Being responsible for the cyber security of your organization is an important role: cyber security mistakes open a clear pathway for threats to enter your network, applications, and/or mailboxes. Very seldom do organizations have the proper resources and training in place to allow these employees to excel in their role. When security is not being breached, the role goes unnoticed — unless of course you're being asked to do an unrelated IT task by a co-worker. This is not anyone’s fault, but the problem needs to be addressed and these critical security roles cannot remain ill-equipped. But what about the costs? If you do not have the budget to hire a full-time security team, then allow a cyber security consulting company to provide the resources at a better cost.
With the onslaught of virtualization, mobile computing, and cloud technologies, the roles of security practitioners in the workplace have not subsided but have actually become more complicated. For example, many key business decisions are made outside of the actual IT department, so being proactive in determining reasonable, cost-effective security practices has become the norm for today’s security professionals.
Regardless of the situation, we can all agree that cybersecurity plays an important part in every company. With the demonstrated risk posed by cyber attackers and the daily occurrences of security breaches, I wanted to share with you five of the most common mistakes made by security professionals through the list of statements below.
Top 5 Most Common Cyber Security Mistakes:
1) “We're not in the business of IT security.” – I once read that McDonald’s was not in the hamburger business, but the real estate business. This makes complete sense given the number of locations at which the “golden arches” seem to be present. I bring this up because all too often employees confuse their day-to-day roles/responsibilities with their initial job description. Unfortunately, working in the accounting department does not excuse you from maintaining situational awareness, abiding by the corporate password policy, or observing information sensitivity. Educating our user community is one very important aspect of cybersecurity and is often overlooked in favor of more “pressing” business matters. Fortunate or unfortunate, the great power that this technology brings to any business comes with responsibilities for security.
If only the Surgeon General of the United States added a warning on the side of every technology box stating, “Warning: this box could be harmful to your company’s health and reputation. Use technology in moderation and manage your consumption through solid security practices. This product may increase the potential for a breach, poor reputation and possibly a financial loss.” Think of your new technology as a “superpower”, which is extremely powerful and even dangerous if not used properly. A quote from Spiderman’s Uncle Ben comes to my mind with this reference, “with great power comes great responsibility”, always remember this when adding new technology to your existing environment.
2) “We always have someone available on Patch Tuesday in our organization.” – This could easily be number one on my list. This seems to be the response of many organizations managing security operations. The auditor comes in and is directed to the department responsible for patching, and everything is good, correct? Not really; this is another one of the common cyber security mistakes I hear today. For the most part, I have found that when a company explains that their patching is under control or that they patch all critical risks, they typically mean from an Operating System (OS) perspective. How about your applications? I have found that many organizations avoid patching certain applications for fear of compatibility problems. I also hear confidence in the fact that critical patches are applied and everything else is an acceptable risk, plus explanations that some enterprise management tools only work well for patching core technology, and that the rest is a manual process left for later or ignored because it is difficult to address.
Application-centered attacks easily exceed OS-level ones, and not being on top of the application patching in your environment could lead to significant opportunities for breaches. After hearing these statements, the questions that should be asked are how configuration management, asset management, assessment, patch testing and prioritization of patches are handled prior to patching, along with how patch verification is handled and which metrics are tracked afterward to determine whether the objectives of patch management are being met, rather than just feeling comfortable that someone is on staff on Patch Tuesday.
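The patch-verification metrics the previous paragraph asks for can be computed directly from an asset inventory. The following is an added example, not code from the original post; it assumes a hypothetical inventory export in which each record carries the installed version, the minimum version the patching policy requires, the severity of the issues that version closes, and the date the patch was released. Splitting the compliance rate by OS versus application makes the pattern described above (OS patching looks complete while application patching lags) visible as a number rather than a feeling.

```python
"""Patch-verification metrics over a constructed asset inventory.

Added example, not from the original post. Assumes a hypothetical inventory
export with one record per (host, component); the SLA days per severity are
illustrative placeholders, not a standard.
"""
from dataclasses import dataclass
from datetime import date

# Lower number sorts first; used to rank the overdue list.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Assumed remediation windows in days per severity (placeholder policy).
DEFAULT_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class InventoryRecord:
    host: str
    component: str
    kind: str          # "os" or "app"
    installed: str     # version currently installed
    required: str      # minimum version that closes the known issues
    severity: str      # severity of the issues the required version fixes
    released: date     # date the required patch was published


def parse_version(v: str) -> tuple:
    """Turn '10.0.19045' into a comparable tuple; numeric parts compare as ints."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def is_compliant(rec: InventoryRecord) -> bool:
    return parse_version(rec.installed) >= parse_version(rec.required)


def patch_metrics(records, today: date, sla_days=None):
    """Return (summary, overdue).

    summary: compliance counts and rate per kind ("os" / "app").
    overdue: (host, component, severity, days_past_sla) for non-compliant
             records older than their severity's SLA, worst first.
    """
    sla_days = sla_days or DEFAULT_SLA_DAYS
    summary = {}
    for kind in ("os", "app"):
        subset = [r for r in records if r.kind == kind]
        compliant = sum(1 for r in subset if is_compliant(r))
        summary[kind] = {
            "total": len(subset),
            "compliant": compliant,
            "rate": round(compliant / len(subset), 3) if subset else 1.0,
        }
    overdue = []
    for r in records:
        if is_compliant(r):
            continue
        age = (today - r.released).days
        past_sla = age - sla_days[r.severity]
        if past_sla > 0:
            overdue.append((r.host, r.component, r.severity, past_sla))
    overdue.sort(key=lambda t: (SEVERITY_ORDER[t[2]], -t[3]))
    return summary, overdue


# Constructed sample inventory: every OS is current, most applications are not.
SAMPLE_INVENTORY = [
    InventoryRecord("ws-01", "windows-os", "os", "10.0.19045", "10.0.19045", "critical", date(2024, 3, 12)),
    InventoryRecord("ws-02", "windows-os", "os", "10.0.19045", "10.0.19045", "critical", date(2024, 3, 12)),
    InventoryRecord("srv-01", "linux-kernel", "os", "5.15.0", "5.15.0", "high", date(2024, 3, 1)),
    InventoryRecord("ws-01", "pdf-reader", "app", "22.1.3", "23.0.1", "critical", date(2024, 2, 20)),
    InventoryRecord("ws-02", "pdf-reader", "app", "23.0.1", "23.0.1", "critical", date(2024, 2, 20)),
    InventoryRecord("ws-01", "browser", "app", "121.0", "122.0", "high", date(2024, 3, 25)),
    InventoryRecord("srv-01", "web-framework", "app", "4.1.0", "4.2.0", "medium", date(2023, 12, 1)),
]
SAMPLE_TODAY = date(2024, 4, 1)


def sample_report():
    """Run the metrics over the constructed inventory (used by the test)."""
    return patch_metrics(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    summary, overdue = sample_report()
    for kind, m in summary.items():
        print(f"{kind}: {m['compliant']}/{m['total']} compliant ({m['rate']:.0%})")
    for host, comp, sev, days in overdue:
        print(f"OVERDUE {sev:8} {host} {comp} ({days} days past SLA)")
```

On the sample data the OS rate is 100% while the application rate is 25%, and the browser gap is not yet overdue because it is still inside its window; a report that only tracked "did Patch Tuesday happen" would show none of this.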
3) “Call our security team and get their thoughts on this …” – One of the things often overlooked in the world of cybersecurity is the development of a “security-first” mindset. While many organizations will rely heavily on the security department to set policy, improve security awareness, manage defenses, harden systems, apply patches, and set permissions, the fact is that establishing an effective cybersecurity program means security professionals should be involved in the day-to-day evolution of business operations as an integrated team. Too many times we find companies that have partitioned off their security employees to a remote place and only bring them in at the tail end of a project to seek security guidance. Not to mention that many fail to include a security conduit in the leadership of the organization with the authority to impact operational decisions.
4) “We just don’t have that in our current budget.” – From my experience, I have seen many companies practice foolish forecasting and spending practices as they pertain to the management of security risks. The majority of the time, organizations spend budget dollars on solving past problems and don’t focus their attention on prioritizing risk mitigations. This is a common mistake in security, leaving excuses for not tackling sometimes significant risks due to budget challenges. Being successful at cybersecurity goes well beyond fixing yesterday’s problems. Any effort has to be a sustained approach that tackles past, present, and future risks based on each organization’s unique business scenario. There should be a comprehensive approach from start to finish for evaluating risk, with strategic budgeting for priorities, along with sufficient resources in financial dollars and expertise set aside for emergency resolution of risks or new requirements that arise after budget forecasting. Essentially, statement #4 communicates that the issue has no priority or low priority, or that it emerged unexpectedly. Having a reserve set aside for emergencies may help deal with the excuses created by not having a budget for pressing security needs.
5) “We monitor, therefore we are secure!” – While most often driven by a particular compliance requirement, our security cannot be left to monitoring alone once compliance has been achieved. Certainly, monitoring is an important aspect of the cybersecurity core practices, but just as important is the ability to assess risk and determine the short- and long-term threat landscape. Relying on monitoring alone to react to threats, without improving layered defenses and prioritized management of risk along with forecasting and budgeting for an acceptable level of risk, is potentially an indicator of a security program lacking maturity.
As today’s threats become more complex, the need to keep our users' awareness elevated has become an ever-increasing part of cybersecurity. This in no way depicts all of the mistakes to avoid when implementing a strong cybersecurity program, but making you aware of these statements may assist in uncovering other common pitfalls. The battle against IT threats is constant and evolving; the more we understand the need to be proactive in our evaluation of risk, budget forecasting, management of defenses and governance of security programs, the better prepared we will be to take the offensive.