Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Anurag Kahol
Anurag Kahol
Connect Directly
E-Mail vvv

Why Companies Fail to Learn from Peers' Mistakes (and How They Can Change)

Far too often, there's a new breach in the headlines. Companies need to start learning some obvious lessons.

Week after week, data breaches continue to make news headlines. Despite this, companies are reluctant to make the changes to their IT environments and security practices that would help them respond to various threats, making them susceptible to having their data compromised. Even when these security adjustments are relatively simple, such as installing software updates on endpoint devices, some companies still fail to take the necessary steps.

Let's take a look at why companies are reluctant to learn from their peers' mistakes and what they can do to avoid similar fates.

Why Companies Won't Change

· Lack of knowledge and expertise: IT security professionals must continue to develop their skills in order to keep pace with the rapid evolution of technology. One of the biggest challenges for companies is finding qualified individuals who can help them to protect their sensitive data. According to (ISC)² research, the shortage of cybersecurity professionals is now 2.93 million globally. 

· Lack of resources: While companies need to reserve funds for general IT purposes, they must also invest in the proper tools and technologies that can protect them against modern threats. Unfortunately, organizations typically have large sunk costs associated with prior investments into on-premises infrastructure, which can make them more reluctant to spend the extra funds needed to adopt additional, necessary security solutions as they migrate to the cloud.

· Fear of change: Some organizations are set in their ways and might underestimate the need to adopt relevant security tools and practices in the cloud. While on-premises tools and best practices are necessary in the vast majority of organizations, the misguided impression that they extend perfectly to cloud and bring-your-own-device (BYOD) environments can be very costly. The truth is that leveraging the cloud is a fundamentally different way of doing business and requires different security solutions. 

· Illusion of safety: Some organizations have a misguided belief that they are not likely to be a target for hackers and consequently assume that they don't have to worry about cybersecurity. There is a misconception that larger or more widely known organizations represent a more lucrative target and that hackers are more likely to focus on them. However, companies that have inadequate protections are prime targets for hackers, no matter how "under the radar" they may believe themselves to be.

Lessons Learned
Organizations can no longer have a lax cybersecurity posture if they want to defend sensitive data such as their customers' personal information and accounts. Below are seven steps that companies can and must take in order to prevent data breaches: 

  1.  Hire the right talent: Ensure that the IT security professionals you hire have the right knowledge and skills to meet the security needs of your company. Having an IT team that has no experience in protecting data in cloud environments is not prudent because the majority of applications used in the modern enterprise are now cloud-based. 
  2. Stay on top of critical software updates and patches: Far too many breaches are caused by outdated or flawed software for which patches and updates are readily available. 
  3. Perform regular vulnerability assessments: Organizations must be aware of their vulnerabilities and prioritize fixing them ahead of time. For companies that leverage infrastructure-as-a-service platforms, this involves using tools to identify and address misconfigurations in cloud environments that can expose data.
  4. Educate all employees: One of the best tactics companies can leverage to strengthen security is to adopt a "security first" mentality across the entire organization. This needs to stem from the top, with the C-suite emphasizing how everyone in the company is responsible for helping to protect sensitive data, and must encompass regular training on topics such as how to spot phishing emails and how to share data securely. 
  5. Employ best-practice security tools: For all organizations, there are certain tools that are considered essential for adequate cloud security, including data loss prevention, user and entity behavior analytics, searchable encryption, and multifactor authentication (MFA). "Step-up MFA" is also a useful tool — additional authentication is required in real time if suspicious activity occurs.
  6. Be proactive: It's far easier to prevent data breaches than it is to recover from one. Make sure your security policies and practices reflect a proactive approach rather than a reactive one. 
  7. Securely enable new tech: Employees are quick to adopt any technology that boosts their productivity and makes doing their jobs easier; however, this often happens even when their companies have not yet sanctioned the use of said technology. This is particularly true of BYOD environments and cloud applications. Organizations are far safer if they get ahead of the curve and enable these types of technologies responsibly and securely. 

Organizations have witnessed the aftermath of data breaches and the costs associated with failing to keep sensitive data secure. They regularly see their peers face hefty fines, lawsuits, loss of revenue, and damaged reputations. Thinking "this could never happen to my company" is inaccurate and dangerous. Breaches can be the result of misconfigurations, malware attacks, phishing, malicious insiders, and countless other threats — any of these can cause massive damage to companies and their stakeholders. It's time for organizations to heed the warnings in the news and take a more proactive approach to cybersecurity.

Related Content:

Check out The Edge Dark Reading's new section for features, threat data and in-depth perspectives. It's like a Sunday magazine in a daily newspaper with a variety of value-add content. Today's edition features You Gotta Reach ’Em to Teach ’Em.

As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks' Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/14/2019 | 5:16:19 PM
Go post, but haven't we hard this song before
At the end of the day, it is human nature (oh yeah, I will get to it tomorrow) and pow, another cyber-incident on the news. All it takes it one person to make a mistake, and as humans, we are not built like that (to focus on every aspect and to think of every plausible outcome).

That is why this will continue to be provoked by vulnerabilities and threats until we invoke some sort of sentinel (ML) to address our shortcomings (that sentinel has to advise and be prescriptive in nature - take the information from what it has gathered and do something with it).

Simple as that.

Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious u...
PUBLISHED: 2021-06-16
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
PUBLISHED: 2021-06-16
TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-o...
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must b...