10 Typical Cyber Security Issues Your Company is (Hopefully Not) Facing
We tell ourselves that we’re prepared. We tell ourselves that they aren’t us. We believe deep down that it won’t happen to us, anyhow. Why would it, after all? We have the best cyber security solutions and team possible.
That is, until it does.
We’re talking of course, not about traffic accidents, home burglaries, or other day-to-day mishaps, but about cyber-attacks – especially those of the catastrophic variety.
While it is human nature to hunker down and hope for the best, security professionals know that self-examination is the real key to guarding the keys to the castle. The axiom “know thyself,” it turns out, is important to individuals and organizational networks alike.
In this spirit, we’ve compiled a list of ten ways we (as humans playing a role in organizations at risk) may be deluding ourselves about the likelihood of a cyber-attack affecting us and have written 10 typical cyber security issues:
According to a 2013 report from data security provider Symantec, 31% of targeted cyber attacks in 2012 were leveled against businesses with fewer than 250 employees. The report further points out that this represents a massive jump from 18% in the previous year. Cyber criminals are targeting small businesses in increasing numbers. And yet Symantec has also found that an incredible two-thirds of small and medium-sized businesses do not worry about cyber attacks. Perhaps hackers are reading these reports as well…
2. We are compliant. Therefore, we are as secure as we could possibly be.
Uh… So were Target, Home Depot and JP Morgan. Need we say more?
3. We already defined our own rules to alert us on abnormal behavior
Proper profiling of your network not only requires expertise, but it is also an ongoing task that must be done continuously. Setting up thresholds or custom rules on traditional monitoring tools to be used to detect abnormal behaviour, may work temporarily but any change in the network normal behavior will require re-defining those thresholds and rules. While security analysts are extremely capable and knowledgeable about their network, translating this knowledge into a well defined policy of current monitoring solutions is a very long and complicated task, and when this is not constantly updated, it quickly becomes irrelevant causing the systems to generate too many alerts in addition to numerous false-positives.
4. We monitor, therefore we are secure.
Ongoing monitoring is an important aspect of your cybersecurity efforts, but security cannot rely on monitoring alone once compliance has been achieved. Mature security policies are highly-proactive – constantly assessing risk, examining the short and long-term threat landscape, improving layered defenses, and working to shape organizational security awareness and culture.
5. Our employees understand the basic security risks of connecting to public Wi-Fi.
We’ve come to expect a wireless signal wherever we are. Many people don’t think twice about hopping onto a random (and unprotected) wireless network just to get some work done. But a quick email is no excuse. That’s all it takes for someone with ill intent to intercept data and steal sensitive information.
6. I have a firewall, IPS, sandbox and antivirus. Therefore, my network is protected.
It’s a fact: intrusion prevention solutions cannot provide 100% protection. A persistent, highly-determined and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional prevention solutions like firewalls, sandboxes, and antivirus can’t help. Once they’ve bypassed these solutions, attackers are free to operate in your network unobstructed.
7. Our employees love working at our company and would never do anything to compromise our network.
Security professionals are cynical by nature. But let’s remove our sheriff hats for a moment, and pretend that all company employees are 100% trustworthy, and never vengeful or malicious even if they’re being, for example, downsized.
So they won’t purposefully hurt your company. Got it. So, let’s talk passwords.
From operating system logins and file encryption to web accounts and beyond, weak passwords are arguably the most common, most easily-exploitable security flaws. If your users are using their birthdays for passwords, they might as well be holding the door open for attackers. And this is just one example.
8. We don’t need to worry about the security of cloud services from highly-reputable companies like iCloud, Salesforce, Amazon, DropBox, etc…
Well the celebrities who uploaded their personal photos to iCloud will now definitely tell you that this is definitely not the case.
9. We use Macintosh, so we don’t need to worry about being hacked.
It is true that there are fewer malwares targeting Mac operating systems compared to Windows but that certainly doesn’t make the Mac secure. There are estimates that 700,000 Mac OS X users suffered from the Flashback Trojan virus. The reason being that Mac users didn’t think they needed to install antivirus programs. An even more recent event involving Reddit has shown that Macs are definitely not resilient to cyber attacks.
10. We need to concentrate our efforts on recruiting the best cyber security professionals we can afford.
It’s true that cyber security should be an organizational mindset and you need a top-class security team. That said, the team you have at the moment could easily get the ball rolling. Many steps are simply common sense, and there may not be a need to bring a high-paid security superstar on board urgently.
It is the dream of every CISO is that he can expand his team and have someone that understands every single feature of his existing security solutions.
Even if this was possible these security professionals cannot possibly keep up with their day-to-day tasks and also keep up with new threats and technologies.
So whether or not you’re hiring new experts – make life simpler for your existing team by adopting tools that minimize the runaround associated with day-to-day security and tasks. Teams occupied with thousands of false positives are less likely to identify actual attacks. Find the right breach detection solution (like LightCyber Magna) that frees up, not ties up, your existing and future valuable security resources. Make sure that your company isn’t facing any of these typical cyber security issues.