By: Stewart Collier
For many people, the term cybersecurity conjures up the Hollywood vision of an individual in a dark room running sophisticated code and typing furiously on a keyboard to
access critical government data or to steal money from big financial institutions. This vision, though, is not reality. The truth is that cyberattacks come in a variety of shapes and sizes, from
highly sophisticated and potentially state-sponsored initiatives like Stuxnet or NotPetya to arbitrary probing done by individuals with limited resources. In fact, the 2018 Verizon Data Breach Investigations Report found that 58 percent
of data breach victims are small businesses whose cybersecurity vulnerabilities are exploited by automated attacks designed to probe at random.
As a result, most enterprise breaches are not the result of cyber criminals inventing new, high-profile ways of doing damage. Rather, they are due to shortfalls in the development and enforcement
of holistic, layered security processes and protocols. Many enterprises in the US and across the world buy into the myth that buying and installing software like antivirus programs or machine
learning platforms can keep them safe. Unfortunately for them, this couldn’t be further from the truth: software is but a tool to support a comprehensive cybersecurity plan. From my perspective,
a strong cybersecurity strategy must revolve around establishing the right combination of physical protection, quality assurance, regulatory compliance and client buy-in to overcome present and
future cyber dangers. In this article, we will examine the following topics:
- Common gaps in enterprise cybersecurity practices
- How to approach the resolution of cybersecurity weaknesses
- Emerging trends in cybersecurity and what enterprises need to watch out for in the future
Although I come to this article from a large data center provider perspective, the topics discussed are applicable to organizations of all sizes, whether they run their own on-premises data
centers or contract with a third-party provider. At the end of the day, the integrity and safety of the data (and that of their customers) is what matters most, and that is why there is a
nationwide need to think about the bigger picture.
When it comes to identifying gaps in cybersecurity, it is often a lack of basic security protocols combined with a failure to think holistically about IT assets and business continuity that gets
enterprises in trouble. Here is a brief list of just some of the issues that I witness the most:
Weak Password Utilization
While having strong passwords is a basic aspect of a good cybersecurity strategy, many organizations often do not do enough in terms of company-wide training to establish password best practices.
In fact, I have seen many individuals either using the same password for multiple protected files or programs or failing to change passwords regularly. While an often-cited best practice for
refreshing passwords is 90 days, I personally prefer a 30-day window. This is because enterprise data breaches do not always come from the outside, yet another misconception that lands companies
in hot water.
Assuming Attacks Always Come from External Sources
While high-profile attacks from outside hacking groups like Anonymous or Fancy Bear get a lot of attention, insider threats can account for up to 75 percent of data breaches. Sometimes a breach can be the work of an unhappy employee
looking to leave a mark on the company he or she dislikes. At other times, it can be simply the result of an employee’s lack of training as to his or her role in upholding the company’s
cybersecurity plan and goals. In fact, at a recent Black Hat security conference, organizers reported that up to 84 percent of all cyberattacks are due to human errors such as failing to apply a patch,
using weak passwords or even leaving devices unlocked in unsafe areas.