InfoSec World 2020 – An analysis of more than 100 risk self-assessments conducted by business organizations across a cross-section of industries revealed that over 65 percent admitted to achieving zero-to-minimal compliance with U.S. state data privacy and security regulations, including myriad breach laws and the California Consumer Privacy Act.

The discouraging findings show that business organizations are still playing catch-up when it comes to adhering to standards and implementing other fundamental cybersecurity protections.

Another 27 percent of businesses said they had only partial compliance with privacy and security regulations. “If you’re not currently meeting them as part of your business, you’re not alone,” said Kevin Ricci, principal at accounting and business consulting services firm Citrin Cooperman, which developed the self-assessment tool, called SCORE (Score Compliance Operations Risk Evaluation).

“There are certainly many, many companies out there that have yet to go ahead and implement whatever is needed to meet the right requirements,” said Ricci, who reviewed the self-assessment findings in a virtual presentation today at the CyberRisk Alliance’s InfoSec World 2020 digital conference. “A lot of companies, unfortunately, take the approach of ‘I’m going to roll the dice’ or ‘I’m going to do the best I can, and I may not be meeting 100 percent of the regulations, but I’m meeting 50 percent and it’s my best effort.’ Unfortunately, that’s not going to help after a data breach occurs. Those fines and penalties don’t take that into consideration.”

Compliance with Payment Card Industry (PCI) standards was even less impressive: 72 percent of companies that took the SCORE test said they had minimal or no compliance with PCI data security standards, and 20 percent had only partial compliance.

Another major area of deficiency is security training and awareness: 48 percent of organizations said they provided none to employees, and 81 percent said they don’t conduct spear phishing testing.

Additionally, “We find that companies are not providing additional focus training to people that have access to PII, PHI or other sensitive information,” said Ricci. “They’re a little bit more of a target, if you will, than a typical employee, and the data that they’re handling is much more sensitive typically.”

Asked what they would do if they were attacked with ransomware, a whopping 93 percent of organizations said they would wipe their infected systems and restore from backups, while a mere seven percent admitted they’d pay the ransom.

However, this may have been wishful thinking. Ricci noted that 11 percent said they actually don’t perform any offsite backups, “which is pretty terrifying because all your eggs are in one basket, and if things go wrong it could mean the end of your company, or at least the data you’re holding there.”

And 45 percent said they do not test the viability of their backups. “Even if it’s just a few sample files, even if you’re not restoring an entire database, give yourself something, some modicum of comfort, that your data can be basically accessed in the event that there was a disaster,” Ricci advised.
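One way to act on that advice is to record hashes of a few sample files when a backup is taken and compare them after a test restore, so that a restore that silently truncated or skipped a file is caught before a real disaster. The following is an added example illustrating that check; it is not code from the article or from Citrin Cooperman, and the directory layout and file contents are constructed here for the demonstration.

```python
"""Verify a sample of restored backup files against a manifest of hashes.

Added illustration: at backup time a defender records SHA-256 hashes of a few
sample files; after a test restore, each sample is checked for presence and
integrity. Paths and data below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, sample_paths: list[str]) -> dict[str, str]:
    """Map each sampled relative path to the hash of the live copy."""
    return {rel: sha256_of(root / rel) for rel in sample_paths}


def verify_restore(restored_root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Return a status per manifest entry: 'ok', 'missing' or 'corrupt'."""
    status: dict[str, str] = {}
    for rel, expected_hash in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            status[rel] = "missing"
        elif sha256_of(candidate) != expected_hash:
            status[rel] = "corrupt"
        else:
            status[rel] = "ok"
    return status


def demo() -> dict[str, str]:
    """Constructed scenario: three sampled files, one restored badly, one not at all."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        for directory in (live / "db", restored / "db"):
            directory.mkdir(parents=True)

        (live / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n")
        (live / "db" / "orders.csv").write_bytes(b"id,total\n7,19.99\n")
        (live / "notes.txt").write_bytes(b"hello\n")
        manifest = build_manifest(live, ["db/customers.csv", "db/orders.csv", "notes.txt"])

        # Simulated test restore: customers.csv intact, orders.csv truncated,
        # notes.txt never written back at all.
        (restored / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n")
        (restored / "db" / "orders.csv").write_bytes(b"id,total\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{result:8} {path}")
```

Anything other than `ok` across the board means the backup cannot be trusted for recovery, which is exactly the signal the 45 percent who never test their backups are missing.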

Indeed, an undisclosed number of companies that took the SCORE assessment were later attacked by ransomware and were forced to pay up. Ricci said 68 percent actually restored their files from backups, while 32 percent paid the ransom after all.

“We’ve had some clients that actually brought in cyber attorneys and they were able to negotiate what those ransoms were. We had one client that was hit with a $250,000 ransom. They did not have good backups,” said Ricci. “They brought in a negotiator, opened up a channel of communication and they were actually able to get the ransom down to $100,000, which is still crazy and terrifying, but quite a bit better than the quarter of a million.”

Ricci does not advise paying the cybercriminals. “My recommendation is certainly having great backups and great training to avoid or be able to respond to this without having to pay,” said Ricci, who also noted that many organizations lack a plan of action if a cloud vendor is impacted by ransomware.

Password length was another issue: 55 percent of businesses said they require employee passwords of only four to seven characters, and 33 percent required eight to 10.

Any password of eight characters or fewer drawn from a pool of 95 characters can be cracked in less than a day, noted Ricci. And a smaller pool of available characters requires even longer passwords to reach the same resistance.
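The reasoning behind that claim is keyspace arithmetic: a password of length n over a pool of p characters has p^n possibilities, so shrinking the pool must be compensated by a longer minimum length. The following is an added example, not code from the article, that turns this into a policy check a defender can run against their own minimum-length settings. The guess rate of 10^11 attempts per second is an assumed figure for illustration (an offline attack against a fast unsalted hash), not a number given in the presentation; plug in whatever rate fits the hashing scheme actually in use.

```python
"""Estimate exhaustive-search time for a password policy and derive a minimum length.

Added example. The guess rate is an assumption for illustration; the article
gives no rate, only the conclusion that 8 characters over 95 symbols falls
under a day.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
ASSUMED_GUESSES_PER_SECOND = 1e11   # assumed offline rate, not from the article


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    pool_size: int   # distinct characters permitted, e.g. 95 for printable ASCII


def keyspace(policy: PasswordPolicy) -> int:
    """Number of distinct passwords of exactly min_length characters."""
    return policy.pool_size ** policy.min_length


def days_to_exhaust(policy: PasswordPolicy,
                    guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Days needed to try every password in the keyspace at the given rate."""
    return keyspace(policy) / guesses_per_second / SECONDS_PER_DAY


def min_length_for_target(pool_size: int, target_days: float,
                          guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least target_days to exhaust."""
    length = 1
    while days_to_exhaust(PasswordPolicy(length, pool_size), guesses_per_second) < target_days:
        length += 1
    return length


if __name__ == "__main__":
    # The policies the survey found in use: 4-7 and 8-10 characters over 95 symbols.
    for length in (4, 7, 8, 10):
        policy = PasswordPolicy(length, 95)
        print(f"{length:2} chars, pool 95: {keyspace(policy):.3e} candidates, "
              f"{days_to_exhaust(policy):.4f} days")
    # Same one-day target with a lowercase-only pool needs a much longer password.
    for pool in (95, 62, 26):
        print(f"pool {pool:2}: minimum {min_length_for_target(pool, 1.0)} chars for >= 1 day")
```

With the assumed rate, 95^8 (about 6.6 × 10^15 candidates) takes roughly 0.77 days, matching the "less than a day" figure; a one-day target needs 9 characters from a 95-symbol pool but 12 from a lowercase-only pool, which is the point Ricci makes about smaller character pools.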

Nine percent of organizations also said they never change passwords.

One area where Ricci said Citrin Cooperman has seen recent improvement is the use of multifactor authentication to protect remote connectivity (through VPNs, for instance). Such safeguards have become especially important under the work-from-home conditions created by the Covid-19 pandemic.

Nearly half of the organizations (49 percent) said they have introduced MFA for remote connectivity. “It’s come a long way over the last year or so; as the solutions become easier and less intrusive to the end user, it’s much easier to use, so again, thankfully, we’re seeing that climb up to a better place,” said Ricci.

Other notable statistics from Ricci’s presentation:

  • 79 percent of organizations said they have not obtained and evaluated a SOC report for their cloud applications
  • 35 percent of organizations said they never review their logs
  • 62 percent of organizations acknowledged still running the unsupported Windows Server 2008 operating system in 2020, and 54 percent said they were still running the unsupported Windows 7 OS