5 Most Common Cybersecurity Mistakes Companies Make
June 11, 2019 by Siobhan Climer
Enormous data breaches and cybersecurity incidents rock the news cycle practically every week. From the dramatic 2017 Equifax data breach to the unsecured Facebook database of 600 million users uncovered in March 2019, even the biggest companies make mistakes.
The same is true of organizations of every size in every industry. Cybercrime attacks are rising, targeting lucrative data banks of personally identifiable information (PII), something almost every company has.
While cyber attacks may seem like they come out of left field, it is important to recognize the commonalities. According to the 2019 Verizon Data Breach Investigations Report, 71% of attacks are financially motivated, and 69% are perpetrated by outsiders.
Attackers don't reinvent the wheel for every attack they perpetrate. The methods by which data is breached, triggering a significant security incident, are often similar, if not identical, across the world. Understanding these most common cybersecurity mistakes helps businesses prepare for the most prevalent risks.
Avoid the Most Common Cybersecurity Mistakes
By avoiding the most common cybersecurity mistakes – and thereby deterring most attackers – businesses can implement improved security measures and protect their organization.
1. Underestimating Hackers
More than half of all breaches feature hacking. Hackers use a variety of tactics, including phishing, open source intelligence, and social engineering. By stealing authentication credentials, whether through brute force or sometimes just by asking nicely, hackers infiltrate the network and move about unnoticed. In fact, more than half of all breaches take months to discover.
For many SMBs and mid-market organizations, an unfortunate myth has arisen: hackers do not target small businesses because they have little to gain.
THIS IS A MYTH.
SMBs and mid-market organizations are at high risk. Hackers know these organizations are unable to invest in every security solution and may have a weak or only partially resilient cybersecurity strategy.
Simply put, smaller organizations are more likely to have gaps in their security posture. And that is exactly what hackers are looking for: easy access points where they can enter a network and wander leisurely until they find valuable data.
2. Ignoring The Insider Threat
While outside forces are more likely to attack the network, another, closer threat also exists: the internal user. Whether a malicious insider or a negligent user, 90% of organizations believe they are at risk of an insider attack, according to the 2018 Cybersecurity Insiders Insider Threat Report.
The reasons for the risk vary: 37% of respondents cite excessive user privileges, 36% cite IoT and BYOD, and 35% simply chalk it up to the complexity of today's technology.
By focusing only on the perimeter, companies ignore a very real threat. The most common cybersecurity mistakes include disregarding the internal user.
3. Disregarding Security Awareness Training
While some “insider attacks” are due to malicious insiders and disgruntled employees, many are simply due to human error. By clicking on a phishing email, engaging in shadow IT, or improperly storing data, internal users open the business to increased risk.
Security Awareness Training is, truthfully, not enough in and of itself. In fact, even after directed training, 25% of internal users still fall for phishing scams or improperly share and store data.
Yet, that is 75% less than what would happen without security awareness training. Developing a security posture is all about building up layers of deterrence, and security awareness training is a vital layer in that posture. The most common cybersecurity mistakes are often basic, and security training is at the top of the basics list.
4. Failing To Enact A Data-Centric Security Strategy
The threats described above are precisely why it is so important to adopt a zero-trust security model and focus on the data itself. Some security evangelists even argue there is no network perimeter anymore, and the influx of BYOD policies and IoT device networks certainly supports this notion.
The other issue is the sheer amount of data. Big data is a problem for a reason. With so much data coming in – and so much of it holding value to the business – companies simply can’t manage all of it. More data means more opportunities for that data to be stolen.
In every old prohibition-era movie, there is some invaluable leather-bound ledger (or two – hey, cooking the books happened) locked up in some safe. Those ledgers are now distributed in every department and hold much more than names and numbers.
Companies today often make the mistake of trying to protect *all* data equally, and that isn't feasible. The key is to properly identify which data is most at risk, and which data poses the most risk to you if lost, and then secure it accordingly. Failing to enact a data-centric strategy is one of the most common cybersecurity mistakes companies make.
5. Over-Confidence And Threat Relegation
According to Mindsight Senior Security Solutions Architect Mishaal Khan, there are two common misconceptions:
1) Businesses think they are secure;
2) Businesses don't care if they are secure.
The first is over-confidence. Companies often think that because they’ve taken an action to develop their security posture, they’re secure. Here’s what Khan has to say about over-confidence:
A lot of people think that because they have a firewall or had phishing trainings, they are secure. No, you’re not. Even I cannot help you be absolutely secure. I can get you where you want to be and target your top ten threats, but never say you’re secure. I’m not secure. I’m exposed as well, and I do this for a living. Nobody’s immune.
The second misconception is a failure to recognize the threat. Businesses believe that security doesn’t matter, and they have nothing to lose. Again, Khan:
It’s the data you can lose. It’s your reputation you can lose. And all of that amounts to money. Your business can be shut down because you got hacked and no one wants to do business with you. Nothing got lost on the way, but your reputation got lost. Is that not worth anything to you?