Can enhanced asset-security management suffer from tool sprawl or encompass the use of manual spreadsheets? One survey gathered some international data…

In a May and June 2023 survey of 900 IT security and IT decision-makers from around the world* on the topic of attack surface management, the data showed that, with their organizational attack surface growing in size and complexity, respondents needed to do more to reduce corporate exposure to further risk.

For the 100 respondents from Singapore, the data showed:

    • 70% reported that they had been breached at least once over the last 12 months (versus 61% in the overall data average)
    • 26% reported that they had experienced multiple breaches in the same period (versus 31% in the overall data average)
    • 43% of those who reported one or more breaches in the last 12 months indicated facing operational downtime, 37% experienced financial loss, and 30% suffered productivity loss and/or data loss.

At the international level, the data showed:

    • 50% of respondents cited having complete control/management of the organization-owned-and-managed assets currently connected to their network. For employee-owned assets the percentage was 37%.
    • On average, respondents cited that 60% of the assets connected to the corporate network were monitored and 40% were unmonitored.
    • 99% of respondents cited that they were using some kind of tool to manage the assets connected to their network.
    • 9 was the average number of different tools that respondents cited using to manage connected assets, consisting of: configuration management databases (58%), mobile application management (57%) and SaaS visibility solutions (56%). 45% of respondents cited using 10 or more tools.
    • 44% of all respondents cited using manual spreadsheets to manage connected assets.
    • 75% of respondents cited that their organization’s employees were able to bypass security and download applications and software onto assets without the knowledge of IT or IT security teams at least “some of the time”; another 25% cited that this was “happening all the time”.
    • 29% reported that their cybersecurity teams were currently overwhelmed by cyber threat information.
    • Generally, respondents were struggling to prioritize their cybersecurity efforts and minimize threats due to a lack of visibility over their environment and the use of a high number of asset management tools and threat intelligence sources that were “too reliant on manual processes”.

According to Gwen Lee, Regional Director (APJ), Armis, the firm that commissioned the survey: “Currently, there is an inadequacy in the traditional security measures being used to combat the high volume and frequency of increasingly sophisticated attacks. This needs to be addressed to ensure protection and continuous operation for all industries.”

The firm’s CISO, Curtis Simpson, commented: “Attackers will look to exploit any weakness possible to gain access to an organization’s network. Security teams must be able to continuously understand, prioritize and lead the organization through the incremental remediation of risks and exposures of greatest potential strategic and operational impact. The responsibility lies on organizations to ensure that they have the needed oversight to see, protect and manage all physical and digital assets based on what matters most to their business.”

* Organizations with 1,000 or more employees across the US (250 respondents), the UK (150 respondents), France (150 respondents), Germany (150 respondents), Australia and New Zealand (100 respondents) and Singapore (100 respondents).