For many organisations, cybersecurity is becoming an increasingly important consideration when making important business decisions. Protecting the assets of the organisation is vital, and companies are taking cybersecurity more seriously amid the staggering number of severe attacks that occur each day. While it is comforting that organisations are increasing the resources dedicated to cybersecurity, it is also becoming even more apparent that many common cybersecurity mistakes are being made.
For Small and Medium Businesses (SMBs) that may not have dedicated cybersecurity personnel, some mistakes are understandable. However, some are quite severe, and it seems that even large corporations are making them.
Mistake 1: Poor Security Awareness Training
Training is critical for any position in the workplace. If an organisation expects employees to perform their job tasks well, they should be trained. Many organisations are not dedicating enough resources to train their employees on proper security habits and behaviour in the workplace.
The most common vector that cyber attackers use is employee-related, often through email phishing, malicious email attachments or poor password security. These are problems that can only be addressed through training, and all employees should be trained, including those who may not use computers day-to-day, as security also extends to physical environments.
Even when investing in proper cybersecurity awareness, it is crucial that the training is relevant to the work being carried out, and that it is regularly enforced in the workplace.
Mistake 2: Not Enough Budget
Many organisations are yet to commit enough annual budget to cybersecurity efforts, often because they haven’t been attacked (yet). It is very easy for businesses to treat cybersecurity spending as a sunk cost with no immediate return on investment, much like insurance. However, many organisations do not even place cybersecurity in the same category as insurance, which is at least accepted as a “necessary evil”; some disregard cybersecurity completely.
Organisations that do invest in cybersecurity may not be investing enough: projects are left incomplete and are not as effective as they would be if implemented properly. Resources are stretched too thin, and IT/security staff are unable to cover all the security needs of the organisation. The average cost of a data breach is increasing each day as attacks become larger and the value of the data being stolen also increases. Cybersecurity expenditure should reflect this.
Mistake 3: “Attacks cannot be stopped”
This is a mistake that is becoming quite common, especially among SMBs, where the attitude toward cyber-attacks is that they are “a part of life”, or that “there’s nothing we can do”. This issue was also reported on in one of our recent articles, where it was found that half of all organisations have concluded that attacks cannot be stopped. This attitude is very concerning, and it seems that these organisations are unaware of the damage that a cyber attack is capable of inflicting on them. Negative effects include degraded reputation, loss of customers and even severe fines or lawsuits.
The majority of the attack vectors that attackers use today are well known, and the strategies developed to mitigate these attacks have become mature, effective, accessible and easy to implement. Many of these strategies are documented in detail in articles such as those that Agilient publishes regularly, and a little careful searching will turn them up. All organisations should be striving to prevent cyber-attacks.
Mistake 4: Poor Cybersecurity Proactivity and Reactivity
Even when a strong cybersecurity policy is implemented and adhered to, risk often cannot be fully eliminated, and there is a small chance that an attack may still succeed. Organisations should not sit and wait for an attack to occur before finding the weak spots in their security. Many organisations are not as proactive and reactive as they should be to ensure strong cybersecurity.
A lack of proactive security may be one of the largest weaknesses in cybersecurity overall. Organisations must constantly endeavour to find problems and solutions before an attacker does. By routinely running relevant tests, scans, and audits on systems, IT and security personnel should be able to find many major security flaws well before an attacker discovers them. These regularly scheduled tests or real-time scans should be incorporated into policy and addressed routinely.
Reactivity is also a challenge facing businesses today, with the average time that it takes an organisation to respond to a breach sitting at a staggering 279 days, according to a survey conducted this year. When a data breach occurs, reaction time is critical to reducing damage and the costs associated with the attack.
Mistake 5: “We’re too small to be attacked”
When most individuals think of a cyber-attack, they may often think about very large data breaches affecting huge corporations that received worldwide news coverage, such as the Equifax data breach in 2017, or the Marriott hotel chain breach last year in 2018. However, according to the 2019 Verizon Data Breach Report, 43 percent of victim organisations were SMBs. It is rare for a cyber attacker to target only one organisation, and so attackers will often cast their net across a great number of organisations and individuals in the hope that they will catch an unlucky few. These often end up being SMBs with little to no security infrastructure.
Mistake 6: Weak Authentication Policy
Login credentials and login policy are a major challenge for an organisation of any size, and one that only grows in complexity as the organisation grows. Passwords are the foundation of cybersecurity, and although authentication is difficult to get right, it is not impossible and is becoming easier with modern tools.
Strong passwords are important, but it has been found that keeping track of strong and unique passwords for each system and service is just not viable for the average user. Enforcing regular password changes has also been found to be very ineffective, as it pushes users to engage in worse password behaviour, such as passwords written on Post-It notes or saved in a text document. It is for these reasons that investing in a password manager (such as Dashlane, 1Password or LastPass) is incredibly effective for organisations. Users must only remember a single strong password, and then the manager does the job of storing the rest, which are then accessible on all of the user’s devices. IT administrators are also able to conduct password audits and ensure that strong passwords are being used.
Multi-Factor Authentication (MFA) can also be implemented on most services to add an extra layer of protection against credential attacks. MFA sends the user a text message or a notification to their mobile phone with a code that must be entered in addition to the password and, when paired with a strong password, provides security that exceeds global standards.
Mistake 7: Poor Mobile Device Policy
It is very common for organisations to provide their employees with the devices they need to carry out their work, especially when working remotely. These devices can include laptops, phones, and removable storage. Rolling out security for these devices is a great challenge and can be costly, but deploying these devices unsecured out into the world poses a great threat should one of them be lost, stolen, or accessed without authorisation (e.g. lent out or left unattended).
For many organisations, especially SMBs, mobile device security can be very easily disregarded and left at the bottom of the pile. It is essential that mobile device security be discussed as soon as possible, especially if a great number of business activities rely on these devices. Starting off by simply enforcing passwords or PIN codes and encrypting the internal storage is significantly better than leaving security up to the user. Mobile device security is an area where even some policy is far better than none. For larger organisations with larger mobile device deployments, investment in a Mobile Device Management (MDM) solution can make mobile device security a breeze, though at an increased cost.
Mistake 8: Out-of-Date Software
Updating software is commonly overlooked, as on the surface it may not seem to impact cybersecurity. “If it works, it works” is the attitude that often goes along with software and updates. Software updates have obvious, user-visible effects, such as new features and stability fixes. However, many updates also include critical security fixes that are not visible to the average user.
A software package could work well and fulfil the organisation’s needs and expectations perfectly, but if there is a large security vulnerability in the code that could be easily exploited, a threat exists. There is a significant chance that these software bugs are publicly known and that exploit attempts are already underway around the world. Security updates are very important for this reason, and they make up the majority of the updates rolled out for large and complex software packages such as operating systems and databases.
With popular software, updates are very easy and should not result in any issues when rolled out to a large deployment; however, testing updates before rollout is always recommended.
Mistake 9: Trying to Implement Security Alone
This is a common cybersecurity mistake that many SMBs are making, and understandably so. IT teams are often very small, perhaps with a limited skillset, and the budget is not available to take on extra personnel. By nature, the IT-savvy tend to have a very DIY attitude, wishing to set up everything themselves in an attempt to have complete control over all aspects of an organisation’s digital systems. While the approach is admirable, it is often a very poor way to deal with data security.
In 2019, we’re in an age where “Cloud” apps are readily available, cheap, and maturing more every day. So why ignore them? Trust in cloud providers has not grown to the point where IT teams are jumping at the opportunity to roll them out; however, they are extremely viable in cases such as those described above. Even in very large organisations, Cloud apps are a very good way of reducing costs. These services should be utilised where appropriate to lift the burden that comes with administering self-hosted apps for many users. However, they should be used only after vetting to ensure they meet the security requirements of the organisation.
Mistake 10: Untested or Non-Existent Backups
Last but certainly not least: data backups. As organisations transition their workflows to purely digital environments, data integrity and reliability are imperative. Backing up data can be expensive; however, given the great number of ransomware attacks that have happened in the recent past, it should be apparent that backups are necessary.
Backups protect not only against malicious attacks, but also against hardware failure and user error. Regular backups, and routine testing of those backups, should be implemented as soon as possible to ensure that critical business data is not lost in one of these events.
There are many powerful backup tools that make scheduling and testing backups very simple, some of which are available for free or at a low cost. The majority of the cost lies in the physical hardware, but that investment offers excellent insurance.
Do you feel that any of these common cybersecurity mistakes impact your organisation? Listed above are mistakes that Agilient’s skilled consultants can help your organisation overcome by providing expert advice and recommendations that apply to all areas of cybersecurity. For more information, feel free to contact us today.
Author: Jack Schofield, Agilient Consultant.