Armis Research Finds U.K. Organisations Challenged by Enhanced Regulations and a Lack of Policy Enforcement Causing Risk Exposure

LONDON – November 7, 2023 – New research from Armis, the asset intelligence cybersecurity company, found that cybersecurity teams in the United Kingdom are struggling to manage cyber threat information and navigate complex government regulation, while a lack of policy enforcement is allowing employee behaviour to leave businesses exposed.

The research, surveying security and IT decision-makers, found that the employees of more than two in three (67%) organisations are introducing risk to the business by downloading applications and software onto assets without the knowledge or management of IT or security teams.

Furthermore, many organisations (39%) admit to feeling challenged by the U.K.’s increasingly complicated regulations and governance requirements.

“Companies need to rapidly adapt to new stringent regulations that are moving away from traditional  check-the-box obligations. This requires teams to quickly understand their organisation’s corresponding capability gaps, the path to compliance, and to convince other teams required to achieve compliance to prioritise such efforts. This is by no means easy” said Curtis Simpson, CISO, Armis. “ Lack of policy enforcement can contribute to gaps requiring urgent remediation while also further complicating an organisation’s attack surface. Preventing material compliance and security breaches requires a focus on the foundational, with the business in mind: policy adoption and enforcement, contextual asset visibility and monitoring, exposure and vulnerability prioritisation and remediation.”

Key findings from Armis research, commissioned with Vanson Bourne, include:

A high number of assets in the company environment remain unseen, unmanaged and lack appropriate security measures. Without the correct asset context and policy enforcement, only a partial view of the attack surface is achieved.

• Around 45,000 assets are connected to U.K. organisations’ networks on average on a given business day.
• Over a third (39%) of respondents indicated a lack of complete visibility over company owned assets connected to the business environment, and 42% reported a lack of control and management over these assets.
• Over three quarters (77%) of respondents indicated a lack of visibility over employee owned assets connected to the business environment, and 78% reported a lack of control and management over these assets.
• There are gaps in the enforcement of BYOD policies, with only one in two (51%) of organisations having a BYOD policy that is enforced across all employees.
• 69% of respondents acknowledge their organisation needs better policies and procedures in order to deal with security vulnerabilities.

Prioritising remediation of vulnerabilities is jeopardised by an absence of automation for threat intelligence, leaving an open door for malicious actors.

• U.K. respondents report using eight different sources to collect data relating to threat intelligence.
• Just 52% to 55% of processes related to threat intelligence are automated,  which means that a lot of the work needed to make use of the intelligence sources is a manual effort.
• What’s more, just over half (51%) of the threat intelligence information gathered is actionable.
• This is leading to one in four (25%) U.K. cybersecurity teams feeling overwhelmed by the cyber threat information they receive.
• 39% of U.K. organisations suffered a security breach as part of a cyberattack in the past 12 months.

“Organisations need to prioritise security across the entire organisation, including employee-owned devices, to mitigate risk,” said David Critchley, Regional Director UKI, Armis. “This can’t be done manually, there are just too many assets with potentially unknown vulnerabilities. That’s why automation is absolutely key to help bridge the security skills gap, manage the security posture at scale and see, protect and manage the entire attack surface.”

To read the full research report from Armis, including a global view of this data and comprehensive breakdown for each region, please visit: https://www.armis.com/attack-surface-management

Learn about how Armis Centrix™, the AI-powered cyber exposure management platform, is enabling organisations to address these critical cybersecurity challenges here: https://www.armis.com/platform/armis-centrix/

Methodology and Demographics
Armis commissioned independent market research agency Vanson Bourne to conduct research into attack surface management within enterprise organisations. The study surveyed 900  IT security and IT decision-makers in May and June 2023 from organisations with 1,000 or more employees, including 150 respondents in the U.K., and others across the U.S., Germany, France, Singapore, Australia and New Zealand. Respondents were from organisations across all public and private sectors. All interviews were conducted using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate.

About Armis
Armis, the asset intelligence cybersecurity company, protects the entire attack surface and manages the organisation’s cyber risk exposure in real time. In a rapidly evolving, perimeter-less world Armis ensures that organisations continuously see, protect and manage all critical assets. Armis secures Fortune 100, 200 and 500 companies as well as national governments, state and local entities to help keep critical infrastructure, economies and society stay safe and secure 24/7. Armis is a privately held company headquartered in California.