Sam Makad is a business consultant. He helps small & medium enterprises to grow their businesses and overall ROI.
In this article, we have mentioned some of the biggest cyber threats neglected by organizations in building or fortifying their security.
Think you know cybersecurity well enough? You might be surprised to learn that there are a few crucial things you are missing. A survey a few years ago revealed that Americans have a tendency to be overconfident in their cybersecurity knowledge. Respondents think they already know enough or that their knowledge is already comparable to that of experts.
Fast-forward to now, and the perception polls appear to still show a similar situation. Research firm KPMG LLP's 2021 Cybersecurity Poll, for example, shows that 59 percent of organizations are "somewhat confident" in their cybersecurity while some 39 percent say they are "very confident."
When it comes to cybersecurity, too much confidence is certainly a disadvantage. It results in organizations ignoring important factors that could be major vulnerabilities. It prevents a more meticulous review of security controls with some even ditching security validation altogether. The following are some of the biggest factors neglected by organizations in building or fortifying their security.
A study by SANS Institute reveals that 63 percent of organizations believe that robust security testing helps prevent cyberattacks, but only 39 percent have undertaken such testing. Security validation is a crucial component of an organization’s security posture. Even with all the top-of-the-line security solutions in place, there is no guarantee that they will deliver the kind of protection they promise if they are not tested. It is unfortunate that many still skip the testing part as they secure their organizations from various cyber threats.
No cybersecurity system can ever be perfect, but security testing helps significantly reduce weaknesses or vulnerabilities brought about by various reasons, including misconfigurations and failure to do software updates. It is important to implement security validation strategies such as automated breach and attack simulation to examine the efficacy of installed security controls.
Automated and AI-driven defenses have the tendency to make organizations too confident in their protection. The idea of having automatic security controls enhanced by artificial intelligence makes organizations presume that the controls only have to be installed and set up, and nothing else needs to be done. It is true that cybersecurity has improved considerably over the years, but this is not reason enough to forego security validation.
One of the greatest improvements in cybersecurity is the collaboration among security experts and organizations, which resulted in the establishment of the MITRE ATT&CK framework and other similar collaborative efforts to tackle the problem of cyber threats. These are used in security validation, and it would be a big waste not to take advantage of them.
In the modern work setup, BYOD (Bring Your Own Device) and work-from-home arrangements have become commonplace. This has resulted in the institution of systems to secure devices that are accessing an organization’s network. However, it is a bit baffling why many organizations do not pay attention to the security risks that come with mobile devices that are allowed to access a company’s network.
Many organizations allow employees to use the company Wi-Fi as if it were an extension of their home connection. Rarely are there security measures put in place. Organizations that conduct cybersecurity briefings may not even cover the risks associated with the use of mobile devices in the company network.
The University of Alabama at Birmingham published an insightful article about the corporate security risks posed by mobile devices. Here are the highlights:
- Mobile devices can be sources of malware that can affect the devices and cloud assets of an organization.
- Mobile devices can be used as a physical access attack vector. They can also be exploited by bad actors with the installation of dubious apps and unsafe file downloads. Unprotected corporate communications (chat and email) and unencrypted company files in mobile devices also add to the risks.
- Insider attackers can do a lot of damage to an organization when mobile devices are not regulated.
- To address this problem, it is important to provide adequate cybersecurity training to everyone in an organization and undertake mobile device security audits. It is also advisable to have secured containers for mobile devices and to enable security features within mobile devices.
Old, rarely used, and lost/stolen hardware
Another major cyber threat many organizations tend to ignore involves their handling of devices that are old/obsolete, rarely used, and those that cannot be physically located. Many companies continue to have devices connected to their networks, even if these are rarely or no longer used. Also, many do not evaluate the devices that are connected to their networks. This is particularly true with the prevalence of numerous mobile and IoT devices, which make it very challenging to keep track of and secure everything.
Old or obsolete devices are a risk because they are usually no longer being updated. They do not get security patches for the latest threats or vulnerabilities that have been newly discovered. Rarely used devices similarly present the risk of lacking adequate security because they are not being monitored. They may already be compromised and are being used to spread malware or take advantage of forgotten network access privileges. The risk is similar or even worse when it comes to lost or stolen devices. They can be used to spread ransomware, spyware, viruses, and other malicious software that result in the loss or theft of data.
Not many organizations worry when someone’s BYOD, CYOD (Choose Your Own Device), or COPE (Company-Owned, Personally Enabled) device goes missing or is stolen. The cybersecurity implications tend to be last on the list of worries of employees or supervisors when they hear of lost or stolen devices.
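An added example, not part of the original article: a small audit that checks a device inventory for the three groups described above (no longer patched, rarely used, lost or stolen) among devices that still hold network access. The field names, the 90-day threshold and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # assumed threshold for "rarely used"

@dataclass
class Device:
    name: str
    last_seen: date          # last time it authenticated to the network
    support_ends: date       # vendor end-of-support date for its OS/firmware
    reported_missing: bool   # lost or stolen according to the owner
    access_enabled: bool     # still holds Wi-Fi/VPN credentials or certificates

def audit(devices, today):
    """Return {device name: [reasons]} for devices that still have network
    access but fall into one of the three risk groups."""
    findings = {}
    for d in devices:
        if not d.access_enabled:
            continue  # access already revoked, so no forgotten privileges remain
        reasons = []
        if d.reported_missing:
            reasons.append("lost/stolen but access not revoked")
        if d.support_ends < today:
            reasons.append("no longer receives security patches")
        if today - d.last_seen > STALE_AFTER:
            reasons.append("not seen for %d days" % (today - d.last_seen).days)
        if reasons:
            findings[d.name] = reasons
    return findings

# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("laptop-014", date(2024, 5, 30), date(2026, 10, 1), False, True),
    Device("tablet-003", date(2023, 11, 2), date(2025, 1, 1), False, True),
    Device("ipcam-lobby", date(2024, 5, 31), date(2021, 3, 1), False, True),
    Device("phone-byod-7", date(2024, 4, 20), date(2025, 9, 1), True, True),
    Device("phone-byod-2", date(2024, 1, 5), date(2025, 9, 1), True, False),
]

if __name__ == "__main__":
    for name, reasons in audit(INVENTORY, TODAY).items():
        print(name + ": " + "; ".join(reasons))
```

Each flagged device is a candidate for having its credentials revoked or for being updated or retired; the second missing phone is not flagged because its access was already disabled.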
An unsecured Wi-Fi network is essentially one that does not require a strong password to enable access. It is one that does not implement encryption for the data exchanged between devices and the access points. Having an unsecured Wi-Fi network is one sure way to enable a data breach. It is like an open invitation for hackers to try whatever strategy they can to gain access to a company’s IT resources and supposedly confidential files.
Hackers actively seek out vulnerable Wi-Fi connections through a process called wardriving or access point mapping. They run vehicles equipped with antennae and wireless Ethernet cards configured in "promiscuous mode" to identify access points that can possibly be attacked.
It would be unwise to presume that an organization is unlikely to be attacked because it is small and does not have a lot for cybercriminals to steal or destroy. Cyberattackers are rarely discriminating with their targets. They attack whenever they find an opportunity, and open Wi-Fi networks are massive opportunities for them to take advantage of.
Data security can certainly be threatened by unexpected potential attack points. It is important for organizations to take away the security uncertainties by doing security validation. It is also crucial to be more mindful of the mobile devices used in the workplace. Similarly, organizations should be more careful with the rarely used, old, and missing devices that continue to be connected to or given permission to access the corporate network. Unsecured Wi-Fi is also a major concern, which usually does not get the security attention it should be getting.
Achieving a solid security posture is not possible without addressing the risks described above. They may sound trivial, but they can easily create serious consequences for organizations regardless of size, type, or popularity.