Week after week, data breaches continue to make news headlines. Despite this, companies are reluctant to make the changes to their IT environments and security practices that would help them respond to various threats, making them susceptible to having their data compromised. Even when these security adjustments are relatively simple, such as installing software updates on endpoint devices, some companies still fail to take the necessary steps.
Let's take a look at why companies are reluctant to learn from their peers' mistakes and what they can do to avoid similar fates.
Why Companies Won't Change
· Lack of knowledge and expertise: IT security professionals must continue to develop their skills in order to keep pace with the rapid evolution of technology. One of the biggest challenges for companies is finding qualified individuals who can help them to protect their sensitive data. According to (ISC)² research, the shortage of cybersecurity professionals is now 2.93 million globally.
· Lack of resources: While companies need to reserve funds for general IT purposes, they must also invest in the proper tools and technologies that can protect them against modern threats. Unfortunately, organizations typically have large sunk costs associated with prior investments into on-premises infrastructure, which can make them more reluctant to spend the extra funds needed to adopt additional, necessary security solutions as they migrate to the cloud.
· Fear of change: Some organizations are set in their ways and might underestimate the need to adopt relevant security tools and practices in the cloud. While on-premises tools and best practices are necessary in the vast majority of organizations, the misguided impression that they extend perfectly to cloud and bring-your-own-device (BYOD) environments can be very costly. The truth is that leveraging the cloud is a fundamentally different way of doing business and requires different security solutions.
· Illusion of safety: Some organizations have a misguided belief that they are not likely to be a target for hackers and consequently assume that they don't have to worry about cybersecurity. There is a misconception that larger or more widely known organizations represent a more lucrative target and that hackers are more likely to focus on them. However, companies that have inadequate protections are prime targets for hackers, no matter how "under the radar" they may believe themselves to be.
Organizations can no longer have a lax cybersecurity posture if they want to defend sensitive data such as their customers' personal information and accounts. Below are seven steps that companies can and must take in order to prevent data breaches:
- Hire the right talent: Ensure that the IT security professionals you hire have the right knowledge and skills to meet the security needs of your company. Having an IT team that has no experience in protecting data in cloud environments is not prudent because the majority of applications used in the modern enterprise are now cloud-based.
- Stay on top of critical software updates and patches: Far too many breaches are caused by outdated or flawed software for which patches and updates are readily available.
- Perform regular vulnerability assessments: Organizations must be aware of their vulnerabilities and prioritize fixing them ahead of time. For companies that leverage infrastructure-as-a-service platforms, this involves using tools to identify and address misconfigurations in cloud environments that can expose data.
- Educate all employees: One of the best tactics companies can leverage to strengthen security is to adopt a "security first" mentality across the entire organization. This needs to stem from the top, with the C-suite emphasizing how everyone in the company is responsible for helping to protect sensitive data, and must encompass regular training on topics such as how to spot phishing emails and how to share data securely.
- Employ best-practice security tools: For all organizations, there are certain tools that are considered essential for adequate cloud security, including data loss prevention, user and entity behavior analytics, searchable encryption, and multifactor authentication (MFA). "Step-up MFA" is also a useful tool — additional authentication is required in real time if suspicious activity occurs.
- Be proactive: It's far easier to prevent data breaches than it is to recover from one. Make sure your security policies and practices reflect a proactive approach rather than a reactive one.
- Securely enable new tech: Employees are quick to adopt any technology that boosts their productivity and makes doing their jobs easier; however, this often happens even when their companies have not yet sanctioned the use of said technology. This is particularly true of BYOD environments and cloud applications. Organizations are far safer if they get ahead of the curve and enable these types of technologies responsibly and securely.
Organizations have witnessed the aftermath of data breaches and the costs associated with failing to keep sensitive data secure. They regularly see their peers face hefty fines, lawsuits, loss of revenue, and damaged reputations. Thinking "this could never happen to my company" is inaccurate and dangerous. Breaches can be the result of misconfigurations, malware attacks, phishing, malicious insiders, and countless other threats — any of these can cause massive damage to companies and their stakeholders. It's time for organizations to heed the warnings in the news and take a more proactive approach to cybersecurity.
- The State of IT Operations and Cybersecurity Operations
- Inside Incident Response: 6 Key Tips to Keep in Mind
- It's (Still) the Password, Stupid!
- Yes, FaceApp Really Could Be Sending Your Data to Russia
Check out The Edge Dark Reading's new section for features, threat data and in-depth perspectives. It's like a Sunday magazine in a daily newspaper with a variety of value-add content. Today's edition features You Gotta Reach ’Em to Teach ’Em.