You want to work with vendors, but doing so can involve risk. Which vendor cyber gaps are the most common, and how can they be remediated?
To answer these questions, Panorays used data from our cyber posture evaluations of tens of thousands of vendors from numerous industries over long periods of time. We extracted the findings that appeared in a large percentage of the companies and omitted obvious low-risk findings that recur in all companies, such as missing recommended HTTP response headers. We focused on cyber gaps that may have a real effect on the resilience of the vendors, and thus the organizations themselves.
Here are the cyber gaps that we found, the number of companies affected by them and how your vendors can fix them:
1. Significant web assets not protected by WAF
Companies affected: 48%
Websites and web applications face a wide range of attacks, from scraping and DDoS to SQL injection and cross-site scripting. A Web Application Firewall (WAF) in front of them has become a baseline control: it filters known attack patterns and absorbs volumetric abuse before requests reach the application.
Tip: The emphasis here is on significant. Not every asset needs the same level of protection, but business-critical web assets (for example, anything that handles payment data or authentication) should sit behind a WAF. Treat the WAF as one layer of defense in depth: WAF rules can be bypassed, so it complements, rather than replaces, fixing vulnerabilities in the application itself.
2. Unpatched web server with severe vulnerabilities
Companies affected: 40%
Patch management is a common and painful subject in security because it takes sustained effort and can disrupt business continuity. Administrators hesitate to upgrade or restart production web servers, and employees working from home are often reluctant to apply updates for fear of being left without a working machine. As a result, a large share of companies struggle to patch known critical vulnerabilities in a timely manner.
Tip: Attacks against unpatched software are mostly opportunistic rather than targeted: scanners look for a banner advertising a vulnerable version and move on when they do not find one. Where patching cannot happen immediately, start with cheaper interim mitigations: suppress version strings in server banners (server_tokens off in nginx, ServerTokens Prod in Apache), apply virtual patching, and add WAF rules for the specific vulnerability. These buy time but do not close the gap, because the vulnerable code is still running and an attacker who fingerprints it by behavior rather than by banner can still exploit it.
3. Vulnerable default CMS configuration
Companies affected: 34%
Content Management Systems such as WordPress are widespread, and so are their security problems. Many operators never change the defaults: default administrator account names and weak passwords, user listings reachable through the author archive or the REST API, the standard login URL, bundled files such as readme.html that disclose the installed version, and XML-RPC left enabled. Each of these gives an attacker a starting point for credential stuffing or brute force.
Tip: Every major CMS publishes a hardening guide (WordPress, for example, has one in its official documentation). Follow it, and then verify the result from the outside, the way an attacker would.
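The following script is an added example written for this page, not Panorays code and not the output of any CMS hardening guide. It performs the outside-in verification suggested above for the two preceding gaps: the header version-disclosure check that the "obscure tech versions" tip under gap 2 calls for, and the stock WordPress exposures listed under gap 3 (generator meta tag, readme.html, default login URL, REST user enumeration, XML-RPC). The checks take a `fetch(path)` callable returning `(status, headers, body)`, so they run offline against the constructed `STOCK_SITE` and `HARDENED_SITE` responses embedded below; `http_fetcher()` builds a real one with urllib for use against a host you are authorised to assess. All path and marker strings are the well-known defaults, but the sample responses are constructed, not captured from any real site.

```python
"""Outside-in checks for server version disclosure (gap 2 tip) and stock
WordPress exposures (gap 3). Added example, not Panorays code."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str], Response]

# Headers that commonly carry a product version string.
VERSION_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
GENERATOR_RE = re.compile(rb'<meta name="generator" content="WordPress ([\d.]+)"')


def version_disclosure_findings(headers: Dict[str, str]) -> List[str]:
    """Flag Server / X-Powered-By headers that reveal a version number."""
    return [f"{name} header discloses a version: {value!r}"
            for name, value in headers.items()
            if name.lower() in VERSION_HEADERS and VERSION_RE.search(value)]


def wordpress_default_findings(fetch: Fetcher) -> List[str]:
    """Probe the well-known default exposures of a stock WordPress install."""
    findings = []
    status, headers, body = fetch("/")
    findings += version_disclosure_findings(headers)
    m = GENERATOR_RE.search(body)
    if m:  # emitted by default and names the core version
        findings.append(f"generator meta tag discloses WordPress {m.group(1).decode()}")

    status, _, body = fetch("/readme.html")  # ships with core, states the version
    if status == 200 and b"WordPress" in body:
        findings.append("readme.html is reachable and discloses the version")

    status, _, body = fetch("/wp-login.php")  # default login URL, brute-force target
    if status == 200 and b'id="loginform"' in body:
        findings.append("default login page /wp-login.php is exposed")

    status, _, body = fetch("/wp-json/wp/v2/users")  # REST user enumeration
    if status == 200:
        try:
            users = json.loads(body)
        except ValueError:
            users = []
        slugs = [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]
        if slugs:
            findings.append(f"REST API enumerates user slugs (default: login names): {slugs}")

    status, _, body = fetch("/xmlrpc.php")  # enabled by default; amplifies brute force
    if status == 405 or b"XML-RPC server accepts POST requests only" in body:
        findings.append("xmlrpc.php is enabled")
    return findings


def http_fetcher(base_url: str, timeout: float = 10.0) -> Fetcher:
    """Real fetcher: GET base_url + path, returning (status, headers, body)."""
    def fetch(path: str) -> Response:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "exposure-check/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.getcode(), dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return fetch


def canned_fetcher(site: Dict[str, Response]) -> Fetcher:
    """Offline fetcher over constructed responses (404 for unknown paths)."""
    return lambda path: site.get(path, (404, {}, b""))


# Constructed responses imitating a stock install (not captured from a real site).
STOCK_SITE: Dict[str, Response] = {
    "/": (200, {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"},
          b'<html><head><meta name="generator" content="WordPress 5.4.2" /></head></html>'),
    "/readme.html": (200, {}, b"<h1>WordPress</h1><p>Version 5.4.2</p>"),
    "/wp-login.php": (200, {}, b'<form name="loginform" id="loginform" method="post">'),
    "/wp-json/wp/v2/users": (200, {"Content-Type": "application/json"},
          b'[{"id":1,"name":"Site Admin","slug":"admin"},{"id":2,"name":"J. Doe","slug":"jdoe"}]'),
    "/xmlrpc.php": (405, {}, b"XML-RPC server accepts POST requests only."),
}

# Same site after hardening: banners stripped, readme removed, login URL moved,
# REST user listing restricted to authenticated users, XML-RPC blocked.
HARDENED_SITE: Dict[str, Response] = {
    "/": (200, {"Server": "Apache"}, b"<html><head></head></html>"),
    "/wp-json/wp/v2/users": (401, {}, b'{"code":"rest_cannot_access"}'),
    "/xmlrpc.php": (403, {}, b"Forbidden"),
}

if __name__ == "__main__":
    for label, site in (("stock", STOCK_SITE), ("hardened", HARDENED_SITE)):
        print(label, wordpress_default_findings(canned_fetcher(site)))
```

Run as-is, the script reports seven findings for the stock site and none for the hardened one; swap `canned_fetcher(...)` for `http_fetcher("https://vendor.example")` to run the same checks against a live host. Note that a 200 on readme.html or a non-empty user list is evidence, not proof, of weakness: a site can be fully patched and still expose these, and the inverse is also true, so treat the output as input to the vendor conversation rather than a verdict.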
4. Insufficient security team personnel
Companies affected: 31%
Dealing with the abundance of security responsibilities in today's organizations requires people as well as tools. Dedicated functions such as the CISO office and a SOC should exist and be properly staffed to handle the growing volume of incidents and cyber-related tasks.
This category was not among the top five cyber gaps in 2019, which raises the question of why it has become more common. One plausible explanation is the significant employee cutbacks that followed COVID-19.
Tip: Educate yourself on best practices for your industry and company size for building a strong security team.
5. Supporting deprecated SSL protocols
Companies affected: 25%
A surprisingly high percentage of companies still support deprecated and broken protocol versions such as SSL v2, and it often takes only a single forgotten host among thousands of assets. SSL v2 has been prohibited by RFC 6176 since 2011 (and SSL v3 by RFC 7568 since 2015). These versions negotiate weak and export-grade ciphers and have handshake and integrity weaknesses with practical attacks, and an SSL v2 endpoint that shares a private key with a modern TLS server can be used to break that server's TLS sessions as well (the DROWN attack). In practice they negate the confidentiality and authentication that encryption is supposed to provide.
Tip: This gap is easy to remediate: disable SSL v2 and SSL v3 in the server configuration and verify the change from the outside. Legacy-client support is not a valid reason to keep them, since TLS 1.0, which superseded SSL, has been available since 1999 and current clients support TLS 1.2 or 1.3.
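The following probe is an added example written for this page, not Panorays code and not how the report's evaluations were performed. It shows the outside-in verification step above for SSL v2 specifically. Modern TLS stacks, including Python's ssl module, cannot negotiate SSL v2 at all, so the script hand-builds an SSL v2 CLIENT-HELLO from the SSL 2.0 message format, sends it raw, and reports SSL v2 as supported only if the server answers with an SSL v2 SERVER-HELLO; a TLS alert, an SSL v2 ERROR message or a closed connection all count as "not supported". The `sample_server_hello()` bytes are constructed for the offline demonstration, not captured from a real server; the certificate bytes in it are placeholders. Only run `probe_sslv2()` against hosts you are authorised to assess.

```python
"""Probe a host for SSL v2 support. Added example, not Panorays code."""
import socket
import struct
from typing import Dict, List, Optional

# The seven CIPHER-KIND values defined for SSL 2.0 (3 bytes each).
SSLV2_CIPHER_KINDS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (high bit = no padding)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher kind and no session id."""
    cipher_specs = b"".join(SSLV2_CIPHER_KINDS)
    body = (b"\x01"                        # msg_type = CLIENT-HELLO
            + b"\x00\x02"                  # version = SSL 2.0
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return sslv2_record(body)


def parse_server_hello(data: bytes) -> Optional[Dict[str, object]]:
    """Return the SERVER-HELLO fields, or None if data is not an SSLv2 SERVER-HELLO."""
    if len(data) < 2 or not data[0] & 0x80:     # TLS records start 0x14..0x17
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    # msg_type(1) session_id_hit(1) cert_type(1) version(2) cert_len(2) cipher_len(2) conn_id_len(2)
    if len(body) < 11 or body[0] != 0x04:       # 0x04 = SERVER-HELLO; 0x00 = ERROR
        return None
    cert_len, cipher_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    cipher_bytes = body[11 + cert_len:11 + cert_len + cipher_len]
    ciphers: List[str] = [SSLV2_CIPHER_KINDS.get(cipher_bytes[i:i + 3], cipher_bytes[i:i + 3].hex())
                          for i in range(0, len(cipher_bytes), 3)]
    return {"version": body[3:5], "certificate_length": cert_len, "ciphers": ciphers}


def recv_record(sock: socket.socket) -> bytes:
    """Read one SSLv2-framed record, or whatever the peer sends before closing."""
    data = b""
    try:
        while len(data) < 2:
            chunk = sock.recv(4096)
            if not chunk:
                return data
            data += chunk
        wanted = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF) if data[0] & 0x80 else len(data)
        while len(data) < wanted:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    return data


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[Dict[str, object]]:
    """Connect, send the CLIENT-HELLO and parse the reply; None means no SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(recv_record(sock))


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO (not a real capture) accepting RC4-128 and 3DES."""
    cert = b"\x30\x82\x00\x00"          # placeholder bytes standing in for a DER certificate
    ciphers = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\xaa" * 16
    body = (b"\x04\x00\x01\x00\x02"     # SERVER-HELLO, no session hit, X.509, version 2.0
            + struct.pack(">HHH", len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return sslv2_record(body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_sslv2(sys.argv[1]))
    else:
        print(parse_server_hello(sample_server_hello()))
```

With no argument the script parses the constructed sample and prints the two cipher kinds it accepts; with a hostname it sends the probe to port 443. A non-None result is the finding to raise with the vendor, together with the cipher list, since even the "strong" SSL v2 kinds rely on MD5 and 40-bit export variants are still commonly offered by servers that accept the protocol at all.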
While the above are the most common cyber gaps we found, there are many more. Because technology keeps on evolving, new vulnerabilities are constantly being introduced, leading to new cyber gaps that can be exploited by criminals. For this reason, it’s important for organizations to assess and continuously monitor vendors to uncover all cyber gaps and close them.