While it may not constitute end times for a business, an incident that can result in stolen data, diminished customer confidence, reputational harm, compliance penalties and legal fees isn’t exactly a drop in the bucket either.
A study last fall found that the average data breach costs victim companies $15.4 million, up 19 percent year over year. Nobody in good faith wants to cost their company money because of a compromise, CEOs included.
Look, we all do dumb things. The key is learning from them and not making them habits. Because, as you know, the definition of insanity is doing the same thing over and over again – and expecting a different result.
Here is a list, in no particular order, of 12 cybersecurity mistakes you should avoid making in the current era of modern cybercrime. If something is missing from the list that you think should be on it, please drop us a note in the comments.
1) Failing to Map Where Data Flows and Lives
It can’t be said enough: Your data is your company’s lifeblood. Assessing and charting where that data flows (especially when it leaves your organization), with whom it is shared and where it lives at rest is paramount to knowing what you need to protect. Defenders have to be right every time, while attackers typically need to be right just once, so visibility is everything.
2) Neglecting Security Testing
Vulnerabilities reside across your databases, network and applications – and now also extend to mobile and Internet of Things devices. These require regular testing through both automated vulnerability scanning, which catches known weaknesses at scale, and deep-dive penetration testing, which finds the flaws scanners miss and shows how they chain together. Remember: Test, don’t guess.
3) Concentrating Too Much on the Perimeter
Prevention is not exactly an anachronism, but considering how advanced threats have become, attackers will inevitably make it through your border defenses. And once they’re inside, they will look to acquire privileges that will camouflage them as trusted users. They may evade you for a long time, unless you have strong visibility and an actionable understanding of indicators of compromise.
4) Blanking on the Basics
Oftentimes, it’s the simple things that will get you. To avoid having that “Doh!” moment, make sure all of your staff use strong passwords (passphrases are preferred) and follow the principle of least privilege, and that all of your network components are properly segmented to minimize access to confidential data, adequately configured to prevent undesirable changes, and up to date with the latest patches.
5) Disregarding Security Awareness Training
You’re likely familiar with the campaign “If you see something, say something.” Just as in the physical world, security enforcers rely on the population at large to stop attacks at their source – or at least make them aware of malicious attempts. Train your staff in everything from laptop protection to social engineering identification. And don’t forget to retrain because the scams continue to get sneakier.
6) Ignoring Security Monitoring
If you’re like most businesses, you don’t have the budget to stand up your own security operations center. But that doesn’t relieve you from needing around-the-clock monitoring and intelligence that will help you investigate automated alerts, hunt for threats, escalate serious incidents and minimize attacks.
7) Resisting Vendor Risk Assessments
Some of the most ignominious breaches of late were caused by attackers first infiltrating one of the victim company’s vendors. You must have a plan in place with the third-party entities to which you outsource to ensure that they are taking security and risk as seriously as you are.
8) Overlooking “Shadow IT”
Your endpoints are like ivy – growing mightily and quickly getting out of control. The good ol’ days of only needing to concern yourself with desktop and laptop computers are long gone. Your employees are now accessing so-called shadow applications and devices that are not supported by IT. If you can’t stop it, at least don’t be blind to it. First profile your risk, then institute controls.
9) Thinking it’s Just About Malware
Malware is still a critical part of how attackers establish their initial foothold. But once inside, they often use different strategies to move laterally across your network. In many cases, that means flying under the radar by using legitimate administration or ethical hacking tools to harvest sensitive data and find further vulnerabilities, activity that looks like routine IT work unless you know what to look for.
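As an added example (not code from the original article or from Trustwave), the following Python script shows what “flying under the radar” looks like in process-creation telemetry and one way to catch it: it scores constructed events for built-in Windows tools that attackers repurpose for lateral movement (PsExec, wmic /node:, remote sc create, mapping an admin share, encoded PowerShell) and decodes the encoded command so an analyst can see the payload. The JSON-lines event format, the rules, the weights, the threshold, the hostnames and the sample records are all illustrative assumptions.

```python
"""Score process-creation events for repurposed admin tooling.

Added example, not part of the original article. The event format, rules,
weights and threshold below are illustrative assumptions.
"""
import base64
import binascii
import json
import re

# Constructed Sysmon-style JSON-lines sample (made-up data, not real telemetry).
SAMPLE_EVENTS = r"""
{"ts":"09:14:03","host":"WS-042","user":"CORP\\jdoe","parent":"explorer.exe","cmd":"notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"ts":"09:15:10","host":"WS-042","user":"CORP\\jdoe","parent":"cmd.exe","cmd":"PsExec.exe \\\\FS-01 -s cmd.exe /c whoami"}
{"ts":"09:16:44","host":"WS-042","user":"CORP\\jdoe","parent":"cmd.exe","cmd":"wmic /node:FS-02 process call create \"cmd.exe /c net user\""}
{"ts":"09:17:02","host":"WS-017","user":"CORP\\asmith","parent":"WINWORD.EXE","cmd":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
{"ts":"09:18:30","host":"WS-042","user":"CORP\\jdoe","parent":"cmd.exe","cmd":"net use \\\\FS-03\\C$ /user:CORP\\svc_backup"}
{"ts":"09:19:05","host":"SRV-05","user":"CORP\\ops","parent":"cmd.exe","cmd":"sc query wuauserv"}
{"ts":"09:20:11","host":"SRV-05","user":"CORP\\ops","parent":"cmd.exe","cmd":"powershell.exe -Command Get-Process"}
"""

# (rule name, pattern, weight). Each targets a legitimate built-in tool that is
# commonly repurposed for lateral movement; the weights are an assumption.
TOOL_RULES = (
    ("psexec_remote_exec", re.compile(r"\bpsexec(?:64)?\.exe\b", re.I), 5),
    ("wmic_remote_process", re.compile(r"\bwmic(?:\.exe)?\b.*?/node:", re.I), 5),
    ("remote_service_create", re.compile(r"\bsc(?:\.exe)?\s+\\\\\S+\s+create\b", re.I), 5),
    ("net_use_admin_share",
     re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\[^\s\\]+\\(?:[a-z]|admin)\$", re.I), 4),
    ("powershell_encoded",
     re.compile(r"\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.I), 4),
)
# Parents that should rarely spawn admin tooling (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
DOWNLOAD_CRADLE = re.compile(r"\b(?:iex|invoke-expression|downloadstring|net\.webclient)\b", re.I)


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if undecodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse_event(event: dict, threshold: int = 4) -> dict:
    """Return the event annotated with matched rules, a score and a verdict."""
    cmd = event.get("cmd", "")
    hits, score, decoded = [], 0, None
    for name, pattern, weight in TOOL_RULES:
        match = pattern.search(cmd)
        if not match:
            continue
        hits.append(name)
        score += weight
        if name == "powershell_encoded":
            decoded = decode_encoded_command(match.group(1))
            # An encoded command that pulls code from the network is the
            # classic fileless stage-two loader, so it weighs extra.
            if decoded and DOWNLOAD_CRADLE.search(decoded):
                hits.append("encoded_download_cradle")
                score += 3
    # Admin tooling launched from a document viewer or script host is far
    # more suspicious than the same command typed by an operator.
    if hits and event.get("parent", "").lower() in SUSPICIOUS_PARENTS:
        hits.append("spawned_by_" + event["parent"].lower())
        score += 3
    return {**event, "hits": hits, "score": score, "decoded": decoded,
            "flagged": score >= threshold}


def triage(text: str, threshold: int = 4) -> list:
    """Analyse every event and return only those at or above the threshold."""
    return [r for r in (analyse_event(e, threshold) for e in parse_events(text)) if r["flagged"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['ts']} {r['host']} {r['user']} score={r['score']} rules={','.join(r['hits'])}")
        if r["decoded"]:
            print(f"    decoded PowerShell: {r['decoded']}")
```

Run against the constructed sample, the script flags the PsExec, wmic, encoded-PowerShell and admin-share events and leaves the notepad, sc query and plain PowerShell events alone. None of the flagged commands involve malware; every one is a tool an administrator could legitimately run, which is exactly why a detection program has to key on context (remote targets, encoding, parent process) rather than on file hashes.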
10) Believing a Breach Won’t Happen to You
Perhaps you’re still holding out hope that cybercriminals will show you mercy and pass over your business, but the reality is that companies of any size are targets. Preparing your defenses to also include response will help you react faster and minimize the fallout if – or more likely, when – your day comes.
11) Dismissing Your Bosses and the Boardroom
Security maturity is the holy grail of any infosec professional’s job objectives. In instances where businesses have reached high levels of maturity, security is ingrained in the culture, from the corner offices on down. Obtaining boss- and board-level support may be uncomfortable, but in today’s climate, it is imperative.
12) Trying to Do It All On Your Own
The cybersecurity skills shortage is no joke. Estimates place the worldwide shortage at one million positions and growing. Whether you’re a small business that lacks any security skills at all, or a larger outfit that needs help enhancing certain areas like penetration testing, security monitoring or incident response, doing more with less just isn’t going to work.
Partnering with a managed security services provider like Trustwave is a viable option. And such an arrangement doesn’t have to result in reduced headcount either – it just means you and your team can instead focus on and expedite IT projects that will have real effect on the top line of your business, while leaving security responsibilities to someone else with deep expertise and scale. This can actually result in elevated job security for your IT staff and fewer worries over losing a skilled in-house security staffer due to the industry’s notoriously high turnover.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.