Your cybersecurity plan may be doing more harm than good
Companies are spending more to prevent cyberattacks, but not getting results. Why, and what can you do better?
(page 2 of 2)
Fixing cybersecurity mistakes
Despite these sometimes misplaced efforts, Gerg says there are still fundamentals all organizations should pursue to improve the maturity of their information security program first. “It does not make sense to implement a solution that is specialized or bleeding edge if you aren’t taking care of the basics,” he notes. “Houses have a foundation, so does an information security program.”
Gerg says because of Gillware’s incident response works, he’s seen countless real-world examples of what went wrong, and how the incident started, progressed, and was discovered. Some of these compromised organizations had existing information security programs, and others had very low maturity in their information security practices, but in nearly every case the story was similar.
“Consistently, compromises occur because of an unpatched system or service, or someone doing something they shouldn’t, or a combination of the two,” says Gerg. “The old saying about the weakest link in a chain has never been more applicable. It only takes a single system or service to not be up to date, or a single person clicking on a link in an unsolicited email. Things get worse in almost every case when networks are not segregated, and traffic progresses to systems that are not necessary. It also gets worse when attackers use internal user accounts to log into more services and accounts.
“It takes longer to notice that something happened when monitoring and alerting configurations are not effective,” Gerg continues. “Recovery is more difficult when backups are not effective. These consistencies we see day in and day out set pretty clear objectives: prevent compromises from happening, keep them from spreading, and notice it if they happen as quickly as possible.”
The absolute basics, according to Gerg:
- Patching and updating ALL systems and services as soon as possible (this involves having a complete inventory of all workstations, servers, and other devices on your network).
- Two-factor authentication (for AT LEAST administrative-level users, if not everyone in the organization).
- Strong, modern anti-malware software that will notice signs of attempted attack installed on ALL systems. (Something more than just an antivirus — good anti-spam filtering, and a solution like Carbon Black, FireEye, and CrowdStrike).
Only once the absolute basics are addressed should companies consider spending money on more elaborate solutions. Know what you have, keep it updated, know that your users are actually your users, and stop known methods of attack, advises Gerg.
“The worry with building a list like the one above is that it may lead us down the path that creates the ‘whack-a-mole’ problem in the first place,” cautions Gerg. “We need to look at the big picture to accomplish our tasks of reducing complexity and cost. Is there a single solution or strategy that might accomplish not only the fundamental things in the list, but also make the IT department’s job easier and the business flourish while reducing the chances of a business interruption?”
Gerg offers the following advice, regardless of business size and complexity:
- Look for tools and services that accomplish more than one thing. Replace several of your point solutions with a mechanism that addresses multiple needs and makes IT’s job easier, or makes the business more successful.
- Select tools and services that are automated (or manual work is outsourced to a qualified provider). This will address your needs while not adding to workload.
- Do not let information security and risk management be a speed bump or bottleneck. Your information security team should have a strong, collaborative relationship with your IT team and should also be at the table with senior leadership of the organization.
- If you don’t have a qualified information security expert on staff, find a trusted third-party advisor to help you evaluate your organization and develop an appropriate strategy.
Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.