According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick.
Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts.
Fully 79 percent of respondents said they have learned lessons from major cyber attacks and have taken appropriate action to improve security.
Sixty-seven percent now believe their CEO and board of directors provide sound cyber security leadership, up from 57 percent in 2015.
The top actions taken as a result are increased deployment of malware detection (25 percent), endpoint security (24 percent), and security analytics (16 percent).
Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 — and 82 percent believe the security industry in general is making progress against cyber attackers.
Still, 36 percent believe a cyber attacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past wo years.
And while 95 percent of organizations now have a cyber security emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff.
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyber attack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider’s ability to protect their data.
The top ranked concerns for organizations in the next 12 months include DDoS attacks (19 percent), phishing attacks (14 percent), ransomware (13 percent), privileged account exploitation (12 percent), and perimeter breaches (12 percent).
CyberArk CMO John Worrall said in a statement that the survey findings show that cyber security awareness doesn’t always equate to being secure. “There’s a fine line between preparedness and overconfidence,” he said. “The majority of cyber attacks are a result of poor hygiene — organizations can’t lose sight of the broader security picture whilst trying to secure against the threat du jour.”
Separately, a recent survey [PDF] of more than 3,000 employees and IT practitioners in the U.S. and Europe found that just 39 percent of end users believe they take all appropriate steps to protect company data accessed and used in the course of their jobs, a significant decrease from 56 percent in 2014.
The survey, conducted by the Ponemon Institute and sponsored by Varonis Systems, also found that while 52 percent of IT pros believe that policies against misuse or unauthorized access to company data are being enforced and followed, just 35 percent of end users say their organizations strictly enforce those policies.
Similarly, while 61 percent of IT professionals view the protection of critical company information as a very high or high priority, just 38 percent of employees feel the same way.
Thirty-eight percent of IT practitioners and 48 percent of end users believe their organizations would accept more risk to the security of their corporate data in order to maintain productivity.
Just 35 percent of end users, compared to 53 percent of IT practitioners, believe the protection of company data is a top priority for their CEO and other C-level executives.
“If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users’ compliance with information security policies and procedures,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement. “Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration.”
A recent eSecurity Planet article examined 7 best practices for database security.