A new study warns that the vast majority of organizations still struggle with security hygiene and posture management, and 69% of organizations admit they had experienced at least one cyberattack that started through the exploit of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.

The study, conducted by the Enterprise Strategy Group on behalf of JupiterOne, found that 86% of organizations believe they follow best practices for security hygiene and posture management. However, 70% of organizations say they use more than 10 security tools to manage security hygiene and posture management, which raises concerns about data management and operations overhead.

“The data demonstrates that many organizations continue to address security hygiene and posture management tactically on a technology-by-technology basis,” said Jon Oltsik, principal analyst and ESG Fellow, who wrote the report. “ESG believes that CISOs should take a more holistic approach to security hygiene and posture management by adopting technologies and processes for discovering assets, analyzing data, prioritizing risks, automating remediation tasks, and continuously testing security defenses at scale.”

In a dramatic, but unsurprising finding, some 73% of security professionals admit they still depend on spreadsheets to manage security hygiene and posture at their organizations. As a result, 70% of respondents say that security hygiene and posture management had become more difficult over the past two years as their attack surfaces have grown.

With cloud migration and business agility as the strategy of the decade, it’s not terribly surprising that most organizations have lost control over what their internet-facing perimeter consists of, said Oliver Tavakoli CTO at Vectra. “The ease with which developers can stand up new services and expose them to the internet is one of the realities of the epoch we find ourselves in,” Tavakoli said.

Jake Williams, co-founder and CTO at BreachQuest, said for several years, we’ve known that hardware and software inventory are the pillars of a cohesive security architecture. That’s why hardware and software inventory have been No. 1 and No. 2 on the prioritized list of CIS Critical Security Controls for as long as anyone can remember, Williams said.

“Given the ease with which assets can be provisioned in cloud environments, it’s no surprise that many of those assets end up constituting an unmanaged attack surface,” Williams said. “Many organizations provision cloud assets from images they did not build themselves, such as using base images from Docker Hub. Because they didn’t build the original image, they are often unaware of the underlying software components and as such fail to perform adequate vulnerability management.”

Bud Broomhead, CEO at Viakoo, said as the attack surface has shifted to unmanaged and IoT devices, the traditional IT approaches simply don’t work. Broomhead said it’s not the number of tools used, it’s whether they are the right tools, and many organizations are just beginning to deploy patching, certificate, and password solutions that can work with both unmanaged and IoT devices.

“It’s not surprising that 69% majority of organizations have experienced an incident, but without using cyber hygiene solutions specifically designed for unmanaged and IoT devices, these numbers will continue to grow,” Broomhead said.

John Bambenek, principal threat hunter at Netenrich, added that it isn’t surprising that so many organizations were breached because of an unknown or unmanaged internet-facing resources.

“The legacy of DevOps and agile development has been little if any security review, much less change control, before things ship to production,” Bambenek said. “When engineers tout innovation under the mantra of ‘go fast and break things’ that’s exactly what happens. But on the bright side, I have unlimited job security, so there’s that.”