Anyone working in an industry undergoing rapid change, as cybersecurity is, must understand that the attack surface is constantly in motion. Stubborn or complacent adherence to a process that worked in the past, even just two years ago, is a sure-fire way to leave your organization vulnerable to a cyber criminal. We’ve pulled together three myths that we regularly hear when meeting with prospective customers. Review our list and ask yourself if your strategy is based on outdated or incorrect assumptions.
Myth 1: We have a patching program in place on our high-value systems which ensures they are protected.
Good – a patching program is certainly important. But what happens if your lesser systems (endpoints, POS terminals, etc.) have vulnerabilities that are actively targeted by the hacker community? Someone breaks into one of those systems using that exploit, disguises themselves as a normal user, works their way to the high-value system – and authenticates normally. Now your high-value system has been compromised because of a previously unidentified risk to a system that wasn’t on your priority list.
While risk-based approaches are useful – it always makes sense to implement patching for critical and/or high-value systems – it’s at least as important, if not more so, to implement a threat-based patching program. The number of vulnerabilities identified each year makes timely patching almost impossible. Prioritizing patching based on real-world hacker threat is a proven strategy that thwarts cyber attacks.
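The contrast between a purely risk-based ranking (severity weighted by asset value) and a threat-based ranking (severity plus evidence that attackers are actually using the flaw) can be made concrete. The following is an added example, not code from the original post or from CYR3CON; the inventory, the CVE-style identifiers (placeholders of the form CVE-0000-000N) and the weights are all constructed for illustration.

```python
"""Risk-based versus threat-based patch prioritization over a constructed inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str              # placeholder identifier, constructed for this example
    asset: str               # hostname the finding was reported on (constructed)
    cvss: float              # base severity score, 0.0 - 10.0
    asset_criticality: int   # 1 (commodity) .. 3 (high-value system)
    exploit_public: bool     # working exploit code is publicly available
    exploited_in_wild: bool  # observed in real attacks
    hacker_chatter: bool     # discussed in attacker communities


def risk_score(f: Finding) -> float:
    """Risk-based view: how bad is it, weighted by how much the asset matters."""
    return f.cvss * f.asset_criticality


def threat_score(f: Finding) -> float:
    """Threat-based view: severity plus evidence that attackers care about it.

    The weights are assumptions chosen for the example; a real program would
    calibrate them against its own threat intelligence.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score += 10.0
    if f.exploit_public:
        score += 5.0
    if f.hacker_chatter:
        score += 3.0
    return score


def prioritize(findings, key) -> list:
    """Return CVE ids ordered from 'patch first' to 'patch last' under `key`."""
    return [f.cve_id for f in sorted(findings, key=key, reverse=True)]


# Constructed inventory: one critical-severity flaw on the crown-jewel database
# with no known exploitation, versus a lower-severity flaw on a POS terminal
# that attackers are actively using.
INVENTORY = [
    Finding("CVE-0000-0001", "erp-db-01", 9.8, 3, False, False, False),
    Finding("CVE-0000-0002", "pos-terminal-17", 7.5, 1, True, True, True),
    Finding("CVE-0000-0003", "laptop-fleet", 6.5, 1, True, False, True),
    Finding("CVE-0000-0004", "hr-portal", 8.1, 2, False, False, False),
]


def compare_orderings(findings=INVENTORY) -> dict:
    """Both orderings side by side, so the shift in priorities is visible."""
    return {
        "risk_based": prioritize(findings, risk_score),
        "threat_based": prioritize(findings, threat_score),
    }


if __name__ == "__main__":
    for name, order in compare_orderings().items():
        print(f"{name:13s}: {' > '.join(order)}")
```

Under the risk-based ordering the ERP database flaw is patched first and the POS terminal flaw third; under the threat-based ordering the POS terminal flaw, the one attackers are actually exploiting, moves to the top. That is the lateral-movement scenario from Myth 1 expressed as a ranking rule.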
Myth 2: The largest threat to our organization is external so that’s where we’ve focused our efforts.
Unfortunately, this isn’t the case. In a recent report from IBM Security, 60% of all attacks were carried out by insiders. Even if your insiders are not being deliberately malicious, simple unintended negligence can be devastating. Consider that the hackers who executed the Equifax breach were able to significantly extend the breach because they located an unencrypted file containing a list of usernames and passwords for more Equifax systems. And if you think you’re doing better than Equifax, you might want to check in with your in-house developers. After Equifax was excoriated in the news for failing to fix the Apache Struts vulnerability that led to their epic breach, there was little change in the number of the same exact flawed Apache Struts components being downloaded (and presumably used) by a myriad of organizations over the following six months!
Helpful employees will share passwords, devices are stolen, passwords are leaked… the options are really only limited by the imagination of the hacker that targets your organization and the inadvertent missteps of your employees.
Consider instituting data protection programs, limiting access to sensitive data, improving your employee screening and analyzing user behavior for anomalies to patterns as a few methods for limiting this type of threat.
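One of the methods listed above, analyzing user behavior for anomalies, reduces to building a per-user baseline and flagging events that fall outside it. The following is an added example, not code from the original post or from CYR3CON. The authentication log lines, user names and host names are constructed, and the baseline (typical login hours and hosts per user) plus the one-hour tolerance are simplifying assumptions; a production system would learn from far more history and many more features.

```python
"""Per-user behavioral baseline and anomaly flagging over constructed auth logs."""
from collections import defaultdict
from datetime import datetime

# Constructed historical log used to learn each user's normal behavior.
# Format: <ISO timestamp> <user> <host> <action>
BASELINE_LOG = """\
2024-01-08T09:02:11 alice ws-alice-01 login
2024-01-08T17:45:03 alice ws-alice-01 logout
2024-01-09T08:55:40 alice ws-alice-01 login
2024-01-09T18:01:15 alice ws-alice-01 logout
2024-01-08T08:30:00 bob ws-bob-07 login
2024-01-08T16:50:27 bob ws-bob-07 logout
2024-01-09T08:41:12 bob ws-bob-07 login
2024-01-09T19:10:08 bob ws-bob-07 logout
"""

# Constructed new-day events to evaluate against the baseline.
NEW_EVENTS = """\
2024-01-10T09:05:00 alice ws-alice-01 login
2024-01-10T03:12:44 alice fileserver-02 login
2024-01-10T08:50:30 bob ws-bob-07 login
2024-01-10T12:00:00 bob ws-alice-01 login
"""


def parse(log_text: str):
    """Yield (timestamp, user, host, action) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, user, host, action = line.split()
        yield datetime.fromisoformat(ts), user, host, action


def build_baseline(log_text: str) -> dict:
    """Record, per user, the hours of day and hosts seen on successful logins."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host, action in parse(log_text):
        if action != "login":
            continue
        profile[user]["hours"].add(ts.hour)
        profile[user]["hosts"].add(host)
    return profile


def find_anomalies(profile: dict, log_text: str, hour_slack: int = 1) -> list:
    """Return (user, timestamp, reason) for logins that deviate from the baseline.

    A login is flagged when it comes from a host the user has never used, or at
    an hour more than `hour_slack` hours away from any hour in their history.
    """
    alerts = []
    for ts, user, host, action in parse(log_text):
        if action != "login":
            continue
        known = profile.get(user)
        if known is None:
            alerts.append((user, ts.isoformat(), "no baseline for user"))
            continue
        reasons = []
        if host not in known["hosts"]:
            reasons.append(f"new host {host}")
        if not any(abs(ts.hour - h) <= hour_slack for h in known["hours"]):
            reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((user, ts.isoformat(), "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for user, when, reason in find_anomalies(build_baseline(BASELINE_LOG), NEW_EVENTS):
        print(f"ALERT {when} {user}: {reason}")
```

Run against the constructed data, the ordinary morning logins pass silently, while alice's 03:12 login to a file server she has never touched and bob's midday login from alice's workstation are both flagged. Either pattern is consistent with a shared or stolen credential, the insider scenarios described above, and is the kind of event worth routing to an analyst.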
Myth 3: Cybersecurity is for defensive purposes only.
It’s easy to understand this thought process – we’ve retreated to our fortress and have built the walls tall and thick. No cyber criminal will get past our defenses (we hope).
There have been a few articles in recent years that express the concept of cybersecurity as a business enabler. Consider the position of a company considering international expansion. A strong security presence becomes an advantage, not a weakness, that enables the company to expand efficiently into new markets with a reduced risk profile.
Consider further a report from Vodafone that surveyed 1,434 businesses in 8 countries. Specific benefits attributed to a strong cyber security program include greater agility and efficiency, expansion of new business opportunities where the prospect required higher levels of vendor security, and the opportunity to launch new services and products within a more secure environment.
While we may not be ready to label cybersecurity as a profit center, it’s clear that well-strategized and executed cybersecurity programs add value to the organizations they support.
Few areas of business are more exciting than cybersecurity – the rapid rate of change and the continual evolution of the technology and tools we use every day make protecting our companies and ourselves from threat actors who wish to do harm a top priority. I hope you found this brief post helpful as we move further into the new year.
CYR3CON™ uses artificial intelligence to model, quantify, and predict attacks by malicious hackers. CYR3CON’s flagship product, CYR3CON Priority, has allowed several Fortune 500 companies to avoid cyber attacks before they appear in the wild by predicting which software vulnerabilities hackers will exploit in the future.