Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/14/2019
02:00 PM
Anurag Kahol
Anurag Kahol
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Companies Fail to Learn from Peers' Mistakes (and How They Can Change)

Far too often, there's a new breach in the headlines. Companies need to start learning some obvious lessons.

Week after week, data breaches continue to make news headlines. Despite this, companies are reluctant to make the changes to their IT environments and security practices that would help them respond to various threats, making them susceptible to having their data compromised. Even when these security adjustments are relatively simple, such as installing software updates on endpoint devices, some companies still fail to take the necessary steps.

Let's take a look at why companies are reluctant to learn from their peers' mistakes and what they can do to avoid similar fates.

Why Companies Won't Change

· Lack of knowledge and expertise: IT security professionals must continue to develop their skills in order to keep pace with the rapid evolution of technology. One of the biggest challenges for companies is finding qualified individuals who can help them to protect their sensitive data. According to (ISC)² research, the shortage of cybersecurity professionals is now 2.93 million globally. 

· Lack of resources: While companies need to reserve funds for general IT purposes, they must also invest in the proper tools and technologies that can protect them against modern threats. Unfortunately, organizations typically have large sunk costs associated with prior investments into on-premises infrastructure, which can make them more reluctant to spend the extra funds needed to adopt additional, necessary security solutions as they migrate to the cloud.

· Fear of change: Some organizations are set in their ways and might underestimate the need to adopt relevant security tools and practices in the cloud. While on-premises tools and best practices are necessary in the vast majority of organizations, the misguided impression that they extend perfectly to cloud and bring-your-own-device (BYOD) environments can be very costly. The truth is that leveraging the cloud is a fundamentally different way of doing business and requires different security solutions. 

· Illusion of safety: Some organizations have a misguided belief that they are not likely to be a target for hackers and consequently assume that they don't have to worry about cybersecurity. There is a misconception that larger or more widely known organizations represent a more lucrative target and that hackers are more likely to focus on them. However, companies that have inadequate protections are prime targets for hackers, no matter how "under the radar" they may believe themselves to be.

Lessons Learned
Organizations can no longer have a lax cybersecurity posture if they want to defend sensitive data such as their customers' personal information and accounts. Below are seven steps that companies can and must take in order to prevent data breaches: 

  1.  Hire the right talent: Ensure that the IT security professionals you hire have the right knowledge and skills to meet the security needs of your company. Having an IT team that has no experience in protecting data in cloud environments is not prudent because the majority of applications used in the modern enterprise are now cloud-based. 
  2. Stay on top of critical software updates and patches: Far too many breaches are caused by outdated or flawed software for which patches and updates are readily available. 
  3. Perform regular vulnerability assessments: Organizations must be aware of their vulnerabilities and prioritize fixing them ahead of time. For companies that leverage infrastructure-as-a-service platforms, this involves using tools to identify and address misconfigurations in cloud environments that can expose data.
  4. Educate all employees: One of the best tactics companies can leverage to strengthen security is to adopt a "security first" mentality across the entire organization. This needs to stem from the top, with the C-suite emphasizing how everyone in the company is responsible for helping to protect sensitive data, and must encompass regular training on topics such as how to spot phishing emails and how to share data securely. 
  5. Employ best-practice security tools: For all organizations, there are certain tools that are considered essential for adequate cloud security, including data loss prevention, user and entity behavior analytics, searchable encryption, and multifactor authentication (MFA). "Step-up MFA" is also a useful tool — additional authentication is required in real time if suspicious activity occurs.
  6. Be proactive: It's far easier to prevent data breaches than it is to recover from one. Make sure your security policies and practices reflect a proactive approach rather than a reactive one. 
  7. Securely enable new tech: Employees are quick to adopt any technology that boosts their productivity and makes doing their jobs easier; however, this often happens even when their companies have not yet sanctioned the use of said technology. This is particularly true of BYOD environments and cloud applications. Organizations are far safer if they get ahead of the curve and enable these types of technologies responsibly and securely. 

Organizations have witnessed the aftermath of data breaches and the costs associated with failing to keep sensitive data secure. They regularly see their peers face hefty fines, lawsuits, loss of revenue, and damaged reputations. Thinking "this could never happen to my company" is inaccurate and dangerous. Breaches can be the result of misconfigurations, malware attacks, phishing, malicious insiders, and countless other threats — any of these can cause massive damage to companies and their stakeholders. It's time for organizations to heed the warnings in the news and take a more proactive approach to cybersecurity.

Related Content:

Check out The Edge Dark Reading's new section for features, threat data and in-depth perspectives. It's like a Sunday magazine in a daily newspaper with a variety of value-add content. Today's edition features You Gotta Reach ’Em to Teach ’Em.

As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks' Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/14/2019 | 5:16:19 PM
Go post, but haven't we hard this song before
At the end of the day, it is human nature (oh yeah, I will get to it tomorrow) and pow, another cyber-incident on the news. All it takes it one person to make a mistake, and as humans, we are not built like that (to focus on every aspect and to think of every plausible outcome).

That is why this will continue to be provoked by vulnerabilities and threats until we invoke some sort of sentinel (ML) to address our shortcomings (that sentinel has to advise and be prescriptive in nature - take the information from what it has gathered and do something with it).

Simple as that.

T
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18218
PUBLISHED: 2019-10-21
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVE-2019-18217
PUBLISHED: 2019-10-21
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
CVE-2019-16862
PUBLISHED: 2019-10-21
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.
CVE-2019-17409
PUBLISHED: 2019-10-21
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
CVE-2019-10715
PUBLISHED: 2019-10-21
There is Stored XSS in Verodin Director before 3.5.4.0 via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.