[BreachExchange] 6 ways you are sabotaging your cyber defences

Fri Jul 20 14:49:40 EDT 2018

http://www.itsecurityguru.org/2018/07/19/6-ways-sabotaging-cyber-defences/

If we asked any of the IT departments that we deal on a daily basis about
their current priorities, they would all unfailingly say that protecting
their company against cyber attacks and data breaches is top of the list –
particularly now that GDPR is finally in force.

However, despite high awareness of the risks in terms of reputational
damage, regulatory penalties and commercial losses, it’s evident that a
surprisingly high proportion of companies – from SMEs to global
corporations – are burying their heads in the sand when it comes to shoring
up their cyber defences.

Here are 6 ways that we see companies failing to minimise their chances of
suffering an information breach.

- Neglecting security until it’s too late

This is a far more common story than you would imagine. The reason? Until
they’ve been targeted by cyber criminals, many companies still won’t
recognise the very real likelihood – and potentially devastating impact –
of a security breach. They think they can get away with not spending money
until a crisis occurs.

Firstly, if there was a system to rate the cyber security threat at an
individual company level, it would be severe – an attack is highly likely.
Nearly half of all businesses in the UK were hit by a cyber attack in the
last 12 months, with 38 new ransomware attacks being reported every day.
Secondly, as we tell clients – prepare for disaster, recover faster!

- Thinking you can prevent breaches

In the security world, preparation doesn’t mean prevention. We are all
engaged in a constant battle with ever-more sophisticated cyber criminals,
and attacks are going to happen. Your security strategy should focus on
defence but also response. Early identification and containment is
absolutely vital. Once an attacker has infiltrated a laptop or email
system, can they then roam freely around your entire network? Think of them
like physical intruders, who will try any route. You’ve designed the
building so install fire doors to slow them down!

- Not defining your business-critical data assets

Many organisations, especially those who have been hit by a breach and are
in panic mode, haven’t covered off one of the basics: defining information
assets and ranking them by priority in order to conduct a proper risk
assessment. In essence, this crucial step is about understanding what you
hold, its importance to the business and specific security risks. Only then
can you make informed decisions and put the right measures in place.

- Not testing defences appropriately

It’s well-recognised that companies should conduct an independent review of
their information security posture every 12 months. But we find that a
security testing strategy needs to be more flexible than this. A rigid
annual review can expose you to vulnerabilities if you’ve installed new
software or servers, for instance. Ideally, a pen test should be carried
out after any significant change to your IT infrastructure.

- Over-relying on tech

Security is a process, not a product – and to mitigate the risks associated
with social engineering, this is a fundamental lesson to take to heart.
Overlooking the human angle will cause even the most advanced technical
barriers to crumble. Train your staff, refresh that training, embed it into
HR procedures and regular team meetings, put policies and procedures in
place – and check that they are followed. Clients often tell us that they
have the tightest security policies known to man – yet nobody is monitoring
how well staff understand and adhere to them. Remember that the workforce
is your frontline defence.

- Resistance to change

Is the IT or senior management team open to challenging existing ways of
working, such as by bringing in external security advisors? It’s important
to be honest with yourself about the capacity and limitations of your
in-house resources. There is no room for being defensive or territorial in
IT security – in fact those attitudes could lead to very serious problems,
particularly under the GDPR which makes data protection everybody’s
business. Risk assessments and decision-making needs to be objective – and
sometimes that’s easier to hear from a third-party.

Of course, many of these fundamental processes are a requirement for ISO
27001-certified firms, but even then we find that there is often an
emphasis on box-ticking and meeting initial standards, which tend to lapse
over time. An effective information security framework needs to be
continually refreshed and honed – with a security mindset embedded into
your company’s culture at every level.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180720/47f9731c/attachment.html>