Of the 452 network switches examined, only 1.2% were adequately patched and configured securely. It seems network administrators are doing a slightly better job on their routers, but only 3.99% were considered up to scratch.
What's really worrying is that all of the organisations studies were subject to regular security audits by reputable firms. Some were supposedly performed in line with ISO 27000 and the PCI DSS standards, yet not one check of the network equipment firmware had been made in any of the organisations for more than three years.
Dr Wright said "It may be easier to measure compliance than it is to measure security, but spending money to demonstrate compliance does not in itself provide security."
"Until we start measuring security on a constant and consistent basis and do not just take selected aspects of an organisation's cyber security in isolation, critical systems will remain at severe risk of compromise. The existing audit and compliance industry needs to change to a cyber security monitoring approach as point-in-time solutions continue to fail us again and again," he added.
Dr Wright believes at least part of the problem is that "checkbox processes" have pushed real security efforts into the background.
In addition to his position at Charles Sturt University, Dr Wright is the Australia and Asia Pacific director of the Global Institute for Cybersecurity and Research (GICSR).