threats and targeted attacks if you can’t see them.  Prevention, detection and response require the ability to see all activity - on every endpoint and server.  Businesses must implement processes and protection to address an endemic complacency toward security and avoid potentially devastating breaches.


Ben Johnson is Chief Evangelist for Bit9 + Carbon Black