Effective cybersecurity is becoming a tougher problem as organizations embrace more types of devices and hardware. Protecting organizations requires more than tools, which companies tend to learn the hard way. Granted, as the technology stack changes, new cybersecurity tools become necessary. However, the problem has become so complex that no organization can afford all the tools, all the people, and all of the other resources it would need to protect itself against everything.
"You need to take a risk-based approach to security," said Garrett Bekker, principal analyst, Information Security at 451 Research. "You have to figure out what is an acceptable level of risk, which is easier said than done."
Different organizations and security experts prioritize risks differently, but the goal is to narrow the problem down into something that's manageable and effective while expanding awareness and responsibility.
Start by understanding the ways companies impede their security efforts so you can eliminate these unproductive practices in your own organization.
1. They deny they're a target
Denial is the poorest form of security. Some organizations think they're too insignificant to become a target in the first place so they don't worry about security.
"If you believe you're not at risk, then you're not taking [cybersecurity] seriously enough,"said Alan Brill, a senior managing director in the Cyber Risk practice at corporate investigations and risk consulting firm at Kroll. "I see cases coming in every day of organizations that have been compromised. When you drill down, part of the problem was an assumption of, 'Who would want to target us?' The bad guys."
2. They're unaware of their assets
Organizations suffer from many blind spots that enable exploitation. Because they're unaware of all of their IT and data assets, there's no way to assess all the vulnerabilities.
"Companies don't know where their data is and what the sensitivity level is, and that's become a huge problem with some of the data privacy laws. Cloud and mobility have made that a bigger problem," said 451 Research's Bekker. "If you talk to some of the cloud security vendors, it's not uncommon for enterprises to have upwards of a thousand cloud applications running across their network they don't even know about. What I hear quite frequently is companies will do a scan and find out they have thousands of databases they didn't even know about."
3. Cybersecurity is viewed as a technology problem
Cyberattacks are software attacks. On the other hand, why break into an organization when one can walk through the front door with someone else's credentials?
"It's not just a technology problem, it's an operational problem, it's a cultural problem," said 451 Research's Bekker. "One of the biggest threats to enterprises is their users being tricked into giving up their passwords over the phone or through phishing email. At the end of the day, it doesn't matter how big your firewall is. There's a social/cultural/behavioral element to it. Employees are arguably the weakest link internally."
4. Cybersecurity functions as an island
While the CISO is arguably the person responsible should a breach occur, cybersecurity is a cross-functional issue that affects other parts of the organization. For example, in the case of shadow IT, the CISO may be unaware of the asset and therefore can't assess the potential risk. Meanwhile, the user has accepted the service's terms and conditions, likely without reading them, which could violate the company's policies, as well as laws and regulations.
"It really has moved from being a technology issue to being a corporate, legal, and compliance issue that has to be tackled as an organizational problem," said Kroll's Brill. "[You should also include] HR because they get involved in personnel training. Some of our clients have taken it to the point where they've added questions about cybersecurity to performance reviews."
5. They don't understand the scope of their risks
Business at the speed of light typically means that in-house personnel lacks the time they would need to do a risk assessment. Since they can't do a risk assessment, they may be making educated guesses about vulnerabilities and how serious those vulnerabilities are.
"One my personal pet peeves is that the perception of an audit versus an assessment. An audit is a checkbox exercise, which is part of a broader assessment," said Chris Duvall, senior director at global advisory services firm The Chertoff Group. "In an assessment, you stand in the shoes [of] your adversary and ask what do they have, how can I turn it into money/power/destruction -- whatever the purpose is -- and what is the means by which I can get that."
6. They don't know what to address first
Risk management approaches differ. Kroll's Brill said one way to look at the problem is to decide which risks are within one's control and which aren't. For example, if employees are careless about passwords, require two-factor authentication. If in-house resource constraints are an issue, outsourcing may be wise.
"We recommend looking at the foundational aspects first and then expand it," said The Chertoff Group's Duvall. "It's cyber hygiene, looking at your password policies, account lockout, account inventory, asset inventory, having control over the identity and access management. Segmentation and whitelisting are [also] important."
7. They're not testing
Perimeter-based security isn't enough anymore. Organizations need to realize that their perimeters will be breached and take appropriate action. In addition, some companies endeavor to find out how they could be breached.
"Testing is the best way to see if your security controls are working," said The Chertoff's Group's Duvall. "Do you have pen teams, red teams or exercises? It may be outside [your] budget or scope, but do you have a person or two on your security team who be an internal red team or do pen tests? The organizations that we've come across, even with limited resources, find that useful."
8. They lack an effective security strategy
Most organizations find themselves in reactive mode when it comes to cybersecurity so the execution may be tactical without the benefit of an overarching strategy.
"You need to develop a strategy, identify your most important missions, and then identify people, processes and technology to address the most important issues," said Jonathan Reiber, head of Cybersecurity at data center and cloud computing security company Illumio. "Prioritization is one of the most important parts a security journey that an organization can go through. You have to be able to implement security in the best way you can around the assets that matter most to you as quickly as you can."