Read through your Twitter feed or turn on the news on any given day and one thing is evident: cyber attacks are happening in every industry and to organizations of every size. It is obvious that these attacks are increasing in number and sophistication, and we’re confident in stating that this trend will continue.
Developing a cybersecurity strategy can give your organization the foundation and mandate to develop good policies and procedures for improving resilience. In developing that strategy, these are the five most common mistakes that you absolutely cannot afford to make:
1. Focusing too much on perimeter defense. For the earliest stages of a breach, the question is no longer “if”, but “when”. Sophisticated attackers will compromise your first lines of defense: employee workstations, email accounts, and Internet-facing services. While it is important to place defenses along the perimeter, you cannot neglect what happens once an attacker gains access to your network. Can you prevent the attacker from moving around to more sensitive parts of your network, causing significant damage? Modern networks require more than one layer of defense to adequately protect your data and computing resources.
2. Focusing too much on prevention instead of detection and response. An initial attack takes minutes. Discovery and response take weeks or months. A recent study came out highlighting that it takes an average of 256 days for an attack to be identified. This is entirely too long. A cyber attack is not always obvious; therefore, your organization must make a strong effort to detect and respond.
3. Focusing only on being compliant. Compliance does not ensure protection from all threats – it is just a minimum requirements baseline. Mandatory regulations are designed to protect customer and financial data. As technology advances and your organization continues to grow, a compliance mindset puts your organization at risk. To protect your customer data, sensitive corporate data, operations and reputation, you must go beyond compliance and take an offense-oriented approach.
4. Failing to understand the difference between penetration testing and vulnerability scanning. These offense-oriented cybersecurity services are often not clearly defined by those who offer or procure them – which creates confusion. I often speak with clients who have purchased an automated test from a vendor that called it a ‘penetration test.’ What they are actually getting is a vulnerability scan, not a penetration test. These two services, however, are very different in the complexity and depth of vulnerabilities that they test, in the talent required to execute them and in the report that will ultimately be delivered. When penetration testing is manually performed by humans emulating the persistent, aggressive actions of true attackers, the results far exceed what most of today’s automated vulnerability scans provide.
5. Not treating cybersecurity as a business risk. Many organizations look at cybersecurity as an IT issue. Cybersecurity is much more than an IT issue. The more connected we become, the more dangerous cyber criminals are to your organization. Using sophisticated techniques, attackers can steal not only your customer or employee information, but also your intellectual property, trade secrets, and more. Beyond that, attackers can cross over into the physical world by gaining control of physical assets such as door locks, HVAC systems, phone systems, scanners, and more.
Make no mistake—cybersecurity is one of the biggest risks to your business today and one that needs to be taken extremely seriously from the top down.
» Mike Skinner is the partner in charge for HORNE Cyber. His primary focus is to enable clients to fully leverage technology innovations by providing the insights critical to safeguarding their business, customers’ critical data and brand reputation. He is responsible for information technology audit, regulatory compliance, information security consulting, internal control consulting and business solution implementation.