Register now for your free virtual pass to the Low-Code/No-Code Summit this November 9. Hear from executives from Service Now, Credit Karma, Stitch Fix, Appian, and more. Learn more.
You’d be hard-pressed to find a single organization today that isn’t aware of the vital importance of cybersecurity. However, despite their best intentions, many companies out there are still making serious security mistakes — and the consequences can be nothing less than a nightmare
With Halloween just around the corner, let’s take a look at the horrors that plague the world of cybersecurity. Here are five of the top cybersecurity mistakes companies make — and how they can haunt organizations in the long term.
Lack of employee training on security best practices
Cybersecurity training for employees may seem like a no-brainer — something that many companies do at a base level. However, with social engineering and highly sophisticated phishing attacks like whaling and spear phishing on the rise, it’s clear that, more than ever, hackers are attempting to exploit the human aspect of cybersecurity to gain access to companies’ systems. Just look at the recent breach at Uber, in which a hacker used an exhaustion attack to wear down and fool an employee into sharing their login info.
That said, many companies make the mistake of treating cybersecurity training as something they just need to check the box on when, in reality, it needs to be a top priority — as well as a continuous activity. It’s absolutely essential that companies invest in up-to-date cybersecurity training for their employees: Enrolling them immediately upon employment and consistently offering refresher courses with the latest best practices.
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.
Failing to maintain proper IT hygiene
This leads us perfectly to the second mistake companies make: Not ensuring proper IT hygiene throughout their organization. It’s one thing to conduct training for employees, but quite another to make sure that those lessons learned become common practice for everyone. After all, even the best cybersecurity technology and processes can’t prevent the potential damage caused by an employee who uses a weak password or doesn’t update their software regularly.
To prevent these and other human errors, including abusing privileged accounts and not knowing which applications are running or what their configuration is, companies should be checking in to evaluate employees’ IT hygiene throughout their tenures. This helps ensure that they are still implementing cybersecurity best practices in their daily work.
In addition, companies must establish proper security routines and controls, including asset discovery, file integrity management, configuration assessment, regular vulnerability detection and endpoint protection enforcement.
Not consistently evaluating your company’s security posture
Oftentimes, companies establish their cybersecurity controls — then they “set it and forget it.” This is never the right approach. Instead, every organization should be conducting frequent security risk assessments to evaluate where their defenses are strong and where there may be vulnerabilities, whether on the human or technological side.
Only when organizations have a clear picture of their cybersecurity preparedness can they confidently take the right steps to reinforce what they’re already doing right and shore up any weaknesses that need to be addressed.
Again, it’s important to emphasize that this must become a continuous practice. As the security landscape shifts under companies’ feet, it’s equally important that they adapt, remain agile and regularly evaluate their security posture. They must also practice important risk reduction activities, including readiness tests and mock event exercises.
Not knowing where your data assets are used, shared or stored
Data today is more liquid than ever. Between having numerous integrations, partnerships with third-party vendors, and multiple endpoints or devices, it can become extremely complicated extremely quickly for companies to track and manage their data.
Unfortunately, the reality is that many companies simply don’t know where their data lives — even as their attack surface is increasing.
What’s more, as employees continue to work remotely or in hybrid settings, companies face another layer of complexity to keeping data secure. As much as IT and security professionals can set employees up for success, they can’t control if an employee accesses company systems on a personal laptop, or how secure their at-home network may be.
While there’s no one perfect solution to such a complicated problem, it’s absolutely necessary that companies start by regularly monitoring all of their endpoints. This includes laptops, personal computers, physical servers, virtual machines, cloud instances and even cloud-native infrastructure. Together with up-to-date data mapping, this creates a strong first line of defense in the fight for data security, significantly reducing the vulnerabilities that can lead to cyber-attacks.
Treating security as just an IT issue
Cybersecurity is far more than just installing anti-virus software on company computers, and it extends far beyond the realm of the IT department. However, many organizations fail to establish a holistic approach to security.
Creating a true, pervasive culture of cybersecurity requires not only the right technology, but the right policies and processes to back it up. And everyone at the company — from top to bottom — must be responsible and accountable for protecting the company’s data.
That means it’s up to company leaders to set the tone, communicating the vital importance of threat awareness, putting in place effective cybersecurity strategies and providing the right tools and education to keep the company secure. This means not just talking the talk, but walking the walk.
Ultimately, making any of these cybersecurity mistakes can come back to haunt a business, impacting everything from their customers’ personal data to their operations, reputation and bottom line. This is why it’s so important to implement a comprehensive cybersecurity strategy — and then consistently evaluate and improve upon it — to ensure your organization is always one step ahead of would-be attackers.
Santiago Bassett is founder and CEO of Wazuh.