Failing the Cybersecurity Test? 5 Things You Could Be Doing Wrong

BrandPost By Mike Skinner, Partner in Charge
Jun 29, 2017
Security

Cyber attacks are on the rise, and will continue on that trajectory. You need to avoid these five common mistakes or risk everything.

Cyber attacks are happening in every industry and organization size. Just read through your Twitter feed or turn on the news on any given day and you’ll see what I mean. It’s obvious that these attacks are increasing in number and sophistication, and I think we can all agree that this trend will continue.

So it’s time for a plan. Developing a cybersecurity strategy can give your organization the foundation and mandate to implement good policies and procedures for improving resilience. In crafting that strategy, these are the five most common mistakes that you absolutely cannot afford to make: 

  1. Putting too much faith in perimeter defense. For the earliest stages of a breach, the question is no longer “if”, but “when”. Sophisticated attackers will compromise your first lines of defense: employee workstations, email accounts, and Internet-facing services. While it is important to place defenses along the perimeter, you cannot neglect attention on what happens once an attacker gains access to your network. Can you prevent the attacker from moving around to more sensitive parts of your network, causing significant damage? Modern networks require more than one layer of defense to adequately protect your data and computing resources.
  2. Focusing too much on prevention instead of detection and response. An initial attack takes minutes. Discovery and response take weeks or months. A recent study highlighted that it takes an average of 256 days for an attack to be identified. This is entirely too long. A cyber attack is not always obvious; your organization therefore needs a strong, deliberate effort to detect and respond.
  3. Relying solely on compliance. Compliance does not ensure protection from all threats – it is just a minimum requirements baseline. Mandatory regulations are designed to protect customer and financial data. As technology advances and your organization continues to grow, a compliance mindset puts your organization at risk. To protect your customer data, sensitive corporate data, operations and reputation, you must go beyond compliance and take an offense-oriented approach.
  4. Failing to understand the difference between penetration testing and vulnerability scanning. These offense-oriented cybersecurity services are often not clearly defined by those who offer or procure them – which creates confusion. I often speak with clients who have purchased an automated test called a ‘penetration test.’ What they are actually getting is a vulnerability scan. These two services, however, are very different in the complexity and depth of vulnerabilities that they test, in the talent required to execute them and in the report that will ultimately be delivered. When penetration testing is manually performed by humans emulating the persistent, aggressive actions of true attackers, the results far exceed what most of today’s automated vulnerability scans provide.
  5. Not treating cybersecurity as a business risk. Many organizations look at cybersecurity as an IT issue. Cybersecurity is much more than an IT issue. The more connected we become, the more dangerous cyber criminals are to our organizations. Using sophisticated techniques, attackers can steal not only your customer or employee information, but also your intellectual property, trade secrets, and more. Beyond that, attackers can cross over into the physical world by gaining control of physical assets such as door locks, HVAC systems, phone systems, scanners, and more.

Make no mistake—cybersecurity is one of the biggest risks to your business today and one that needs to be taken extremely seriously from the top down.