Ask a Security Expert: Are Businesses Developing False Confidence About Cybersecurity?
One of our partners, Martin Odenthal, associate director at IT solutions provider Working Technology, shared his concern about a problem that is drawing growing attention throughout the cybersecurity community.
Sure, most businesses’ security knowledge, technology, and practices have all improved in recent years, with nearly all organizations increasing their cybersecurity budgets and conducting some form of employee cybersecurity training.
However, even with the uptick in security education and training, Webroot research still shows 79 percent of small- to medium-size businesses admit they’re not completely ready to manage their cybersecurity and protect themselves against threats.
Why is this the case? Two factors are in play. The first is the lack of in-house cybersecurity expertise at many companies, which leaves them without sufficient knowledge of how to implement adequate business cybersecurity protection. The second compounds the first: the threat landscape and the tactics used in cyberattacks are constantly evolving and growing more complex.
Simply put, as technological innovation progresses, it expands the attack surface available to attackers. Well-funded cybercriminals are proving very adept at finding and exploiting new weaknesses as connectivity rises around the globe. Their pool of targets is widening, and they are all too happy to take advantage. For example, at Webroot we’ve seen everything from compromised cameras to remote desktop protocol (RDP) brute-force attacks used to initiate breaches.
The shift from ransomware (which depends on many moving parts to make money) to low-risk, high-reward activities like cryptojacking and cryptomining is telling, partly because of how quickly it has happened. Of course, cybercriminals continue to scam victims out of their money or credentials with phishing attacks, and carefully researched ransomware attacks intended to destroy files still occur, with the ransom demand serving only as a smoke screen for other designs. This means that, despite the improved security postures of many SMBs, cyberattacks continue to cause damage. It can be thought of as (indeed, it is) a cyber-arms race, and businesses must make sure they are escalating apace with cybercriminals.
Are We Getting Too Comfortable?
As security practices improve and awareness of the threat of cyberattacks rises across the globe, it’s important not to lose focus on preventing attacks in the first place.
With new data security regulations, like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), coming into effect, many organizations are also now faced with stricter compliance mandates. Satisfying these new rules can be laborious. Companies must analyze all risks across all devices, networks, and users to ensure they have implemented appropriate technical safeguards. These may include mobile security solutions to lock or wipe devices that have been lost or stolen, or application firewalls and DNS-layer protection to defend their networks. It’s important to remember, though, that while compliance is essential for enhancing organizational security, regulatory compliance alone should not be the end goal of IT security.
The numerous large-scale and disruptive cyberattacks that marked last year (NotPetya, WannaCry, BadRabbit, the Equifax breach, etc.) appear to be linked by a common factor: companies are only as strong as their weakest link. Even one successful phishing email can wreak havoc. The more we learn and talk about cybersecurity as an essential component of daily business culture, the faster it will come to seem second nature, provided that repetitive training and shared common knowledge do not lead to information fatigue. That fatigue becomes a real danger when individuals take basic cybersecurity best practices for granted and assume they are protected. It can be avoided with relevant, topical training sessions that are updated frequently and driven by performance metrics and other positive incentives.
We Are All Swimming with the Sharks
Let’s compare cybersecurity awareness with a family trip to the beach. When traveling, especially with loved ones, we’re naturally far more cautious of our surroundings. The beach has inherently unpredictable variables like hot sand, pinch-happy crabs, crowds of strangers, rough waves, sunburn, rip tides and thousands of sea creatures whose home you’ve just entered. Including sharks.
Similarly, the cybersecurity landscape is filled with its own unpredictable variables, such as phishing schemes, botnets, nefarious nation-state actors, and ransomware attacks. To adequately protect against such varied threats, your company must identify its real risks, especially to end users and their data. In our analogy, understanding data confidentiality, integrity, and availability, where and how the data is used, and the appropriate tools and best practices for protecting it can be likened to understanding rip tides or UV overexposure and only swimming with a lifeguard on duty. With basic protections in place, you’re better positioned to take additional steps, like applying extra sunscreen and having young children wear life vests. Because, as minuscule as any one step may seem, in the aggregate they make all the difference between being safe and exposing yourself to danger.
The key takeaway for small- to medium-sized businesses is that today’s cybersecurity efforts must address people, processes, and technology. This applies not only to your company’s IT department but also to each individual employee, since users make errors that technology is powerless to prevent or correct. It’s imperative that we practice cybersecurity vigilance and that we are all “armed” with the knowledge and skills to continuously thwart threats. Sure, there may be lifeguards around, but we’re all swimming with sharks.
George Anderson is the director of product marketing at Webroot. He’s spent the past 19 years in the IT security industry helping companies keep real threats to their business at the center of their attention.