[BreachExchange] Why Cyber Attacks Will Continue until Prevention Becomes a Priority

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 8 19:09:52 EDT 2017


Some learn best through observation, others only after making a costly
mistake. Unfortunately, many businesses have failed to heed the
cybersecurity lessons learned from the litany of major attacks over the
past few years.

Modern cybersecurity threats have evolved far beyond the days when
keyloggers and suspicious emails were considered sophisticated threats.
They've grown to incorporate new attack vectors such as connected devices,
as used in the 2016 Dyn distributed denial-of-service attack that disrupted
many popular websites. Businesses must also contend with leaked exploits
discovered by government intelligence agencies, such as the Vault 7
Wikileaks revelations around security flaws in virtually every major
operating system and application.

It's time for organizations to rethink their approach to security. Keeping
your organization safe must be a full-time commitment, not simply a passing
concern following the latest report of a data breach.

Cut Ties with Outdated Tech
Cybersecurity is often described as an arms race between security
professionals and skilled attackers, as both parties rush to gain the upper
hand. While even cutting-edge defenses are inevitably thwarted by
determined attackers, cybersecurity professionals are able to quickly react
and nullify attacks.

But many businesses don't keep tabs on the front lines of cybersecurity
development, leaving them several generations behind with regard to best
practices and current threats. For example, while multifactor
authentication has been recommended for more than a decade, many
organizations are only now adopting the technology across their
applications and platforms.

Making matters worse, many organizations fail to follow best practices for
maintaining and protecting their current environments, creating countless
avenues of attack for even inexperienced attackers. More than 9% of devices
are still running Windows XP, three years after Microsoft discontinued
support, giving malicious actors ample time to attack millions of
vulnerable yet critical systems.

Business leaders need to listen to their IT departments and devote more
time and resources to security best practices such as regular updates,
security audits, and penetration testing, resisting the urge to focus
solely on revenue-driving activities at the expense of loss prevention.

Invest in Security Training & Skills
Most organizations understand the importance of regular security training
for employees, but IT professionals within the company are often
overlooked. While your resident system administrator or network engineer
is unlikely to fall for a phishing attempt, what about the rest of your
employees? A single oversight is all it takes to undermine many other
precautions. Regular, top-to-bottom training is crucial for any
organization that wants to avoid becoming the victim of the next major

Overcoming Security Apathy
Many businesses suffer from the delusion that they are immune to
cybersecurity threats until it's too late. Whether relying on security
through obscurity or simply disregarding consistent warnings as hyperbolic
nonsense, organizations have shown that they're willing to risk massive
losses and reputation damage rather than overhaul their approach to
security. Although some organizations have taken note, many will have to
learn the hard way; attacks will escalate until businesses understand the
costs of neglecting security.