I’m in the cybersecurity business and I get overwhelmed with my daily feed of advertisements, all boasting to have the “must-have” security tool. I can only imagine how difficult it is for IT directors or business owners to navigate through this marketing war. Truth be known, you probably have most of what you need already. We get fixated on thinking we can address our security concerns with a bolt-on solution instead of focusing our attention on our critical security assets: people and processes. You need all three (tools, people and processes), but history shows that underinvesting in people and processes is by far the biggest risk and the most common cause of system compromise.
Most data breaches are caused by something someone did or something someone should have done. We can look at some of the high-profile breaches to learn from them and figure out how we can do better. Here are some of the most common methods hackers use to compromise systems and gain access to sensitive data:
- Weak or Stolen Credentials (poor usernames and passwords)
- Application Vulnerability (unpatched systems)
- Malware (ransomware or any other malicious software typically distributed via email)
- Social Engineering (methods like phishing or vishing that exploit human psychology)
- Too Many Permissions (system complexity or lack of security controls can give hackers easy access)
- Insider Threats (malicious insiders, contractors, third-party service providers, disgruntled employees, etc.)
- Improper Configurations (user error)
There is no such thing as a “silver bullet” when it comes to cybersecurity, but if you are looking for a great place to start, you should look at your people and processes. Make sure you have the right people in the right positions and ensure they receive the proper training. Work with them to build effective processes and procedures and you are well on your way to developing a solid cybersecurity program. This will also help you identify which tools are necessary to supplement your team (not the other way around). Don’t waste money on tools until you understand what you already have, starting with your people.
I hope this was helpful and as always, feel free to reach out to us to find out more about how to build an effective cybersecurity program or if you just want to learn more about what people are doing to protect their company’s digital assets and customer data.