How much can poor network configuration cost businesses? By leaving them exposed to risk, the result of mistakes or carelessness can cost organisations dearly. This is suggested by a recent Titania study, which assessed how firewalls, switches and routers are being configured among 160 US organisations in the military, government, oil and gas, telecommunications and financial services sectors. Senior-level cybersecurity decision-makers were asked how they detect and mitigate vulnerabilities in this network equipment and how confident they feel about the secure configuration. Even though network professionals feel confident in their security and compliance practices, the data suggests they leave their organisations exposed to risk. "Interestingly, the same respondents also reported that their organisations do not review switches and routers when checking for misconfigurations, that checks are typically performed annually, and that budgets have increased year over year, but this has had little or no impact on the volume of critical misconfigurations detected on their networks," the report says. Respondents shared that their budgets have increased, especially in the last two years, but this has had little effect. Half of the organisations have seen no change in the number of critical misconfigurations since last year. Some companies are not reducing their attack surface effectively, prioritising firewall security and a rapid response capability in the event of misconfigurations detected in annual audits. The issue is that switches and routers are included in only 4% of audits and these devices rightly play an important role in reducing the attack surface and preventing malicious lateral movement across networks. Respondents also indicated that financial resources allocated to network configuration - which currently represents around 3.4% of the total IT budget - and the lack of automation are limiting factors in managing the associated risks of configuration errors. Resource: Titania Specifically, the survey also revealed that: Misconfigurations cost organizations millions - on average 9% of annual revenue, but the real cost is likely even higher. In addition, misconfigurations, including those that create critical security risks, can remain hidden for months or even years between audit periods, leaving the business vulnerable to attack. And while budgets may increase annually, there is little or no impact on the number of critical misconfiguration cases detected on networks. Resource: Titania Compliance is a priority for 75% of organizations across all industries that see their business depending on compliance to ensure security. Almost all reported that they are meeting security and compliance requirements. However, this is at odds with several survey findings and reports that show a decline in organizations maintaining full compliance with data security standards. For example, a report by Verizon showed that only 27.9% of organisations globally maintained full PCI DSS compliance in 2019, a record drop for the third year in a row. Prioritizing remediation is a challenge. Three-quarters (75%) said their network security tools could classify and prioritize compliance risks "very effectively. However, 70% reported difficulty in prioritizing remediation based on risks, and that imprecise automation is the main challenge to meeting security and compliance requirements. Routers and switches are often neglected. Most organizations (96%) prioritize configuring and auditing firewalls, but not routers or switches. Only 4% evaluate switches, routers and firewalls. Under Zero Trust best practices, routers and switches play a vital role in network segmentation, a key mitigating technique to stop the lateral movement of network attackers. Beware of criminals Misconfiguration can be a great ally for criminals. One of the key revelations of a recent Microsoft survey was that the vast majority (80%) of ransomware attacks exploited common configuration errors in equipment or software as an invasion tactic. The second edition of Cyber Signals focused on the rise of the ransomware-as-a-service (RaaS) economy and how it has evolved to become a profitable business model. "These attacks follow a model of gaining initial access through malware infection or vulnerability exploitation and then stealing credentials to gain privileges and move laterally," the report said.