Lack of Hardened Benchmarks Leads to Poor Cyber Hygiene

The Center for Internet Security (CIS) refers to an organization's implementation of security controls as its “cyber hygiene,” but a new survey finds that nearly two-thirds of organizations are not practicing good cyber hygiene habits as they have no established benchmarks for implementing security controls.  The new State of Cyber Hygiene Report by Tripwire surveyed 306 IT security professionals to learn if and how organizations are implementing security controls. Conducted in July 2018 in partnership with Dimensional Research, the survey found that almost two-thirds of organizations admitted that they do not use hardening benchmarks, such as CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline. “These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience," said Tripwire’s Tim Erlin, vice president of product management and strategy, in a press release. "It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward." Maintaining visibility of their environments is an ongoing challenge for many organizations, which makes it difficult for them to quickly address unauthorized potential issues. While attackers can launch a successful network attack in minutes, 57% of respondents said it takes them hours, weeks, months or longer to detect new devices connecting to their organization’s network.