Cyber CEO: 5 Outdated but Common Cybersecurity Practices You Should Avoid

September 23, 2021

The pace at which enterprises went through digital transformation over the past 18 months was lightning fast. For many teams, the priority was keeping the lights on and surviving, leaving their security teams scrambling to catch up once the company's operations were already online. As the rate of cyber breaches like ransomware attacks skyrockets, organizations now have no choice but to face the truth -- cybersecurity is no longer optional. But I would add that it's not just cybersecurity that is required, but updated cybersecurity: a security strategy that can truly prepare and defend your enterprise against the modern threat landscape.

The bygone ways of approaching information security simply won't cut it today. You can't expect the cybersecurity program that covered your in-office work environment to comprehensively secure your remote and hybrid workforces. Whether it's old technology or outdated attitudes, the current threats and vulnerabilities require an updated approach. Here are 5 outdated but common cybersecurity practices your enterprise should avoid.

Seeing Cybersecurity as a Purely IT Issue

I'm a firm believer that cybersecurity is everyone's responsibility. Gone are the days when defending your enterprise and knowing how to properly respond to an incident rested on your IT department's shoulders alone. We now know that every person in your organization can be either your cybersecurity program's weakest link or its strongest first line of defense. To achieve the latter, ensure everyone on your team knows to be wary of suspicious activity that could indicate malicious software, and knows how to report and address a breach immediately when it occurs.

Set up simple, accessible policies and infrastructure across all departments that support your employees in prioritizing cybersecurity and practicing good security hygiene including:

  • Identifying and properly responding to potentially malicious activity like phishing emails that could lead to ransomware infections
  • Not using easily guessed or cracked passwords, and never reusing the same password across multiple accounts
  • Keeping all device software updated

Taking a Reactive Approach

The worst time to decide what to do about an incident is after it occurs. When it comes to cybersecurity, time is truly of the essence. The average cost of an enterprise data breach is $3.92 million. The longer a threat actor is in your system, the more time they have to cause damage, and the more the cost of the incident increases. Planning in advance for how your security team will address a breach ensures you don't lose precious time deciding what to do.

Start with assessing your current program capabilities and identifying your greatest risks. Gaining visibility into your current posture will show you how to move forward:

  • Address vulnerabilities
  • Fortify areas that are most at risk
  • Implement organization-wide incident response policies

One of the best ways to prepare your team is with an Incident Response (IR) Retainer. An IR Retainer provides accelerated, expert-level support in the event of a breach. In the case of cybersecurity, the old adage "hope for the best, but prepare for the worst" absolutely applies.

Not Leveraging Post-Incident Review

If a breach has occurred, your response to the incident shouldn't stop once it's been resolved. Post-incident review is an essential step of the incident response process. Finding out how the threat actor gained access, where your vulnerabilities were, and how you can avoid this type of breach in the future is critical to strengthening your cybersecurity program.

Knowing the right questions to ask in your post-incident review is also key. “Don’t worry about attribution,” Adam Crawford, HG’s VP, Managed Services suggests. “The WHO isn’t nearly as important as the HOW. How did they get in? Where did our defenses fail us? And what are we changing so this never happens again?”

Neglecting to Regularly Test Your Security Program

Threat actors are constantly working to outsmart cybersecurity programs. It's up to you and your team to stay one step ahead of them. The best way to do this is to regularly test your program. Several approaches provide indicators of coverage, control effectiveness, and overall security.

Vulnerability Management

Vulnerability Management Services typically involve a network scanning program on a monthly or quarterly basis, supported by a stakeholder report summarizing the delta of prioritized vulnerabilities between scanning periods.
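The "delta of prioritized vulnerabilities between scanning periods" is the heart of the stakeholder report described above. The following is an added example, not code from the original post or from Herjavec Group, showing how that delta can be computed from two scan exports: findings are keyed by host and scanner check ID, split into new, fixed and persistent, and ordered by severity and CVSS so the report leads with what matters most. The host names, check IDs and findings are constructed sample data, and the `Finding` fields are an assumption about what a scanner export carries.

```python
"""Compute the delta of prioritized vulnerabilities between two scan periods.

Added example (not the original post's code). Sample data is constructed.
"""
from dataclasses import dataclass

# Higher rank sorts first in the report.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # the scanner's identifier for the check (assumed field)
    severity: str    # one of SEVERITY_RANK's keys
    cvss: float
    title: str

    @property
    def key(self):
        # A finding is "the same" across periods when the same check
        # fires on the same host.
        return (self.host, self.plugin_id)


def _priority(f):
    # Sort by severity rank, then CVSS, both descending; host name breaks ties.
    return (-SEVERITY_RANK[f.severity], -f.cvss, f.host)


def scan_delta(previous, current):
    """Split findings into new / fixed / persistent, each sorted by priority."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    fixed = [prev[k] for k in prev.keys() - curr.keys()]
    persistent = [curr[k] for k in curr.keys() & prev.keys()]
    return {
        "new": sorted(new, key=_priority),
        "fixed": sorted(fixed, key=_priority),
        "persistent": sorted(persistent, key=_priority),
    }


def severity_counts(findings):
    """Count findings per severity level (zero-filled for a stable report)."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


def render_report(delta):
    """Plain-text stakeholder summary, highest-priority items first."""
    lines = []
    for section in ("new", "fixed", "persistent"):
        counts = severity_counts(delta[section])
        summary = ", ".join(f"{k}={v}" for k, v in counts.items())
        lines.append(f"== {section.upper()} ({summary}) ==")
        for f in delta[section]:
            lines.append(f"  [{f.severity:8}] {f.cvss:4.1f}  {f.host:6}  {f.title}")
    return "\n".join(lines)


# Constructed sample scans for two consecutive quarters.
Q1_SCAN = [
    Finding("web01", "CHK-1001", "critical", 9.8, "Outdated TLS library"),
    Finding("web01", "CHK-1002", "medium", 5.3, "Legacy TLS 1.0 enabled"),
    Finding("db01", "CHK-1003", "high", 7.5, "Default administrative credentials"),
]
Q2_SCAN = [
    Finding("web01", "CHK-1002", "medium", 5.3, "Legacy TLS 1.0 enabled"),
    Finding("db01", "CHK-1003", "high", 7.5, "Default administrative credentials"),
    Finding("vpn01", "CHK-1004", "critical", 9.1, "Unpatched remote-access gateway"),
    Finding("web02", "CHK-1005", "low", 3.1, "Service banner disclosure"),
]

DELTA = scan_delta(Q1_SCAN, Q2_SCAN)

if __name__ == "__main__":
    print(render_report(DELTA))
```

Keying on host plus check ID rather than on the finding title keeps a retitled check from showing up as "fixed" and "new" at the same time; if your scanner re-numbers checks between releases, track that mapping as part of the reporting pipeline.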

Red Team Operations

Red Team Operations are typically objective-oriented, with the goal of gaining access to a specific folder or set of data, pre-determined by the client organization. In order for any red team exercise to be successful, it is critical that only the key stakeholders at the client organization are aware of it. The rest of the IT and security teams must believe that the red team operation is a real adversary so that they can respond and defend their networks accordingly.

Penetration Testing

A network penetration test combines security expertise with best-of-breed technology to find weaknesses in your defensive capabilities before an adversary can take advantage of them. Security consultants identify exploitable flaws in the security architecture, detective controls, and preventative controls, and use those findings to help build strategies that effectively secure and protect the environment from malicious actors.

Prioritizing Security Tools Over User Experience

You can have the most sophisticated cybersecurity tools on the market, but without buy-in from all end-users, your cybersecurity program is useless! Developing a cybersecurity strategy that balances risk mitigation and user experience is key. This should include:

  • Accessible cybersecurity training and education for employees at all levels of your organization
  • Tools that mitigate risk while not being a barrier for the end-user
  • Support for employees to practice good cyber hygiene including time to update software on a regular basis

Whether you're starting your cybersecurity strategy from scratch or assessing your current program, make sure to avoid these outdated approaches. No two enterprises are exactly alike, so take the time to evaluate your current security posture and particular common industry threats and vulnerabilities, and develop a program specific to both your organization's unique security needs and the current threat landscape. The time for change is now - don't wait for a breach to tell you your enterprise cybersecurity program is outdated.

To Your Success,

I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. I’m the Founder & CEO of Herjavec Group, one of the world’s most innovative cybersecurity operations leaders. We pride ourselves on keeping enterprises around the world secure from the threat of cybercrime.

This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you. Every month I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices. Make sure to subscribe below and feel free to reach out here with the topics and questions you’d like to see covered!

Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.
