Security is a main concern across the tech world, and this should not come as a shock. With the number of data breaches and privacy violations rising each year, it is clear that a focus on cybersecurity is long overdue. In the healthcare industry alone, almost 32 million patient records were breached in the first half of 2019. That is more than double the records breached over the entire 2018 calendar year, according to the latest Breach Barometer report from IT security firm Protenus.
While it is a good thing that organizations are finally taking security seriously, there is a major disconnect in how it is defined. What most businesses consider to be security is not really security at all. Stay with me here. Much of what enterprises call security tends to really be policies, maintenance, and scheduling. While all of this is important, it has little to do with the actual security of your organization.
An organization that sells data to other parties or allows the use of data by a third-party vendor should be thinking in terms of policy, not security. An example of a true security concern would be an organization’s office devices plugged into the Internet of Things (IoT). These include Linux systems, open source desktop environments, Wi-Fi, and many others, all of which become sources of potential attacks when patching and updating are insufficient.
With the National Cybersecurity Awareness Month coming to a close, I wanted to highlight the need for greater technology security vigilance year-round. Security should be a 24x7x365 day job.
Today’s Cyberthreat Environment
I am going to level with you. Today’s cyberthreat environment is fairly bleak. It is clear that companies of all sizes need to stay on high alert, because hackers have no intentions of slowing down. In fact, they are becoming more aggressive and sophisticated as time continues.
Vendors have started to develop more robust technology in hopes of outsmarting cyber criminals. It is true, technology is getting better and more helpful every day. It nonetheless contains a major liability: it is only as good as the humans who use it.
Consider the exposure in late July of a breach at Capital One, which affected about 100 million individuals in the United States. According to the Justice Department, as reported by the Wall Street Journal, a Seattle hacker breached Capital One through a misconfigured firewall caused by human error. The hacker was able to exploit that misconfiguration.
This past August, Facebook reported that it had left one of its databases, containing 419 million records, unprotected and without a password. As we look deeper at other major breaches, a large majority of them start with access stemming from weak authentication; in other words, passwords that could be hacked. Purchasing expensive and advanced security tools does not equal total security. It comes down to the people handling these tools, patches, etc., and how well they are trained.
What are we Getting Wrong with Cybersecurity?
Now that we understand today’s cyberthreat environment, it is time to unpack what we are getting wrong with cybersecurity. We know that hackers’ skills are always advancing alongside new technology, and that their attacks are getting more targeted and sophisticated. We also know that many breaches are due to human error.
Knowing this is a good reminder that while we can always do things to reduce risk and manage the number of cyber incidents, it is unlikely that any company will eliminate them altogether. It is also important to note that hackers prey on each enterprise’s shared greatest weakness: human behavior.
Here are other areas that we are getting wrong with cybersecurity, and what we can do to get them right.
Too Much Focus on Checking Boxes
One area where we are getting cybersecurity wrong is by mistaking policy for security. It is in the maintenance of these policies that we falter. We spend so much time managing, supporting, and checking off audit boxes, that we forget to separate the policies themselves from our overall security. They are just a piece of the larger posture.
A scenario where this may happen is a business that has 15 patches to maintain and monitor across its systems. The organization has now created a long list of chores for a most likely underbudgeted or understaffed IT team. Some of these patches may not get applied in a timely manner, leaving a vulnerability that will one day lead to a cyber incident. This is typically perceived as a security incident, but in reality it was a maintenance problem from the beginning, and one that could have been prevented.
It may not be a possibility for all businesses, but according to the Ponemon Institute’s 2019 Cost of a Data Breach Report, the formation of an incident response team reduces the cost of a data breach by an average of $360,000.
Neglect, whether intentional or not, is another area where we are getting cybersecurity wrong. Sometimes the desire to get patches completed is there, but the business does not provide the time to complete these tasks. Unfortunately, this still counts as neglect and is a major reason for breaches.
While it is true that maintenance neglect opens a huge attack vector for cybercrime, that is not to say that all security incidents stem from lack of trying. There are still identity-driven cyberattacks like phishing, social engineering, spoofing, and compromised credentials.
Lack of Adoption of Security Controls
With these new forms of identity attacks, new security tools have popped up rapidly. Tools like multifactor authentication and privileged access management are useful, if implemented correctly and adopted cross-company. These security controls help to prevent active security threats centered on employee identity. Organizations should enforce adoption of them right away, although many have not yet.
This low adoption rate is attributed to employees who are opposed to change, and to the belief that changes implemented by IT will hinder these change-averse team members. So, even when there are smart tools that every organization should implement, we still fail to adopt them and get it right.
Take a look back over the last decade. It is very difficult to identify a large-scale cybersecurity incident that was not attributed to misguided attention on company policy, self-imposed neglect, or failure to adopt modern security technologies.
Now it is time to take a look at what we can do to change our behavior. It is time to start getting cybersecurity right.
How Do we Change?
We need to focus on cybersecurity every day, for a simple reason: humans pose the biggest cybersecurity threat of all. These changes will not happen overnight; rather, they should start to be implemented little by little into the culture of your company today. Eventually, they will become second nature to the entire company and an expectation of employment. Revamping your cybersecurity starts now and never stops.
Here are a couple of tips on how to start getting cybersecurity right.
Automate Patch Management
With complex systems and the pressure of keeping everything up to date, patch management consistently presents a challenge for IT Ops and infrastructure teams. It is important to get a patch management solution in place to help automate this process.
Patching cycles are never-ending. For some systems, it can take months to install critical patches, and some never get installed. For security teams just getting started with automation, prevention efforts like automated patch management can have an immediate impact on the organization.
Preventative measures like patching are well served by automation, delivering significant returns in time savings, productivity, and improved security.
It is possible to automate every aspect of the patch management process, from vulnerability discovery to patch deployment to post-patching verification and health checks. Automating these steps ultimately allows businesses to shrink vulnerability windows, reducing risk and improving compliance while maintaining maximum uptime.
Implement Mandatory Employee Training
While your IT Security team may be up to date on the latest security and compliance best practices, without specific training, your average employee will not know how to protect against determined hackers.
Security training for employees at your business and for any subsequent third party who maintains access to any confidential data should be mandatory.
Initial security training is an important part of any new employee onboarding program, but frequency is a major factor in ensuring that employees are aware of current rules and good security hygiene. If possible, quarterly training is recommended by security experts, as is training following any security incident.
These periodic training updates need to address not only basic security, but also new tactics and methods employed in other significant security breaches, as well as points of weakness unique to the employee’s role within your organization.
Flip the Script
Rather than checking off boxes and meeting the policies that are detailed on paper, live and breathe security 24x7x365. Build security controls into your company culture and make training a regular part of working at your organization.
It is unlikely that your cybersecurity posture will be revamped overnight, or even any time soon. Yet, the quicker you make the decision to start getting cybersecurity right and working towards it every day, the less likely you are to experience a breach. You can start by understanding that human behavior is the foundation for security. This needs to be absorbed and acted on, not just during National Cybersecurity Awareness month, but all year long.
The good news is that companies have a growing awareness of the importance of their cybersecurity. But there is still a long way to go and a clear need to invest more in cybersecurity training, education, and employee awareness.
Get Security Right with LightEdge’s Help
LightEdge’s highly trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
From a dedicated physical infrastructure to a virtual delivery model, we’ve got the compliant cloud and hosting solution for your organization. Retain the level of control you want, and the amount of data isolation you require.
With geographically dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Customers turn to LightEdge to reduce the risk of non-compliance, to scale security, and for predictability and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps to focus resources on agility and differentiation. Are you curious how your current provider stacks up? Our security experts will provide a free security assessment to see how you measure up against the latest compliance and security standards. No risk, no commitment. Contact us today to get your free security assessment.