A data breach is almost inevitable because we continue to make the same security mistakes. Here are five of the big ones, according to experts, and why you simply have to fix them.
Expensive cyberattacks and data breaches are on the rise. Check. You know that. Enterprises must secure their networks while also accelerating digital transformation to maintain a competitive edge. Check. You know that, too.
Yet companies regularly fall victim to hackers, even when breaches are avoidable. Why?
Here are five reasons businesses fall short, according to cybersecurity experts.
1. You’re not patching fast enough.
Businesses can’t prevent every cyberattack. Most corporate networks are too large, with too many opportunities for attackers to breach them. But you leave your network open to needless attacks if you fail to implement even the basics of network architecture security properly.
Lack of basic “network hygiene,” including out-of-date software and unpatched operating systems, puts companies at unnecessary risk. Some companies continue to run old, sometimes unsupported, operating systems—such as Windows NT—which can lead to cybersecurity and compliance issues.
It’s important to put strong protocols in place to make sure all software is updated and patched in a timely manner. You should also know where your critical data resides on your network and how big the network is.
Joel Rosenblatt, director of computer and network security at Columbia University, notes that a common concern among IT professionals is that a system update or patch may break something in the overall network and disrupt IT systems. However, he warns that waiting could give your network an even bigger headache: the possibility of a zero-day exploit, an attack that happens on the same day a software weakness is discovered.
Typically, an IT department has a matter of days after a patch comes out before someone exploits it, says Rosenblatt. Hackers get the same software updates as everyone else and can reverse engineer the vulnerability to figure out how to break into systems. Although a report from the RAND Corp. says the majority of exploits take between six and 37 days to become fully functional, hackers can get the cycle time down to as little as 24 hours.
If you haven’t installed a new patch and the next email someone in your company receives is from the bad guys—a phishing email with a nasty attachment—you could have a zero-day exploit on your hands, Rosenblatt says. And that compromise could spread throughout your network.
2. You lost track of your critical data.
Smart companies realize they should align their security strategy to better protect the organization’s most critical asset: data. That requires a good understanding of where your most critical data resides and who touches it, says Kerry Bailey, CEO of eSentire, a managed detection and response provider.
It’s particularly important to know the defensive capabilities of your enterprise network and where your data is and the risk associated with it, says Bailey. “The other part is companies now tend to work with many third-party vendors that develop apps or provide services, and you need to have a good understanding of what they are doing [on your network],” Bailey adds.
Also part of good data protection management is keeping a close eye on enterprise endpoints, he notes. Attackers increasingly look for new ways to break into your network and execute code. Using solutions that monitor continuously for anomalous behavior across the enterprise is vital to identify potential attacks.
For example, Columbia’s Rosenblatt uses a system that looks at logins to the university’s network and geolocates each one based on its IP address, even identifying those connecting over a virtual private network. If Columbia’s IT staff sees logins from multiple countries within a certain narrow time period, it’s fair to assume the account is compromised.
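A minimal sketch of the multi-country login check described above, added here as an illustration and not Columbia's actual system. It assumes each login event has already been geolocated to a country code; the one-hour window, the function name and the sample events are constructed, and VPN identification is not modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, source IP, country).
# The country column stands in for the result of a GeoIP lookup on the IP;
# the addresses come from documentation ranges.
SAMPLE_LOGINS = [
    ("2024-03-01T08:00:00", "alice", "192.0.2.10", "US"),
    ("2024-03-01T08:20:00", "alice", "198.51.100.7", "RO"),
    ("2024-03-01T09:00:00", "bob", "192.0.2.44", "US"),
    ("2024-03-01T09:05:00", "bob", "192.0.2.45", "US"),
    ("2024-03-01T10:00:00", "carol", "203.0.113.5", "DE"),
    ("2024-03-02T10:00:00", "carol", "203.0.113.9", "JP"),
]

def find_multi_country_logins(events, window=timedelta(hours=1)):
    """Return alerts for accounts that logged in from more than one
    country within `window`. Each alert is (account, earlier, later)."""
    by_account = defaultdict(list)
    for ts, account, ip, country in events:
        by_account[account].append((datetime.fromisoformat(ts), ip, country))

    alerts = []
    for account, logins in by_account.items():
        logins.sort(key=lambda e: e[0])
        start = 0  # left edge of the sliding time window
        for i, (ts, ip, country) in enumerate(logins):
            # Advance past logins that are older than the window.
            while ts - logins[start][0] > window:
                start += 1
            # Compare against every earlier login still inside the window.
            for prev_ts, prev_ip, prev_country in logins[start:i]:
                if prev_country != country:
                    alerts.append((account, (prev_ts, prev_ip, prev_country),
                                   (ts, ip, country)))
    return alerts

if __name__ == "__main__":
    for account, earlier, later in find_multi_country_logins(SAMPLE_LOGINS):
        print(f"{account}: {earlier[2]} at {earlier[0]}, then {later[2]} at {later[0]}")
```

The window size is the tuning knob: too wide and legitimate travellers trigger alerts, too narrow and a second login a few hours later goes unnoticed.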
The university mandates the use of two-factor authentication for financial transactions. As a result, if an attacker somehow acquires a password, the account remains protected by a second or third layer of authentication, Rosenblatt says.
3. You rely too much on antivirus software.
Relying solely on security at the network perimeter is risky. You may have a firewall, but email is an open doorway into your business.
Cybercriminals are just one successful phishing email away from access to your valuable data. Phishing attacks bypass most corporate cybersecurity defenses. It takes just one person to click on the wrong link or open an attachment they shouldn’t.
While the average malicious file shows up in most antivirus programs on the market, if your software doesn’t detect it, you could be in trouble. Not all antivirus software programs are created equal, Rosenblatt points out. One antivirus application might have a higher detection rate, while another might be better at blocking attacks.
A solution is to mandate that your enterprise’s mail system does not accept any executable files (ones that commonly have an .exe file extension, typically the source of cyberattacks). Although blocking executable files can be an inconvenience, in the end, it makes your network more secure. There are lots of other ways to get documents into an organization, Rosenblatt notes. For example, each user or employee can make individual arrangements with the sender to receive documents via Dropbox.
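As an added example (not taken from Columbia's mail system), here is how a mail gateway hook could apply the rule above using Python's standard `email` package. It goes one step beyond the extension rule in the text by also rejecting attachments whose content starts with the Windows executable `MZ` header, since a file name alone can be changed. The extension list beyond `.exe`, the function names and the sample message are assumptions constructed for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list; the article itself names only .exe.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".msi"}

def executable_attachments(raw_message: bytes):
    """Return [(filename, reason)] for parts the gateway should reject."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        # Normalise case and strip trailing dots/spaces before matching.
        lowered = name.lower().rstrip(". ")
        if any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            findings.append((name, "blocked extension"))
        elif payload[:2] == b"MZ":
            # Windows executables begin with the two bytes "MZ".
            findings.append((name or "<unnamed>", "PE header in content"))
    return findings

def build_sample() -> bytes:
    """Constructed test message with three harmless attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    stub = b"MZ" + b"\x00" * 62  # header bytes only, not a real program
    msg.add_attachment(stub, maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(stub, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"%PDF-1.7\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in executable_attachments(build_sample()):
        print(f"reject {filename}: {reason}")
```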
4. You don’t foster a culture of cybersecurity awareness.
Although many cyberattacks that hit the news headlines involve large well-known names, it’s wrong to assume your modestly sized business won’t be the target of an attack. In reality, cyberattackers are looking to penetrate networks in every sector of the economy.
The best way to ensure your enterprise’s security is to create a culture of cybersecurity awareness. Every employee should be aware of the threats and take pride in preventing cyberattacks. It’s important to encourage company leadership to treat cybersecurity as a business priority, says Sean Blenkhorn, eSentire’s field CTO.
Best practices include:
- Keep informed about the latest threats. It’s better to know about the dangers and do something rather than be uninformed and hope you’ll be OK.
- Understand acceptable risk. You can’t eliminate every risk, but you can reduce risk to an acceptable level.
- Communicate well. This includes both formal communication and informal communication with employees.
- Celebrate successes, especially any thwarted attacks.
The company’s business leaders and broader employee base likely don’t need to know all the technical details around cybersecurity, but they do need to know enough about the potential threats to help thwart any attacks or formulate sufficient resource planning to deal with a possible attack. This can be achieved through training sessions and educational seminars to teach everyone in the company, from the C-suite to the reception desk, how to identify threats and prevent them from happening in the first place.
5. You haven’t accepted the inevitable: You will be hacked.
Finally, companies just need to accept that they’ll be hacked eventually, says Blenkhorn. The key is making sure you have a plan to respond when it eventually happens. A cybersecurity incident response plan with a clear role for each person involved is vital, and it can help an enterprise get back on its feet more quickly.
Companies need to place security at the center of their business operations, says eSentire’s Bailey. If your company network is damaged and goes offline for a few days, the cost can be significant.
“Good security can be a differentiator of a business,” Bailey says. “Companies have done what they can to drive digital transformation. Now they need to give security the same level of priority.”