It's easy to rest on our laurels. Prevent a few breaches – or go long enough without one – and you start to feel invincible. While our efforts are certainly laudable, we can't get too comfortable.
As defenders, we always need to be on the hunt for what we've missed and ways to do better. Here are ten common cybersecurity mistakes that crop up (and how to avoid them):
- Failing to get executive support. It's tempting to run off in what you believe is the right direction before getting C-suite approval (ask for forgiveness, not permission, right?). However, that can backfire with unintended consequences down the road. If you think your executives will balk at the price of ongoing security measures, try adding the cost of a breach to the budget package. That kind of price-conditioning can make them far more willing to fund necessary precautions now.
- Not testing often enough. Yes, you heard it right. Testing needs to be done both early and often, and anything less (like once a year) devalues the testing you have already paid for. Put it this way: every time you add a service, a piece of software or code, a suite, an intern, an executive, a platform – anything – you introduce new risk, and last year's test says nothing about it. If you could scan every day, you should. That isn't always an option, even for the most conscientious companies, so testing at least quarterly is a good place to start.
- Playing a purely defensive game. We've all heard it: the best defense is a good offense. And it's true. Cybersecurity often gets a purely defensive rap, which undeservedly sells it short. Cybercriminals are constantly catching corporations unaware, and all too often, the SOC analysts on the ground have never dealt with anything like them before. Vulnerabilities they've patched. Phishing emails they've avoided. But an APT, an advanced threat or even just a real red-alert intrusion can all be new ground. Get your digital and personnel nervous systems ready for an attack by peppering them with offensive security exercises like penetration testing and red teaming before day zero, so the first time your team handles a live intrusion isn't the real one.
- Underestimating the human element. This is a fatal error, as you'd be discounting a factor in 74% of data breaches. According to the Ponemon Cost of a Data Breach 2022 Report, the top initial attack vector last year was stolen or compromised credentials – apparently, a lot of us are falling for the scams and handing over sensitive information. And that's why black hats keep coming back; we're a steady, predictable source of income. To tighten those reins, introduce an employee Security Awareness Training (SAT) program, practice the principle of least privilege so a single compromised account can't reach everything, and require multi-factor authentication so a stolen password alone isn't enough to get in.
- Buying the wrong tools. Know before you go investing in the latest and greatest (that nobody in your SOC knows how to use). If you're not careful, your next-gen tool becomes a this-gen problem as your department is left scrambling to find someone with the cycles to train on it (and teach it to everyone else). Often, teams pressed for time split the difference, learning the bare minimum to make it run but not enough to "make it sing." This undercuts much of the reason it was bought in the first place, as those additional (and often expensive) value-adds go unused. Buy the right tools. Buy tools that your SOC can use or can train on quickly. And invest in tools from a vendor that is responsive, available 24/7 and willing to manage some of the extra functionality for you – just in case.
- Thinking "compliant" means "safe." Maybe one day, but not today. As of now, compliance means "pretty close to best practice," and that's a good start. But it's not the be-all and end-all, so organizations need to do their own due diligence where security is concerned. Compliance and security need to be thought of as two separate entities with two separate purposes that sometimes touch: an auditor checks that a control exists, not that it would stop the attacker who is actually targeting you. Identify your company's highest-risk targets and take steps to protect them – whether you get the compliance kudos or not. And then – make sure you're fully compliant. You don't need an audit derailing things. Picking the right security vendor can help you do both.
- Not caring enough. This is right where the cybercriminals want you – unaware and "I don't care." It can happen all too easily when SOCs are buried under the 1,000-plus daily alerts they're dealing with, never mind trying to get ahead with proactive protective measures (or even strategy). Teams are swamped, and it's in that vulnerable state that threat actors make their move. If it's resources that are stretched, the right investment in the right place can offload some of the burden, letting you do more with less.
- "Invincible" thinking. Small businesses fall into this mindset a lot, thinking they have nothing of value to an outside attacker. If all attackers were after billions of dollars and state secrets, that might be true. But they're not. There are countless black hats who make a living off "small" sums, ransoms that add up, and hawked credential lists. Any company with users and logins has what they're looking for. This same thinking can and should be applied to organizations of any size. Combat "it can't happen to me"-itis with regular risk assessments, pen tests, SAT and red teaming to prepare your organization; because it can.
- Not watching your supply chain. As the world connects, we draw on each other's strengths and weaknesses. That's why it's so important to watch who's in your supply chain and what they're doing. Ideally, they should have the same standards of security as your organization (or better). No worse, or that's a deal-breaker. As the field widens and it becomes easier to take on partners around the globe, businesses are becoming choosy about who they want upstream of them – and why shouldn't they be? Between 2019 and 2022, the number of software packages impacted by supply chain attacks rose from 702 to 185,572. Companies should screen potential partners and ensure their supplier contracts require vendors to carry out regular security testing and take measures to protect sensitive data.
- Dropping the ball on physical security. It may feel like an old-fashioned concern, but it is as relevant today as it ever was. Physical security should be top of mind (or at least in mind) for security executives looking to defend from all angles. The server room needs to be protected. Anybody could join the network by plugging into an unattended network jack. A badge could be faked by a social engineer, or a USB stick "dropped" in the parking lot. These are still risks. They always will be. Sometimes we're stuck peering so far above our heads that we miss what's at our feet; cybercriminals will use any means necessary to reach their objective, and the least-expected route is exactly the one they want. Require multiple forms of ID on building entry, put old-fashioned (or new-fashioned) locks on the server room, and stay wary with a social engineering pen test to keep employees on their toes.
Defend against cybersecurity threats by staying smarter than the competition. In this case, that's both other organizations and the cybercriminals themselves. As the Verizon 2023 DBIR states, seventy-four percent of data breaches involve the human element – someone who wasn't being wary – and that's a number that doesn't have to be. Whether it's being "too tough to hack" or simply tougher than the other guy, keeping an eye out for these ten common cybersecurity blunders might make you safer faster than any single solution alone. If you're interested in more advice on this topic, we also prepared a short guide for you!
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.