Don't Fall Victim to this Cybersecurity Myth
Oct 28, 2019
The nature of cyber and network security is that you can never relax. The moment you think you’ve covered all potential vulnerabilities, a multitude of new threats emerge.
Cybersecurity is broad, fast-moving and always growing. Because it’s so vast and the stakes so high, those concerned with maintaining security have a tendency to fall into a key myth of cybersecurity: “We are doing fine as long as we pass our annual security audit.”
This way of thinking occurs when cybersecurity is approached with a checkbox mentality. If you approach cybersecurity as a list of items you can check off and then relax, you’re definitely not safe.
Companies such as Equifax, Target, and Home Depot completed necessary audits pertaining to their industry prior to their high-profile data breaches. The security audits are necessary to keep accountability but are part of a larger system. It’s best to approach cybersecurity as a constant process, rather than a destination you can reach.
Going beyond the annual audit
Create a map of your entire network
The first step in leveling up your security measures is to start with your own network. Rather than starting with the requirements of the audit, you should do a comprehensive mapping of everything connected to your network.
An audit will give a detailed checklist of items to answer. Are firewalls up to date? What are your threats? This checklist will be useful. However, it’s not going to give a full picture of your network or the ability to create segmentation in your network.
This map would include:
- Routers, switches, firewalls, WAF
- Printers and connected devices
- Internet of Things (smart TVs, thermostats, cameras, etc.)
- Mobile devices
- Cloud/Saas - your software subscriptions and passwords
Developing a full map of your network is the beginning of enhanced network security. Seeing the full picture of your network allows you to apply segmentation. Since you can’t focus on all things at once, creating segmentation allows you to keep vulnerable parts of the network separate from your most crucial data.
You can also systematically patch and assess areas within the network, moving from one segment to the next. This allows you to cut through the overwhelm of cybersecurity and eat the elephant one bite at a time.
Know where you could be weak
After you’ve mapped the network, the next thing you’ll need to do is prioritize your effort. According to a 2017 Verizon report, 80% of hacks are successful due to a lack of patching.
You’ll need to build a plan to assess and patch vulnerabilities. This is another reason why segmentation in your network is important. If you have legacy systems, you may not be able to patch them. However, you can keep them separate from sensitive information in your network.
As you deploy a vulnerability scanner, you can keep up to date on where the patches are needed and prioritize the segments of your network that are most important.
Build a user awareness program
The only threat more pressing than patching vulnerabilities is your people. According to the same Verizon report, 81% of hacking-related breaches employ reused, stolen, or weak passwords.
Hackers know teams are investing in cybersecurity. Their best chance of getting into the network is to gain the credentials of someone who has permission to access the network. Therefore, no matter how well you’ve protected your network, if an employee’s credentials are stolen, you can be at risk.
Your user-awareness is not going to come through in an annual audit but could put your data at risk. To make sure your entire team is following best practices, there are a few tips you can employ.
Send out a monthly security newsletter: Speak openly about the threats that exist and take the opportunity to teach one component at a time
Educate users on how to protect their personal data: As you educate your team, connect these cybersecurity issues to the real threat that exists in their personal lives. As they are educated on best practices to protect themselves and their families, they will apply better habits at work.
Perform phishing campaigns: Human curiosity leads people to click on links, which lead to problems. Some companies have their own fake phishing campaigns to test and train their employees. The goal is to create a little bit of healthy paranoia so users will hesitate before clicking on any link.
Invest in a password vault: Weak and stolen passwords are a critical component of cybersecurity. Using a password vault allows your team to have strong passwords without the constant frustration of forgetting them.
Annual security audits are useful for company’s to assess their cybersecurity and ensure a baseline level of protection is in place. However, IT departments should not fall into the trap that passing the audit means everything will be safe.
In the fast-moving cybersecurity world, threats are everywhere. The best approach is to build an ongoing process of evaluation and improvement.