June 11, 2019 by Siobhan Climer
Enormous data breaches and cybersecurity incidents rock the news cycle practically every week. From the dramatic 2017 Equifax data breach to the March 2019 Facebook unsecured database of 600 million users, even the biggest companies make mistakes.
The same is true of organizations of every size in every industry. Cybercrime attacks are rising, targeting lucrative data banks of personally identifiable information (PII), something almost every company has.
While cyber attacks may seem like they come from left field, it’s important to recognize the commonalities. According to the 2019 Verizon Data Breach Investigations Report, 71% of attacks are financially motivated, and 69% are perpetrated by outsiders.
Attackers don’t reinvent the wheel for every attack they perpetrate. The methods by which data is breached, triggering a significant security incident, are often similar – if not identical – across the world. Understanding the most common cybersecurity mistakes helps a business prepare for the most prevalent risks.
Avoid Most Common Cybersecurity Mistakes
By avoiding the most common cybersecurity mistakes – and thereby deterring most attackers – businesses can implement improved security measures and protect their organization.
1. Underestimating Hackers
More than half of all breaches involve hacking. Hackers use a variety of tactics, including phishing, open source intelligence, and social engineering. By stealing valid credentials – through brute force or sometimes just by asking nicely – hackers infiltrate the network and move about unnoticed. In fact, more than half of all breaches take months to discover.
For many SMBs and mid-market organizations, an unfortunate myth has arisen: hackers do not target small businesses because they have little to gain.
THIS IS A MYTH.
SMBs and mid-market organizations are at high risk. Hackers know these organizations cannot invest in every security solution and may have a weak or only partially resilient cybersecurity strategy.
Simply put, smaller organizations are more likely to have gaps in their security posture. And that’s what hackers are looking for – easy access points through which they can enter a network and wander leisurely until they find valuable data.
2. Ignoring The Insider Threat
While outside forces are more likely to attack the network, another, closer threat also exists: the internal user. Whether a malicious insider or a negligent user, 90% of organizations believe they are at risk of an insider attack, according to the 2018 Cybersecurity Insiders Insider Threat Report.
The reasons for the risk are various: 37% of respondents note excessive user privileges, 36% note IoT and BYOD, and 35% simply chalk it up to the complexity of technology today.
By focusing only on the perimeter, companies ignore a very real threat. The most common cybersecurity mistakes include disregarding the internal user.
3. Disregarding Security Awareness Training
While some “insider attacks” are due to malicious insiders and disgruntled employees, many are simply due to human error. By clicking on a phishing email, engaging in shadow IT, or improperly storing data, internal users open the business to increased risk.
Security Awareness Training is, truthfully, not enough in and of itself. In fact, even after directed training, 25% of internal users still fall for phishing scams or improperly share and store data.
Yet, that is 75% less than what would happen without security awareness training. Developing a security posture is all about building up layers of deterrence, and security awareness training is a vital layer in that posture. The most common cybersecurity mistakes are often basic, and security training is at the top of the basics list.
4. Failing To Enact A Data-Centric Security Strategy
Because threats come from both outside and inside the perimeter, it is important to adopt a zero-trust model of security and focus on the data itself. Some security evangelists even argue that there is no network perimeter anymore, and the influx of BYOD policies and IoT device networks certainly supports this notion.
The other issue is the sheer amount of data. Big data is called a problem for a reason: with so much data coming in – and so much of it holding value to the business – companies simply can’t manage all of it. More data means more opportunities for that data to be stolen.
In every old prohibition-era movie, there is some invaluable leather-bound ledger (or two – hey, cooking the books happened) locked up in some safe. Those ledgers are now distributed in every department and hold much more than names and numbers.
Companies today often make the mistake of trying to protect *all* data, and that isn’t feasible. The key is to identify which data is most at risk – and which poses the most risk to you if it is lost – and then secure it accordingly. Failing to enact a data-centric strategy is one of the most common cybersecurity mistakes companies make.
5. Over-Confidence And Threat Relegation
According to Mindsight Senior Security Solutions Architect Mishaal Khan, there are two common misconceptions:
1) Businesses think they are secure;
2) Businesses don’t care if they are secure.
A lot of people think that because they have a firewall or had phishing trainings, they are secure. No, you’re not. Even I cannot help you be absolutely secure. I can get you where you want to be and target your top ten threats, but never say you’re secure. I’m not secure. I’m exposed as well, and I do this for a living. Nobody’s immune.
The second misconception is a failure to recognize the threat. Businesses believe that security doesn’t matter, and they have nothing to lose. Again, Khan:
It’s the data you can lose. It’s your reputation you can lose. And all of that amounts to money. Your business can be shut down because you got hacked and no one wants to do business with you. Nothing got lost on the way, but your reputation got lost. Is that not worth anything to you?
Protecting Yourself From The Most Common Cybersecurity Mistakes
By understanding the threat to your business, and by taking action to secure yourself against these common threats, companies can make a real dent in their risk profile.
Working with experts is key to protecting your business. In all likelihood, threat actors are examining your infrastructure right now, looking for gaps and opportunities.
Mindsight’s experts include certified ethical hackers and cybersecurity experts who understand the way attackers think and act. Schedule a time to talk with our security team today.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About The Author
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year-old daughters. Find her on Twitter @techtalksio.
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.