New research from Armis found that cybersecurity teams in the United Kingdom are struggling to manage cyber threat information and navigate complex government regulation, while a lack of policy enforcement is allowing employee behaviour to leave businesses exposed. 

The research, surveying security and IT decision-makers, found that the employees of more than two in three (67%) organisations are introducing risk to the business by downloading applications and software onto assets without the knowledge or management of IT or security teams. 

Furthermore, many organisations (39%) admit to feeling challenged by the UK’s increasingly complicated regulations and governance requirements. 

“Companies need to rapidly adapt to new stringent regulations that are moving away from traditional check-the-box obligations. This requires teams to quickly understand their organisation’s corresponding capability gaps, the path to compliance, and to convince other teams required to achieve compliance to prioritise such efforts. This is by no means easy” said Curtis Simpson, CISO, Armis. “ Lack of policy enforcement can contribute to gaps requiring urgent remediation while also further complicating an organisation’s attack surface. Preventing material compliance and security breaches requires a focus on the foundational, with the business in mind: policy adoption and enforcement, contextual asset visibility and monitoring, exposure and vulnerability prioritisation and remediation.” 

Key findings from Armis research, commissioned with Vanson Bourne, include: 

A high number of assets in the company environment remain unseen, unmanaged and lack appropriate security measures. Without the correct asset context and policy enforcement, only a partial view of the attack surface is achieved. 

• Around 45,000 assets are connected to UK organisations’ networks on average on a given business day. 
• Over a third (39%) of respondents indicated a lack of complete visibility over company owned assets connected to the business environment, and 42% reported a lack of control and management over these assets. 
• Over three quarters (77%) of respondents indicated a lack of visibility over employee owned assets connected to the business environment, and 78% reported a lack of control and management over these assets. 
• There are gaps in the enforcement of BYOD policies, with only one in two (51%) of organisations having a BYOD policy that is enforced across all employees. 
• 69% of respondents acknowledge their organisation needs better policies and procedures in order to deal with security vulnerabilities. 

Prioritising remediation of vulnerabilities is jeopardised by an absence of automation for threat intelligence, leaving an open door for malicious actors. 

• UK respondents report using eight different sources to collect data relating to threat intelligence. 
• Just 52% to 55% of processes related to threat intelligence are automated, which means that a lot of the work needed to make use of the intelligence sources is a manual effort. 
• What’s more, just over half (51%) of the threat intelligence information gathered is actionable. 
• This is leading to one in four (25%) UK cybersecurity teams feeling overwhelmed by the cyber threat information they receive. 
• 39% of UK organisations suffered a security breach as part of a cyberattack in the past 12 months. 

“Organisations need to prioritise security across the entire organisation, including employee-owned devices, to mitigate risk,” said David Critchley, Regional Director UKI, Armis. “This can’t be done manually, there are just too many assets with potentially unknown vulnerabilities. That’s why automation is absolutely key to help bridge the security skills gap, manage the security posture at scale and see, protect and manage the entire attack surface.” 

To read the full research report from Armis, including a global view of this data and comprehensive breakdown for each region, please visit: https://www.armis.com/attack-surface-management