Who is responsible for Active Directory security within your organization?

Over one third (36%) of IT professionals say their organizations are more vulnerable to security threats now than they were five years ago, according to a new Alsid research.

The research, carried out by YouGov in the UK, questioned 506 IT professionals working at companies with 50 or more employees. The results shine a spotlight on the current state of IT security and attitudes among security and IT professionals.

Spoiler alert: it’s not all good news, although it’s not all bad either. But while there are some seeming bright spots for IT pros in the results, some of the data may show a perception/reality gap in the minds of IT and security professionals.

For example, a combined 72% of respondents feel “fairly well” (44%) or “very well” (27%) prepared against enterprise-grade ransomware attacks. Jérôme Robert, CMO, Alsid, comments: “This confidence is nice to see, but unfortunately the everyday reality suggests a different story.

“I get the sense that if you asked all the companies which have recently been hit by ransomware if they were well prepared before those attacks, they would probably have said yes. So that confidence didn’t help them, in fact, it probably hurt them because maybe they weren’t asking the questions they could have been.”

Securing Active Directory

Ransomware attacks are just one of the many types of attacks that rely on compromising the Active Directory, which is sometimes forgotten as an element of an organization’s IT security.

Of organizations which have an Active Directory, the survey data shows that responsibility for Active Directory security is split between functions, with 27% of those IT professionals reporting that responsibility lies with the IT team, and 19% stating that the security team holds responsibility for Active Directory security.

16% of respondents said that their organization employs an Active Directory security specialist.

But 24% said that they don’t know who is responsible for Active Directory security within their organization – showing that sometimes this important function can fall through the cracks between IT and security teams.

Furthermore, just one in five (21%) IT professionals said they have followed security best practices by testing a complete Active Directory restoration successfully more than once, and then incorporating the findings into their cybersecurity policy.

16% of respondents whose organizations have an Active Directory stated that Active Directory security is not treated as a priority in their organization, whereas 31% replied that AD security is a priority, but not a top priority. 26% said that Active Directory security is treated as one of the top priorities by their employer.

Jérôme Robert, Alsid CMO, continues: “The enhanced profile of cyber threats and attacks is driving changes at the heart of IT and security functions within businesses, and I don’t think anyone can say now that security isn’t taken seriously at a senior level within companies.

“So the good news is that we’ve come a long way already, but you only need to look at the news to see that there are still gaps in security which lead to things like massively expensive ransomware incidents.

“As a central part of all enterprise information systems, the Active Directory is now the primary target for large-scale attacks – particularly in medium and large enterprises,” adds Robert.

“It’s positive to see that the perceived importance of AD security is now growing after years where it was left out in the cold and pretty much ignored. This led to it being seen as a soft target for cybercriminals, which is where we are today.

“In a weird way, the popularity of the Active Directory as an attack vector is driving knowledge and awareness and forcing companies to act. Companies are also finding that AD protection is a valuable investment because of its broad applicability right across the kill chain, and its ability to disrupt many different types of attacks.”

Changing IT/security roles

Questioned about their own roles, 42% feel that their job has become more complicated in the last two years, but only 15% feel more empowered to make decisions today than before. With a nod to the fast-moving nature of IT and security, 16% admitted that keeping track of new updates and techniques to help prevent cyber threats has become more difficult.

Turning the focus to their organizations, when asked about preparedness for certain types of attacks, a combined 29% admitted to being “not very well” (22%) or “not at all well” (7%) prepared for insider threats – an attack perpetrated by someone within the organization. This makes insider threats the highest-ranking threat in the category.

In second place, 18% said their employer was “not very well” (13%) or “not at all well” (5%) prepared for an attempted “targeted data theft”. 14% of respondents said they were not prepared for DDoS attacks, and attacks which exploit suppliers’ (third-party) access ranked fourth, with 13% stating a lack of preparedness.

Other statistics from the research

• 81% of respondents stated that preventing hackers from accessing the first computer within an organization’s network is “very important”, with 15% agreeing it was “fairly important”
• 80% agreed that responding quickly after the attack succeeded in gaining entry was “very important”, and 16% said it was “fairly important”
• For companies with an Active Directory, when asked how often it was subjected to penetration testing, 13% of IT pros said less than once every two years, 19% said more than once per year, and 21% said pen-testing the AD happened once each year