4 Bad Cyber-Security Habits
We hear about high-profile breaches almost every week in the news, but what actions are organizations taking to keep these breaches from happening? Implementing new solutions is great and new tools are always helpful, but it’s the bad habits formed by your team that can really hurt you.
Here are 4 bad cyber-security habits to break immediately:
1. Increased “Awareness” Doesn’t Mean Increased “Enforcement”
Telling someone that their password needs to be stronger is very different from enforcing multi-factor authentication (MFA) across the organization. Malware detection, penetration testing for security vulnerabilities, endpoint security, security analytics, network-threat detection and any other solution you deploy on your network should be installed and enforced, not merely suggested.
What about stolen credentials? Yes, stolen credentials remain among the top three ways bad actors get in. All identities should be managed and monitored. Privileged accounts should be controlled and scrutinized even more heavily. This isn’t just about compliance; it is about protecting yourself against real risk.
Lastly, third-party vendors should be held to the same standards and enforcement protocols if they are allowed to access your internal network. If anyone can reach your data, their access, movements and activities on your network should be monitored and your security rules enforced.
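The gap between "we told everyone to enrol in MFA" and "sign-in without MFA is blocked" is easy to measure once the identity inventory is in one place. The script below is an added example, not code from the original article: it audits a constructed account export for the three points above (every identity managed, privileged accounts scrutinized more heavily, third-party access bounded and reviewed). The inventory fields, the policy thresholds and the account names are assumptions chosen for illustration; a real run would replace `sample_inventory()` with a loader for your identity provider's export.

```python
"""Audit an identity inventory for the awareness-vs-enforcement gap.

Added example, not from the original article. The inventory format, the
account names and the policy thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    mfa: str                     # enrolled factor: "none", "sms", "totp" or "fido2"
    mfa_enforced: bool           # does an IdP policy block sign-in without MFA?
    privileged: bool
    third_party: bool
    last_review: Optional[date]  # last access review, None if never reviewed
    expires: Optional[date]      # access end date, None if open-ended


# Policy thresholds (assumed for the example): what "enforced" means in
# checkable terms rather than as advice.
PHISHING_RESISTANT = {"fido2"}
REVIEW_WINDOW = timedelta(days=90)

# Fixed "today" so the constructed data and its findings are reproducible.
TODAY = date(2024, 1, 15)


def sample_inventory() -> List[Account]:
    """Constructed export; not real accounts."""
    return [
        # Fully compliant privileged admin.
        Account("alice", "fido2", True, True, False, TODAY - timedelta(days=30), None),
        # Admin who "knows" about MFA but uses a weak factor and is overdue for review.
        Account("bob", "totp", True, True, False, TODAY - timedelta(days=200), None),
        # Vendor account enrolled in MFA but not required to use it, with no end date.
        Account("vendor-svc", "sms", False, False, True, None, None),
        # Ordinary user who was told to enrol and never did; nothing forces it.
        Account("carol", "none", False, False, False, None, None),
        # Contractor whose engagement ended ten days ago but is still enabled.
        Account("dave", "totp", True, False, True, None, TODAY - timedelta(days=10)),
    ]


def audit(accounts: List[Account], today: date) -> List[tuple]:
    """Return (account name, finding) pairs for every policy violation."""
    findings = []
    for a in accounts:
        # Awareness vs. enforcement: enrolment and policy are checked separately.
        if a.mfa == "none":
            findings.append((a.name, "no MFA enrolled"))
        if not a.mfa_enforced:
            findings.append((a.name, "MFA not enforced by policy"))
        # Privileged accounts get a stricter factor and a regular access review.
        if a.privileged:
            if a.mfa not in PHISHING_RESISTANT:
                findings.append((a.name, "privileged account without phishing-resistant MFA"))
            if a.last_review is None or today - a.last_review > REVIEW_WINDOW:
                findings.append((a.name, "privileged account not reviewed within 90 days"))
        # Third-party access must have a defined end, and must actually end.
        if a.third_party:
            if a.expires is None:
                findings.append((a.name, "third-party account with no expiry date"))
            elif a.expires < today:
                findings.append((a.name, "third-party account past expiry but still enabled"))
    return findings


def findings_by_account(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Group findings per account; compliant accounts map to an empty list."""
    report = {a.name: [] for a in accounts}
    for name, reason in audit(accounts, today):
        report[name].append(reason)
    return report


if __name__ == "__main__":
    for name, reasons in findings_by_account(sample_inventory(), TODAY).items():
        status = "OK" if not reasons else "; ".join(reasons)
        print(f"{name:12s} {status}")
```

The point of splitting `mfa` from `mfa_enforced` is that an enrolment report alone looks reassuring: `vendor-svc` is enrolled, but nothing stops that account from signing in without the second factor. Running the audit on a schedule, and treating any non-empty list for a privileged or third-party account as a ticket rather than a reminder, is what turns the advice in the section above into enforcement.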
2. Fear vs. Over-Confidence
Yes, there is quite a difference between living in fear of the next cyber-attack and being overconfident that your policies and processes will save you; however, both are dangerous!
Some decision makers believe that nothing they do can keep bad actors out of their network, so they stop trying. Others have so much faith in their solutions that they are unaware an intruder has already been on their network, undetected, for twelve months.
These two viewpoints are opposites, but both must be addressed. There is no such thing as being “too prepared” for an attack, so put in place processes that help prevent attacks, and that also alert you and prepare you to deal with them once they happen.
3. No Strategy for the Future
With so much going on in your day-to-day life, who has time to look to the future? Cyber-attacks continue to evolve and impact government, utilities, financial services, healthcare and other industries where personal data can be exploited.
Consider last year’s Dyn DDoS attack, in which a botnet of compromised consumer devices took major websites offline by flooding a single DNS provider. This one event showed the world that there is more to cyber-security than meets the eye. Now, professionals both in and out of cyber-security should be prepared for larger DDoS attacks along with even more sophisticated spear-phishing, privileged account exploitation, social engineering, ransomware and whatever else may come as this industry grows.
4. Lack of Corporate Accountability
In the beginning, I mentioned the difference between awareness and enforcement, but how do you bridge that gap? With corporate accountability. With more attacks and the increasing loss of customer data, you can expect cyber-security regulation to increase in every industry. We’ve already seen New York State release first-in-the-nation cyber-security regulations for financial services, and don’t think this will be the last.
Organizations that are already subject to governance and compliance regulation will see more enforcement in the next year and stiffer penalties. You can expect more extensive auditing and an increase in fines for anyone found out of compliance.