Cybersecurity teams in the United Kingdom are struggling to manage cyber threat information and navigate complex government regulation, while a lack of policy enforcement is allowing employee behaviour to leave businesses exposed, according to new research published today.
The research, undertaken by asset intelligence cybersecurity company Armis and surveying security and IT decision-makers, found that the employees of more than two in three (67%) organisations are introducing risk to the business by downloading applications and software onto assets without the knowledge or management of IT or security teams.
Furthermore, many organisations (39%) admit to feeling challenged by the UK’s increasingly complicated regulations and governance requirements.
“Companies need to rapidly adapt to new stringent regulations that are moving away from traditional check-the-box obligations. This requires teams to quickly understand their organisation’s corresponding capability gaps, the path to compliance, and to convince other teams required to achieve compliance to prioritise such efforts. This is by no means easy,” said Curtis Simpson, CISO, Armis. “Lack of policy enforcement can contribute to gaps requiring urgent remediation while also further complicating an organisation’s attack surface. Preventing material compliance and security breaches requires a focus on the foundational, with the business in mind: policy adoption and enforcement, contextual asset visibility and monitoring, exposure and vulnerability prioritisation and remediation.”
The research found that a high number of assets in the company environment remain unseen and unmanaged and lack appropriate security measures. Without the correct asset context and policy enforcement, only a partial view of the attack surface is achieved.
Key findings from the research, which was commissioned with Vanson Bourne, include:
- Around 45,000 assets are connected to UK organisations’ networks on average on a given business day.
- Over a third (39%) of respondents indicated a lack of complete visibility over company-owned assets connected to the business environment, and 42% reported a lack of control and management over these assets.
- Over three quarters (77%) of respondents indicated a lack of visibility over employee-owned assets connected to the business environment, and 78% reported a lack of control and management over these assets.
- There are gaps in the enforcement of BYOD policies, with only one in two (51%) organisations having a BYOD policy that is enforced across all employees.
- 69% of respondents acknowledge their organisation needs better policies and procedures in order to deal with security vulnerabilities.
The study said prioritising remediation of vulnerabilities is jeopardised by an absence of automation for threat intelligence, leaving an open door for malicious actors.
UK respondents reported using eight different sources to collect threat intelligence data, with only 52% to 55% of threat intelligence processes automated, which means that much of the work needed to make use of those sources is still a manual effort.
Just over half (51%) of the threat intelligence information gathered is actionable, and this is leading to one in four (25%) UK cybersecurity teams feeling overwhelmed by the cyber threat information they receive. Only 39% of UK organisations suffered a security breach as part of a cyberattack in the past 12 months.
“Organisations need to prioritise security across the entire organisation, including employee-owned devices, to mitigate risk,” said David Critchley, regional director, UKI, Armis. “This can’t be done manually; there are just too many assets with potentially unknown vulnerabilities. That’s why automation is absolutely key to help bridge the security skills gap, manage the security posture at scale and see, protect and manage the entire attack surface.”