Each time we hear about a new security incident at a major company, we assume the breach succeeded either because of its high level of sophistication or because attackers have been “footprinting” their victim for a very long time and found the weakest link in the security chain.
Truth is, security breaches are a direct result of a poorly configured cloud gateway between local and public cloud infrastructures, of poor authentication methods, or even of someone in the organization deciding they were “not important enough” to be considered a valuable target for attackers.
A couple of common enterprise security misconceptions have more than once had dire consequences for both customer privacy and corporate data. If, among the following seven delusions, you identify at least one that you’ve adopted yourself, maybe it’s time to reassess your company’s security practices and beliefs.
1. You’re not important enough to be targeted
Things are changing due to recent media attention to cyberattacks and company data losses, as small companies have begun expressing concerns about their security mechanisms, with some 60 percent claiming they will take serious actions to mitigate threats, according to recent trends.
This is probably one of the most common ideas that companies get stuck on, as they believe their data is not valuable enough to be worth the effort of a security breach. Nothing could be further from the truth. Any type of data – from HR records to billing receipts and even telemetry information – could be used in larger spearphishing attacks or social engineering schemes.
2. Public cloud more easily breached - Cloud providers responsible for security
The public cloud is believed to be insecure and prone to a wide range of attacks aimed at stealing personal and sensitive data. The truth is that, quite often, security experts fail to properly configure cloud environments and applications, leaving them exposed to attacks.
It’s always easier to blame someone else for security shortcomings, and it’s usually public cloud providers who take the fall for breaches, despite offering a wide range of tools and solutions for enforcing security. They are mainly responsible for making sure the IT infrastructure and applications are always operational – with minimum downtime.
The end-user (or in this case, the company) that makes use of public clouds should do everything in its power to secure and protect that data, along with setting up security mechanisms for preventing unauthorized access to it.
3. Password strength is key
With more than 44 percent of consumers using the same password for multiple accounts, studies have shown they also use duplicate passwords for nearly three quarters of their accounts. In the corporate world, strong authentication is often believed to be an acceptable security practice, but, without multifactor authentication, access to critical systems can easily be lost.
Believing that a single strong password can keep intruders at bay is another misconception. In the context of securing cloud data, password strength coupled with multifactor authentication is vital in toughening access to vital systems, applications and critical assets.
4. Antivirus and Firewalls are bulletproof
More than 62 percent of IT professionals believe traditional security solutions issue too many false positives and 38 percent believe too much uncorroborated data is collected, according to research firm Enterprise Management Associates (EMA).
Firewalls and security software are bare necessities to protect your network and data, but don’t be fooled into thinking that simply deploying these on your infrastructure will keep any sophisticated threats or attacks away. Today’s threats are far more complex and the attack surface has broadened to include everything from simple data-harvesting malware Trojans to ransomware and advanced persistent threats delivered via any type of device connected to the company network.
New threats not only exhibit morphing capabilities that make it highly unlikely for traditional security solutions to detect malicious payloads, but also leverage unpatched software vulnerabilities to breach critical systems. A layered approach to security should include a lot more security analytics to detect and respond to new or unknown threats.
5. Single magic bullet solution against targeted attacks
This goes hand-in-hand with the previous mistaken belief that companies need only adhere to best practices to keep data safe. Although it’s highly advisable to adhere to best practices, today’s threats can only be countered by putting in place multiple security mechanisms and correlating all relevant information.
No single solution can protect against targeted attacks, as hackers spend a large amount of time doing reconnaissance to find the “sweet spot” where the security chain is most vulnerable. To this end, the concept of a silver bullet is more of a silver shotgun shell, meaning that multiple and varied security technologies need to operate together to increase the cost of attack.
6. Software updates and patches prevent attacks
Although more than 35 percent of security experts make installing software updates a top security practice, according to Google research, targeted attacks usually exploit software vulnerabilities to which patches have already been issued.
Although installing the latest updates and patches will reduce the risk of attackers exploiting known vulnerabilities, there’s also the issue of deploying these updates across the entire company in a timely manner – not after a couple of months – and the risk of attackers using unknown vulnerabilities – also known as zero-day vulnerabilities – to compromise a particular company system or endpoint.
7. Lack of security features
While some companies might argue that security solutions lack the proper features for guaranteeing and enforcing protection against attacks, the matter of “rogue IT” is one reason internal company data gets smuggled out and internal security gets breached. A lack of proper restrictions and policies to discourage users from installing or using tools not approved by IT may lead to security incidents or even open the door for attackers.
Blaming security vendors is common in security incidents, but the problem usually lies with internal procedures and practices. BYOD strategies are the most vulnerable to security breaches, considering that more than 74 percent of organizations allow or plan to allow employees to connect their personal devices to the company’s network and resources, according to Tech Pro research.
As hard as it may be to accept, companies need to take responsibility for security breaches and shift the paradigm from assigning blame to proactively designing incident response plans and identifying their most valuable assets to protect.
The mental discipline needed to avoid falling prey to the above security misconceptions shouldn’t be that difficult to pull off, especially if you value both your customer and company data.