Here are four ways organizations can improve their cyber-hygiene and their overall security posture
According to one study, 60% of IT professionals said their organization had suffered at least one serious security breach in the last two years. While that number is alarming, it’s not surprising, considering companies are under an endless barrage of attacks, with an average of roughly one attempt every 39 seconds. While the vast majority don’t make it through, those that do can have an exceptionally high cost, which is expected to exceed $150 million on average and could cost businesses more than $2 trillion cumulatively this year alone.
Faced with such a looming and seemingly insurmountable threat, some companies are spending obscene amounts of money to protect their organizations. Global cybersecurity spending has already grown 35X over the last 15 years and is expected to top $1 trillion by 2021.
But is all of that spending even necessary? A new study commissioned by 1E, “Getting Your House in Order,” shows that cyber-hygiene practices are sorely lacking in many organizations, meaning investing in the latest and greatest security product or service could be a complete waste of money. As much as I hate to be the bearer of bad news, there’s a good chance you could be throwing money down the drain by ignoring these four critical cyber-hygiene areas:
Training, From Board-level Down
The human factor is well-known to be the weakest link in security, with some 95% of breaches attributable to human error, mostly through phishing and social engineering. And, in a recent study, “The Software Arms Race: The Struggle to Support the Modern Business,” 30% of IT security professionals said a lack of board-level cybersecurity awareness is the main cause of breaches. Rather than treating your people as a liability, make them the solution through robust training that empowers them to be your first line of defense.
It’s one thing to tell people what to do or what not to do. The real impact happens when you can help them to understand why those rules are in place. But, in many organizations, confusion is a problem: More than half of those surveyed in the “Getting Your House in Order” study said employee confusion about protocols causes security breaches. Embracing cybersecurity as part of your company’s culture is an absolute must. You can’t just lay down the law and say, “Do this, or you’ll be fired.”
Helping employees to understand that they’re part of the security team, a critical link in the defense, can make them more invested and more vigilant and prevent them from feeling like security rules are an impediment to getting their work done. For example, did you know that your employees could be putting your organization at risk through their social media use, even if it happens off-property, on their own time? This is especially true with LinkedIn, where your security folks indicate that they’re part of the IT security team. Identifying themselves as such can make them a high-value target for hackers, who may attempt to connect professionally and pose as a “friendly” in a social engineering hack. Instilling global awareness of these hidden risks can substantially amplify security.
Security Updates and Patching
The “Getting Your House in Order” study also found that more than half of IT security pros say that unpatched software is the primary cause of breaches within their organizations. And, they’re not alone. Known, unpatched vulnerabilities have been the entry point for many of the most recent and most damaging attacks in history.
Keeping the operating system and third-party software up-to-date across hundreds or thousands of PCs is a gargantuan task, made even more difficult in today’s era of bring-your-own-device, remote work and frequent staff travel. Not to mention, it’s not uncommon for employees to download and use their own software, of which IT is completely unaware. This entire scenario makes patching and updates extremely difficult and time-intensive—it takes time to configure, deploy and test each patch, and there are a lot of patches to deal with.
There are two ways to combat this:
1) Assemble a dedicated team whose mission is to deal with patching and upgrades. This allows them to devote the resources and time required to this critical function, while not taking away from other security and/or operations tasks. You might even consider incentivizing these teams for meeting certain metrics, such as maintaining a specific percentage of machines patched or applying patches within a certain period.
2) Give them the tools they need to get the job done. Manually applying patches to thousands of machines would be impossible, even for a dedicated team, and some 45% of Ops teams say automated tools would improve their ability to support security when it comes to patching. Implementing solutions to automate system monitoring, queries and patch deployment can give you a tremendous advantage in beating cybercriminals to the punch in locking down vulnerabilities.
Zero Trust Policy
It used to be that once an employee logged into their system, they were trusted throughout. Unfortunately, in today’s dynamic cyber landscape, that trust factor can no longer be trusted. Credentials can be swiped in an instant. Laptops are left open and unsecured. In fact, identity management is widely recognized to be one of the biggest risks to corporate security. Companies must implement mandatory authentication requirements throughout the organization and at every step. While this might seem like a roadblock to productivity for employees, the alternative is much worse. In the event of a breach, downtime and lost productivity are the single biggest costs to the organization. You simply can’t afford to not implement solid authentication procedures.
While these four tactical areas are critical for beefing up cyber-hygiene, implementing an integrated strategy that brings IT operations and IT security together, working toward the same goals, must be part of the solution. In more than a third of organizations, a lack of understanding between Ops and Security is one of the top challenges to achieving security goals, according to the survey. We simply must get these two working toward the same targets for the greater good of the organization.
By creating a symbiotic relationship, working together in tandem to build security in from the beginning, IT security and operations teams can avoid the finger-pointing and “stop and wait” that often stands in the way of implementations, remediation and a cohesive security posture. After all, your technology is only as strong as the people behind it. Getting everyone on board can make those investments in software and solutions generate a much more justifiable ROI.