Episode 3: The 10 most dangerous mistakes big corporations make about their security
Mistake #1: Trusting systems too much
We are in a completely new era of attacks. All the traditional solutions in the industry can protect you only from specific types of attacks, the known ones. Anything that is not a known bug (a bug is a potential hole for an attack) is called a "zero day" and is not discoverable! There is no system worldwide which can offer you 100% protection, especially from zero days, no matter how many promises security experts make in order to sell it, unless they completely change the existing technology, and this is why (see "How to defuse vulnerabilities at their roots"). Moreover, putting too much trust into systems opens a new level of threat. Why? Psychologically, you are caught off guard when you rely on a system to stop an attack and it fails to do so. You won't be able to stop the attack either, because you expected your system to take care of it.
Mistake #2: Considering only software-level security
Yes, many people believe that attacks happen only at the software level. Indeed, this was mostly the case in the past. However, attacks on large organizations are now much more sophisticated. Why? Because the hackers are aware that you have implemented some security measures, which are mainly systems, so they need to get a bit more creative and advanced. Being a hardware designer gave me insight into another level of attacks that are undiscoverable at the software level: hardware-level attacks. Traditional ones require some skills to be carried out, but recently there are many tools on the darknet that make it much easier for cyber-criminals to attack you at the hardware level. Furthermore, for the sophisticated attacks hackers need to get in closer proximity to your business premises, so you must set up your physical security as well. In fact, if you are a big corporation you need holistic security.
Mistake #3: Forgetting the human factor
"Human factor" is the fancy term for your insiders. You, your employees and any person who interacts actively with your organization (collaborators, external providers and support) are your insiders. I mentioned above that hackers need to get more creative to attack you. That does not mean that, because you are a more difficult target, they want to spend more time, resources and money and bear higher risk to attack you. That is why they prefer to examine and evaluate the behavior of your insiders, find an opening and, without your knowing it, you'll have a trojan horse. This is the number one methodology they use, which makes it your top priority to train your insiders so that they do not trigger attacks. It's called secure behavior training and it is the only way you avoid triggering attacks orchestrated by cyber criminals against you. According to statistics, 8 out of 10 attacks are triggered by insiders, of which 7 happen by mistake and 1 on purpose.
Mistake #4: Believing insurance is your safety net
Insurance is an additional measure companies usually implement once they have everything else in place. However, believing that insurance will cover serious holes in your security is a mistaken belief. Security insurance is relatively new and based on current needs, yet no insurer gives money for free. So, after an attack, an investigator from the insurance company will visit your company to investigate the conditions which caused the breach. If you did not put the appropriate measures in place, they will pay you nothing. If you did, you will get the insurance payment; however, your premium will most probably go up. Thus, insurance can be a great measure if you have covered your security seriously. In any other case you are just wasting money.
Mistake #5: Not having a strategy of action in place
In the past, corporate security could, generally speaking, be covered with just a few very basic systems. Now it is more advanced and complicated, and requires a plan of action in order to set priorities and include all the correct components. These include the right personnel to set it up, maintain and monitor it, personnel training, and protecting your physical facility, among others. None of this can be done in a random manner, or by technical-support personnel who, in most cases, do not have the knowledge or the time to deal with all of it. That is why it's time for a security strategy: a plan of action for your security.
Mistake #6: Being prepared only on paper
An important part of any security strategic plan is to prepare for a disaster, meaning the specific steps you will take in case an attack happens. Every serious security professional knows that it is not possible to stop all attacks. That is why they prepare an organization to discover an attack as soon as possible and recover as fast as possible with the least impact. However, this plan is not something you should have only on paper. You should train consistently so that the plan is fully effective when an attack does take place.
Mistake #7: Having too much data and no measures to protect it effectively
Large corporations usually deal with huge amounts of data. That data comes with a responsibility which most organizations do not take seriously, and this is why 2018 is the year new regulations regarding data are being established. Fines and lawsuits will apply to companies of any size that do not comply with the regulations. And this is just the start. Security and data protection are taking center stage, with more regulations currently under preparation. I can guarantee you that security without data consideration and analysis is not serious: it will just waste your money, time and energy, eventually jeopardizing the survival of your business.
Mistake #8: A boardroom with no clear picture of the business security levels
In the past, security was the responsibility of a person or a team. It was not so crucial for business survival that it needed a place in the boardroom. Nowadays, it is mandatory. The CEO and everyone in the boardroom of a company needs a clear picture of the business security levels and of the plan of action in case security is compromised.
Mistake #9: Having too many dependencies out of control
Unfortunately, the philosophy of the majority of companies is to have many external providers, and to purchase more systems in preparation for or after an attack! This is just catastrophic for your protection levels. Why? We have a rule in security that says: the more interdependencies you have in your security, the higher your threat level. This is for two reasons: a) more products mean you need more educated personnel to set them up, monitor and control them, and b) every product introduces the third-party outsider danger, which you cannot control.
Mistake #10: Not understanding that security is a factor that can completely destroy your business
Organizations fail for many reasons, but today there is a relationship between cyber-attacks and failure which is important to know. The impact of an attack can be short-term or long-term, and can affect a business in terms of time, reputation, lawsuits and regulation. The worst of all is business closure, and unfortunately this is the current trend. Lack of security is the biggest threat to business survival.
And now I would love to hear from you. Of the 10 mistakes we talked about, which one is most important and urgent for you to focus on right now? Let's talk about it in the comments below.