Business Standard


Organisations worldwide not keeping up with new security threats


Announcement Corporate

New data also suggests that organisations are sweating assets and refreshing devices of higher risks

Over 73% of corporate network devices analysed by Dimension Data during 2010 were carrying at least one known security vulnerability. This is almost double the 38% recorded in 2009. The data also revealed that a single higher risk vulnerability – PSIRT 109444* – which was identified by Cisco in September 2009, was found in a staggering 66% of all devices, and was responsible for this jump. If PSIRT 109444 was taken out of the equation, the next four vulnerabilities were found in less than 20% of all devices, suggesting that organisations are trying to improve in terms of remediation.

These are some of the key findings in the Network Barometer Report 2011 published today by the global specialist IT services and solutions provider. The Report covers aggregate data compiled from 270 Technology Lifecycle Management (TLM) Assessments conducted in 2010 worldwide by the Group for organisations of all sizes across all industry sectors. It reviews the networks’ readiness to support business by evaluating the configuration variance from best practices, potential security vulnerabilities, and end-of-life status of those network devices.

“Despite the pressure from regulatory bodies, consumers and their executives to protect customer information and privacy, as well as sensitive business information from both cyber criminals and competitors, many organisations still do not have consistent and complete visibility of their technology estates”, says Matthew Gyde, General Manager for Network Integration, Dimension Data Asia Pacific. “In fact, previous research not related to the Network Barometer Report carried out by Dimension Data found that clients are unaware of as much as 25% of their networking devices.”

The prevalence of PSIRT 109444 illustrates that a pervasive threat can occur literally overnight. “It only takes one vulnerability to expose the entire organisation to a security breach, so organisations must do much more to protect themselves,” says Gyde. “This includes increasing the number of regular network scans to ensure that any vulnerability is picked up before it causes serious business continuity, compliance failure, or reputational damage.”

On the other hand, the total percentage of network devices which have passed last-day-of-support (LDoS) has dropped dramatically from 31% in 2009 to 9% in 2010. However, the total amount of technology late in the obsolescence phase remains high, with the percentage of devices in late stage end-of-life sitting at a substantial 47% (see page 14 of results summary attached). This could be evidence that more organisations are choosing to sweat** assets up to, but not beyond, the highest risk lifecycle stage.

Gyde says, “While some organisations appear to be ‘sweating’ network assets for financial benefits, if the cost savings aren’t weighed against the risks, they could also be exposing themselves to serious business continuity issues.”

It is not definite that the drop in the percentage of devices beyond LDoS means that organisations are choosing to push certain assets past a certain lifecycle stage. However, the results certainly suggest that clients are more aware of their network assets and are refreshing those devices where risk is greatest. The assertion that older devices are at higher risk of security breaches is acknowledged by standards and compliance bodies.

Gyde says, “If organisations detect a critical asset past end-of-software maintenance, they’re not likely to have access to the latest vendor-supplied security patches. Failure to apply patches would be a direct violation of many compliance standards, including the Payment Card Industry Data Security Standard (PCI DSS). Then the door is open to security breaches, litigation, punitive damages and even reputational loss.”

Organisations need to know where the assets are, what they do, and what the implications are when any one of them breaks and becomes unsupportable. In order to achieve this, visibility into the lifecycle status of their assets is critical, so that their age and viability can be properly assessed.

Besides the risk of network failure, IT departments may also uncover older devices that don’t support new applications and solution investments.

 

 


First Published: May 27 2011 | 4:32 PM IST
