I saw this study recently, where most people think they are better-than-average drivers in the US. I thought about it myself afterward, and I think I’m maybe average. I do pay attention most of the time, I try to be more careful when it’s wet or snowy and give myself more time to slow down. I try to be aware of the other cars and obstacles on the road. I also usually have a drink (coffee, soda, water) with me, and I certainly mess with the music player. The Tesla reminds me constantly when I’ve strayed near a line, so a few months of driving seems to tell me I’m not great. Certainly not above average.
I would expect that most of us think we’ve done a good job with security for our systems. We don’t expect to get hacked or deal with ransomware. I don’t know how realistic that is, as a recent set of penetrations tests shows the vast majority of networks are vulnerable.
It sounds bad, and it is. It also is not likely to change as the complexity of many networks is high. There are so many devices, constant additions and changes to services and applications, and regular requests to grant access to a new group. It’s amazing there is any security at all, given how quickly people want to access systems and how impatient they are when they can’t connect.
The data doesn’t show that every system is wide open, but there are ways in which every network can be disrupted. Whether this is significant or not is hard to assess, but given the reports I see in media, as well as private notes from friends, I suspect that most companies have plenty of work to do.
It’s not all had work, however. I think many people that configure networks are careful and are wary of opening firewalls. The bigger problem, which continues to exist, is likely simple passwords from far too many people. That, combined with a lack of multi-factor authentication being rolled out, means that there a lot of simple changes that could make a big difference. I know my company rolled out a corporate password manager recently to all employees. This, combined with our MFA app on mobile devices means that we should have strong passwords and better verification of legitimate access for most systems.
At least, I hope we do.