“That’s not just a problem, that’s a serious issue,” says Ben Smith, field chief technology officer for RSA. Smith wants businesses to double down on how they secure their computing assets, but he also wants them to set aside, for a while, tools such as next-gen antivirus, secure Web gateways, malware sandboxing, next-gen firewalls, application whitelisting and the like.
He’s also not into dropping tired, old phrases such as: “It’s not about if you get breached; it’s when you get breached,” “Even large enterprises that have millions of dollars to spend on security got breached, so everyone is at risk,” or “Security incidents can put you out of business.”
What he wants to impart is his list of five common security mistakes that IT teams and managers overlook – mistakes that often leave an organization wide open to would-be cyberattacks.
Lack of practice – Most organizations have an incident recovery plan, “the problem is, it’s often drastically out of date,” Smith bemoans. “Even a plan that is less than one year old might no longer be up to date and could have some serious gaps.”
“Very often, incident recovery plans are written and then left forgotten on the shelf or in computer folders,” he says. “Employees and teams need to practice the plan regularly so they know what they are supposed to do when a security incident occurs.”
Plans also need to be periodically revisited, reevaluated, and updated to reflect the latest threats as well as changes in the organization – for instance, the contact information of people to call in an emergency may have changed, teams and departments could have been revised, and some systems could have been replaced since the last plan was written.
Missing the punch – “In a lot of cases, when a security incident occurs, the ‘firefighters’ have no awareness of the business context of the event,” according to Smith. “In other words, the responders have no way of judging the criticality of the incident…Is it a small fire or a large fire?”
When responders are not adequately aware of the impact or the value of the assets at stake, they are prone to overreact or underreact to the incident.
Organizations need to create a system where responders can triage their response the way emergency room teams do in a hospital. Clear guidance and information should be provided to them so that they can easily identify which assets are deemed critical and which ones are not.
Seeing people as mere cogs in a wheel – People are an organization’s best asset. Unfortunately, many businesses fail or refuse to realize this and end up losing out on tech talent.
Many companies complain that they have a hard time recruiting security professionals. But Smith says a lot of these same firms are not investing in the staff they already have. Here are a few bullet points to consider (exclamation points provided by Smith):
- Job rotations for personnel – Benefit: address skills shortage, career path aspirations
- “Champion” or “mentor” designation where appropriate – Benefit: peer recognition/respect without a formal promotion
- MSSPs (managed security solution providers) – Benefit: skills transfer during/end of engagement
- Hiring (sourcing) vs. retention – which is harder? – Keep the bench warm/filled at all times!
- All of your employees are members of your extended security team!
Get the point?
Forgetting that partners are also attack vectors – Look back at some of the most publicized breaches in recent years. In many of them, the attack was not launched directly against the company but through a third party that was connected to, or did business with, the target.
In securing their systems, many firms tend to overlook their partners or suppliers. In most cases, companies have no idea about the security posture of the other firms they do business with. This can be a very serious issue if their computer systems are connected to an insecure business.
“Supply chain risk management is a key component of security,” says Smith. “Today, you will find some of the largest businesses requiring visibility into the security measures applied by their supply chain partners. Some contracts even require potential partners to answer a security questionnaire and invest in needed security tools.”
Failing to adopt proactive security – Most security incident response is reactive. Smith argues that organizations have a better chance of heading off potential dangers and mitigating the impact of an attack by being proactive, rather than reactive, when it comes to protecting their systems.
“Instead of having their security teams waiting for an alert to be triggered, they should have an individual or several persons dedicated to actively hunting for potential security threats,” he says.
The practice shrinks “dwell time” (the time IT security teams spend between being idle and actually being deployed to work on a security issue), saves personnel from “alert fatigue” and from reacting to false positives, and avoids “paralysis by analysis,” says Smith.
The RSA CTO suggests setting aside an hour a day to take people away from their regular tasks and provide them with the tools to look for potential threats.
“Being stuck doing the same routine every day can be boring. Having your team do something like this plays off people’s natural tendency towards curiosity and unraveling mysteries,” says Smith. “It builds the right skills for your hunters and helps them develop true situational awareness.”
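Two of Smith’s points, triaging with business context (is it a small fire or a large fire?) and hunting instead of waiting for an alert, can be shown together in a few lines of code. The following is an added example, not code from the article or from RSA: it parses constructed SSH log lines, runs one hunt hypothesis over them (a successful login preceded by repeated failures from the same source), and then ranks the findings by a criticality weight taken from a constructed asset inventory. The hostnames, IP addresses, log lines, the `ASSETS` table and the `CRITICALITY_WEIGHT` scale are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed asset inventory (assumption): the "business context" responders
# need so they can tell a kiosk from the payments database.
ASSETS = {
    "pay-db-01": {"criticality": "critical", "owner": "finance"},
    "hr-app-02": {"criticality": "high", "owner": "hr"},
    "kiosk-17": {"criticality": "low", "owner": "facilities"},
}

# Assumed weighting scale; a real program would load this from the CMDB.
CRITICALITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample log lines (not real data) in a simplified sshd format.
LOG_LINES = [
    "2024-03-01T08:00:01 kiosk-17 sshd: Failed password for guest from 10.0.5.9",
    "2024-03-01T08:00:04 kiosk-17 sshd: Failed password for guest from 10.0.5.9",
    "2024-03-01T08:00:07 kiosk-17 sshd: Failed password for guest from 10.0.5.9",
    "2024-03-01T08:00:09 kiosk-17 sshd: Accepted password for guest from 10.0.5.9",
    "2024-03-01T09:12:30 pay-db-01 sshd: Failed password for dba from 203.0.113.7",
    "2024-03-01T09:12:33 pay-db-01 sshd: Failed password for dba from 203.0.113.7",
    "2024-03-01T09:12:36 pay-db-01 sshd: Failed password for dba from 203.0.113.7",
    "2024-03-01T09:12:40 pay-db-01 sshd: Accepted password for dba from 203.0.113.7",
    "2024-03-01T10:00:00 hr-app-02 sshd: Accepted password for alice from 10.0.1.20",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def hunt_brute_force_success(events, threshold=3):
    """Hunt hypothesis: a successful login preceded by >= threshold failures
    for the same host/user/source triple. No alert fired for this; the hunter
    goes looking for it in the data."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            findings.append({
                "ts": e["ts"], "host": e["host"], "user": e["user"],
                "src": e["src"], "failures": failures[key],
            })
        failures[key] = 0  # a success closes the failure run
    return findings


def triage(findings, assets=ASSETS):
    """Attach owner and criticality to each finding and order by priority,
    so the responder sees the large fire before the small one. Unknown hosts
    get a 'medium' default (assumption) rather than being dropped."""
    ranked = []
    for f in findings:
        asset = assets.get(f["host"], {"criticality": "medium", "owner": "unknown"})
        weight = CRITICALITY_WEIGHT[asset["criticality"]]
        priority = weight * min(f["failures"], 10)  # cap so one noisy host can't dominate
        ranked.append({**f, "owner": asset["owner"],
                       "criticality": asset["criticality"], "priority": priority})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in triage(hunt_brute_force_success(parse(LOG_LINES))):
        print(f"P{row['priority']:>2} {row['host']:<10} {row['criticality']:<8} "
              f"owner={row['owner']} user={row['user']} src={row['src']}")
```

Both hits involve the same pattern and the same number of failures; what separates them is the asset table, which is exactly the context Smith says responders usually lack. The hunt function is deliberately a single hypothesis so it can be run in the daily hour he suggests and swapped for a different one tomorrow.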