When it comes to enterprise security, bad habits, shortcuts, and oversights can do major, irreparable damage to a company. According to security experts like Dave Venable, VP of cyber security, CISSP, at Masergy, one slight misstep is all it takes to become the next major data breach in the news.
"Not installing patches. Not following that security process for every single interaction. Clicking that one link without double checking because it's the last day of the quarter and you're trying to close out everything by the end of the day, could be enough to compromise an entire enterprise," said Venable. "These adversaries will wait until the time is right, and they'll try over and over until they're in. Being complacent about that one seemingly inconsequential thing can be enough."
Complacency isn't the only killer, so we asked IT and security leaders to help round out the list of the worst enterprise security practices that companies must fix in 2018. Bonus: Many also shared their tips for replacing these bad habits with good ones that stick. Read on for their advice.
1. Delayed patching
Stephen Gates, chief research intelligence analyst for Zenedge: “The ‘why would anyone attack us’ mentality is something that must definitely be fixed. Organizations and those responsible must wake up to the fact that they’re under attack every minute of every day, and hackers will find them and the vulnerabilities they have. Today’s hackers are using more and more malicious bots to do their dirty work, and these bots will eventually find what they are instructed to uncover.
In the case where there are patches available to fix serious vulnerabilities, organizations are often guilty of not deploying those patches immediately due to a host of different reasons. Many organizations force security teams to wait for maintenance windows to deploy patches due to fear of unexpected outcomes the patches may cause. Oftentimes computer and network systems go for days, weeks, and even months before patches are deployed, and those systems remain completely vulnerable to hackers during the period from discovered vulnerability to patching.
Timely processes and procedures must be implemented to address and patch known vulnerabilities sooner rather than later. Every minute an unpatched system is connected to the Internet is another minute for hackers to take advantage of that fact. The days of ‘don’t worry, hackers will never discover that we’re still unpatched’ are over.”
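One way to make the "discovered vulnerability to patching" window Gates describes into a number a security team can track is to compute exposure days per asset and flag those past a patch SLA. The block below is an added example, not code from the article or from Zenedge; the inventory, vulnerability ids and the 7-day (Internet-facing) / 30-day (internal) SLAs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    internet_facing: bool
    vuln_id: str              # placeholder tracking id, not a real CVE
    disclosed: date           # day the vulnerability and its fix became known
    patched: Optional[date]   # None while the system is still unpatched

def exposure_days(asset: Asset, today: date) -> int:
    """Days the asset was (or still is) exposed: disclosure until patch, or until today."""
    end = asset.patched if asset.patched is not None else today
    return (end - asset.disclosed).days

def overdue(assets: List[Asset], today: date,
            sla_internet: int = 7, sla_internal: int = 30) -> List[Tuple[str, str, int, int]]:
    """Unpatched assets whose exposure exceeds the SLA for their exposure class,
    worst offenders first. Returns (name, vuln_id, days_exposed, days_over_sla)."""
    rows = []
    for a in assets:
        if a.patched is not None:
            continue
        sla = sla_internet if a.internet_facing else sla_internal
        days = exposure_days(a, today)
        if days > sla:
            rows.append((a.name, a.vuln_id, days, days - sla))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows

def mean_time_to_patch(assets: List[Asset], today: date) -> Optional[float]:
    """Average disclosure-to-patch time over assets that have already been patched."""
    closed = [exposure_days(a, today) for a in assets if a.patched is not None]
    return sum(closed) / len(closed) if closed else None

INVENTORY = [  # constructed sample inventory: placeholder hosts and ids, not real data
    Asset("web-01", True, "VULN-0001", date(2018, 1, 2), None),
    Asset("web-02", True, "VULN-0001", date(2018, 1, 2), date(2018, 1, 5)),
    Asset("db-01", False, "VULN-0002", date(2017, 12, 1), None),
    Asset("file-01", False, "VULN-0003", date(2018, 1, 10), None),
]
TODAY = date(2018, 1, 20)

if __name__ == "__main__":
    for name, vuln, days, over in overdue(INVENTORY, TODAY):
        print(f"{name}: {vuln} unpatched for {days} days ({over} days past SLA)")
    print("mean time to patch (closed items):", mean_time_to_patch(INVENTORY, TODAY))
```

Feeding a real asset inventory into the same functions gives the evidence-based view of patch latency that the later items on this list ask for, rather than an assumption that systems "will get patched at the next window".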
2. Treating security like a black box
Brian Contos, CISO, Verodin: “It’s 2018; it’s time to stop managing security based on assumptions and start measuring security effectiveness like we measure other strategic business units like sales and operations. Most security leaders can’t measure security effectiveness; they can’t communicate the value to the executive team and board; and they can’t demonstrate if their security effectiveness is getting better when they invest in new technology and people. There is no room in 2018 and beyond for treating security like a black box that can be measured, managed, and improved. Organizations need to demand evidence-based information that illustrates empirically what’s working and what’s not so that decisions predicated on factual data can be made more rapidly.
Buying the latest security buzzword is a trap many organizations fall into. Not only are they wasting time and money, but they are likely not even reducing risk. We’ve been talking about the need to have people, process, and technology working together to mitigate risk for decades. Unfortunately, this has greatly devolved to a myopic focus on technology. Yes, technology is a part of the equation, but being able to hire the right people, practice to improve security effectiveness and streamline processes is where the focus should be. Bad habits that throw tech at problems and assume it will work out instead of measuring effectiveness across people, process, and technology so that all three can be improved will not be sufficient in the modern threat landscape. It’s time to treat security like other strategic business units.”
3. Thinking basic solutions will be enough
Andrew Speakmaster, CTO and founder, SiO4: “There is still a misconception that security is like insurance. Why should I buy more when I have the basics? Well, today, threat actors and their methods are more complex, requiring a more aggressive IT security strategy that includes more and layered solutions. CISO/CSOs are struggling with limited resources and budgets to develop a comprehensive and strategic IT security program. Most plans are tactical and reactive instead of strategic and proactive. The human factor is perennially overlooked. And cohesiveness between the CISO/CSO/CIO and HR rarely happens. Policy, procedures, and enforcement are lacking in almost every organization.
Without proper resources and budget, a strain is constantly placed on IT departments to do more with less. There comes a point where the rubber band snaps and things slip between the cracks. Best practices become shortcuts and when that happens it leads to gaps, especially in security. Not being able to keep up puts the team behind the eight ball instead of ahead of the curve. This is the most common and potentially dangerous mistake organizations make.
Security needs to come from the top. The CSO/CISO/CIO must work to understand why there was an oversight and put in place the proper procedures to ensure it won't happen again. Internal audits and verification of certain operations would greatly cut down on security gaps and mitigate risk to and within the organization.”
4. Lack of security automation
Matt Smith, chief architect, Red Hat: “One bad habit to ditch in 2018 is delaying application of security patches because the risk of maintenance seems higher than the risk of leaving the issue unpatched. While many organizations plan for ‘fault tolerance,’ very few plan for ‘maintenance tolerance.’ This can lead to infrequent and stressful maintenance cycles and inconvenient interruptions in business services. In 2018, IT organizations need to look to reduce the risks associated with maintenance.
Start by documenting and automating the interactions between IT assets during maintenance activities. By relying on automation, not only will you eliminate tasks that historically required much manual effort and surgical skill, you will also be reducing the risks of human error and demonstrating what’s possible when your IT organization embraces change and new methods of work. Ultimately, this will reduce resistance to promptly applying security patches. And it could also help keep your business out of the headlines during the next major security event, which is reason enough to kick this bad habit.”
5. Lack of fire drills
Lamar Bailey, director of security research and development, Tripwire: “Many organizations spend a lot of time drafting a security response plan, but then put it on the shelf and maybe review it once a year. When an emergency strikes, the teams run around in circles trying to find the plan and execute it. It gets even harder if key staff or technology has changed since the last review. Your security response is your battle plan, and you should be ready to put it in motion at any time. Military organizations train constantly so that they can deploy and act at a moment’s notice. Your security team needs to adopt a similar mindset.
At a bare minimum, you should be reviewing your plan quarterly and running drills so that everyone knows what to do when a situation arises. Bring the core team into a conference room, apply the correct amount of coffee and doughnuts, then describe a security emergency and have the team whiteboard the response to that specific emergency. The more you do this with varying scenarios the better your teams will respond when a real emergency takes place. Quarterly is the minimum cadence for this, but if you can spare an hour a month to run these drills, they will pay off. They can even be fun.”
6. Failure to protect users from themselves
Dave Venable, VP of cyber security, CISSP, Masergy: “According to the 2017 Verizon Data Breach Investigations Report, two-thirds of the malware used in data breaches was installed via email attachments. Security awareness training is great, and it's probably effective at reducing this risk to some degree, but sophisticated attackers are so good at this that they've tricked even the most experienced security experts. It's just not enough.
Allowing non-technical users to install and execute untrusted code is like adding a complicated self-destruct process with no warnings to a car. In either case, you can't rely on user or driver training to prevent people from accidentally self-destructing. And that's dangerous for everyone. No matter how careful sophisticated drivers may be, inexperienced drivers in front of them could accidentally blow up their cars at any time, resulting in unavoidable major accidents. We would obviously never allow this situation to exist, but it's not that different from giving a non-technical user a laptop and a network connection without any protection. This current approach is costing companies billions of dollars every year.”