Five Most Common Cyber Security Mistakes: which are you guilty of?
To many, cyber security is a bit of a mystery. This lack of understanding has created many misconceptions among management about how to approach cyber security. From our years of experience, we have seen the following five cyber security mistakes repeated over and over – often with drastic results.
1. Mistake: “We have to achieve 100 percent security”
Reality: 100 percent security is neither feasible nor the appropriate goal. Almost every airline claims that flight safety is its highest priority while recognizing that there is an inherent risk in flying. The same applies to cyber security. Whether it remains private or is made public, almost every large, well-known organization will at some point experience information theft. Accepting that 100 percent protection against cyber crime is neither feasible nor the right goal is itself an important step towards a more effective policy, because it lets you make deliberate choices about your defensive posture. A good defensive posture rests on three capabilities: understanding the threat (i.e., the criminal) relative to the organization's own vulnerabilities (prevention), mechanisms to detect an imminent or actual breach (detection), and a capability that deals with incidents immediately (response) so that losses are kept to a minimum.
In practice, the emphasis is often skewed towards prevention, the equivalent of building impenetrable walls to keep intruders out. Once you accept that perfect security is an illusion and that dealing with cyber security incidents is "business as usual," it follows that more emphasis must be placed on detection and response. After an incident, which may range from theft of information to a disruptive attack on core systems, an organization must be able to limit its losses and close the vulnerabilities that were exploited.
2. Mistake: “When we invest in best-of-class technical tools, we are safe”
Reality: Effective cyber security is less dependent on technology than you think. The world of cyber security is dominated by specialist suppliers that sell technical products, such as tools for rapid detection of intruders. These tools are essential for basic security and must be integrated into the technology architecture, but they are not the basis of a holistic and robust cyber security policy and strategy. Investment in technical tools should be the output, not the driver, of cyber security strategy. Good security starts with developing a robust cyber defense capability. Although this is generally led by the IT department, the knowledge and awareness of the end user is critical. The human factor, for IT professionals and end users alike, is and remains the weakest link in security. Investment in the best tools only delivers a return when people understand their responsibility to keep their networks safe. Social engineering, in which attackers manipulate employees into granting them access to systems, is still one of the main risks organizations face. Technology alone does not solve this: controls such as multi-factor authentication and e-mail filtering limit the damage a deceived employee can do, but they do not stop an employee from being talked into handing over access. It is therefore essential that managers take ownership of this challenge. They have to show genuine interest and be willing to study how best to engage with the workforce to educate staff and build awareness of the threat from cyber attack. This is often about changing the culture so that employees are alert to the risks and proactive in raising concerns with supervisors.
3. Mistake: “Our weapons have to be better than those of the hackers”
Reality: The security policy should primarily be determined by your goals, not those of your attackers. The fight against cyber crime is an unwinnable race: attackers keep developing new methods and technology, and the defense is always one step behind. So is it useful to keep investing in ever more sophisticated tools to prevent attack? While it is important to keep up to date and to gain insight into attackers' intentions and methods, it is critical for managers to adopt a flexible, proactive and strategic approach to cyber security. Given the value of a company's information assets and the severe consequences of any loss for the core business, cyber security policies need to prioritize investment in protecting critical assets rather than in the latest technology or system for detecting every niche threat. First and foremost, managers need to understand what kinds of attackers their business attracts and why. An organization may value its assets differently than a criminal does. How willing are you to accept risks to certain assets over others? Which systems and people hold your key assets? Keep in mind that business processes and technology have grown into chains, so the security of each link depends on the security of the others.
4. Mistake: “Cyber security compliance is all about effective monitoring”
Reality: The ability to learn is just as important as the ability to monitor. In practice, cyber security is very much driven by compliance. This is understandable, because many organizations have to accommodate a range of laws and regulations. However, it is counterproductive to view compliance as the ultimate goal of cyber security policy. Only an organization that understands external developments and incident trends, and uses this insight to inform policy and strategy, will succeed in combating cyber crime in the long term. Effective cyber security policy and strategy should therefore be based on continuous learning and improvement.
- Organizations need to understand how threats evolve and how to anticipate them. In the long term this approach is more cost-effective than building ever-higher security "walls." It goes beyond monitoring infrastructure: it is about smart analysis of external and internal patterns in order to understand the real threat and its short-, medium- and long-term risk implications. This insight should enable organizations to make sensible security investment choices, including investments that reduce costs elsewhere. Unfortunately, in practice, many organizations do not take a strategic approach and do not collect and use the internal data available to them.
- Organizations need to ensure that incidents are evaluated in such a way that lessons can be learned. In practice, however, actions are driven by incidents as they happen and are often neither recorded nor evaluated. This destroys the organization's ability to learn and to put better security arrangements in place in the future.
- The same applies to monitoring attacks. In many cases, organizations have some monitoring capability, but the findings are not shared with the wider organization, so few or no lessons are learned from the information received. Furthermore, monitoring needs to be underpinned by an intelligence requirement: only if you know what you want to detect, and why, does monitoring become an effective tool for detecting attacks.
- Organizations need to develop an enterprise-wide method for assessing and reporting cyber security risks. This requires protocols to determine risk levels and escalations, and methods for equipping the board with insight into strategic cyber risks and the impacts to core business.
5. Mistake: “We need to recruit the best professionals to defend ourselves from cyber crime”
Reality: Cyber security is not a department, but an attitude. Cyber security is often seen as the responsibility of a department of specialist professionals. This mindset may result in a false sense of security and lead to the wider organization not taking responsibility. The real challenge is to make cyber security a mainstream approach. This means, for example, that cyber security should become part of HR policy, even in some cases linked to remuneration. It also means that cyber security should have a central place when developing new IT systems, and not, as is often the case, be given attention only at the end of such projects.
Please feel free to download our Thought Leadership, Cyber security: it’s not just about technology, for more insights.