Opinion: Steve Nice, Security Technologist, Node4 addresses the five common security pitfalls for cloud-connected UK companies.
The threat landscape for businesses is evolving rapidly. Businesses have never been more connected, operating within increasingly complex network environments that are being exposed to a growing number of differing attack methods.
As IT becomes ever more critical to the daily survival of businesses, so cybercriminals are becoming more sophisticated in their attempts to exploit vulnerabilities. It’s now commonplace to read about a high-profile incursion into a company’s IT (with all the associated costs and brand damage this brings).
There’s never been a more pertinent time for IT teams to assess security strategies and overcome these five common pitfalls:
1. Employee education and communication
Ignoring users is a serious mistake. According to Node4 research, IT teams believe the biggest internal threat to the business is the human element. This isn’t through malicious attacks, but errors made by employees. More often than not, the user’s view is “it doesn’t matter what I do, the IT department’s firewall will protect me”, which is far from the case.
Yet IT teams aren’t keeping users abreast of the latest threats that leave them vulnerable to phishing and ransomware. Cybercriminals are evading protection policies by using more targeted, crafted emails that, at first glance, appear relevant and genuine, for example by using registered domain names that are similar to a recognised company. When reading a link, it’s very easy to think that it begins with ‘m’ (like m-test.com) when in actual fact it’s an ‘r’ followed by an ‘n’, ‘rn’ (rn-test.com). It’s a difference the average user may well not notice.
Put in place security policies that educate users on the evolving threat landscape – and keep reiterating the message.
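The lookalike-domain trick described above (rn-test.com posing as m-test.com) can also be caught by a mail or proxy filter rather than by the reader's eye. The following is an added example, not code from Node4 or the author; the trusted list and the table of confusable sequences are constructed for illustration and are not exhaustive.

```python
# Added example: flag sender/link domains that imitate a trusted domain.
# TRUSTED and CONFUSABLES are constructed for illustration, not a complete list.
from typing import Optional

TRUSTED = {"m-test.com", "example.co.uk"}  # constructed allow-list

# Character sequences that read like another letter at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences to one canonical form."""
    s = domain.strip().lower().rstrip(".")
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None."""
    d = domain.strip().lower().rstrip(".")
    if d in TRUSTED:
        return None  # exact match is the genuine domain
    for good in sorted(TRUSTED):
        # Same skeleton = visual twin; distance 1 = one-character typo.
        if skeleton(d) == skeleton(good) or edit_distance(d, good) == 1:
            return good
    return None


if __name__ == "__main__":
    for candidate in ["m-test.com", "rn-test.com", "examp1e.co.uk", "unrelated.org"]:
        print(candidate, "->", lookalike_of(candidate))
```

A distance-1 match on very short domains will produce false positives, so a filter built this way should flag for review rather than block outright.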
2. Security awareness
Only a quarter of IT managers rate themselves as ‘very confident’ they could handle issues such as malicious attacks, information leakage or overall system compromise, according to Node4 research earlier this year. Threats are evolving very quickly, so it’s perhaps no wonder that IT departments are playing catch up.
But it surprises me just how many oversights are still being made on more basic security measures. Printers are connected to a network for years without default passwords being changed. IT teams are under pressure to get things working in the business, and temporary measures often become forgotten and permanent. As well as promoting user awareness, IT needs to step up its own skills awareness.
3. Legacy investments
Security tools have evolved with the threat landscape, as businesses become increasingly reliant on technology and the internet. But it’s led to a reliance on legacy systems that have new security systems or software simply bolted on or run in isolation. Nothing is unified, and this means big gaps in protection.
For the IT department, it means getting to grips with an ever-increasing number of security tools. A Unified Threat Management (UTM) solution allows IT to become a master of just one security application, but with control over all the others. The barrier to adoption can be justifying return on investment. But it only takes one attack for a business to realise the value of UTM. The problem is, by then, the horse has often bolted.
4. No visibility of what exactly is happening on the network
The lack of awareness of security attacks is startling. It can take eight months for companies to realise they’ve even been breached, and recent Node4 research shows that 41% of IT managers don’t know how many intrusions they have suffered.
While ransomware attacks make newspaper headlines, hackers typically operate under the radar, whether it’s to use a company’s network for digital storage or for more malicious purposes, such as syphoning off emails or picking off new credit card details as they are added.
These hackers will try to hide all footprints and paths through your network, but unless you’re actively looking for these you won’t know. Don’t give them the opportunity. Use security information and event management (SIEM) for a bird’s-eye view of all your IT security, from a single point of visibility.
5. Inadequate IT processes
Software, operating systems, APIs, web servers, phones, printers and more. Today’s IT environment is expansive and varied, with hundreds of thousands of end points that must be protected. Such a vast threat landscape can be a living nightmare to manage, but many IT departments are adding to the pain.
I’ve frequently found situations where security and firewall settings have been set up by a third party whose contract has been cancelled, or an IT employee who has since left the business. Systems are in place, but no-one in the organisation knows how they’ve been set up or how to manage them. Documentation, security processes and clear ownership are a must for any IT department that doesn’t want to leave its business open to attack.
IT teams face considerable pressure to protect sensitive company data. The number of potential attack vectors is increasing day-by-day. Businesses are more connected than ever, with increasingly heterogeneous and complex networks, and multiple attack vectors.
But the costs of getting security wrong can be considerable. Newer threats need to be met with fresh approaches. In an ever-changing threat landscape, IT must overcome today’s pitfalls and continuously assess and evolve its security approach.