Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
Today’s organizations understand the importance of cybersecurity. They know cyberattacks and data breaches are frequent, more targeted and more dangerous. They recognize the risks of ransomware, the disruption it can cause and the damage it can inflict on organizations.
Though many businesses have a level of technological defenses in place, threats continue to evade security controls, and breaches continue to succeed. Why is that the case?
Five Common Cybersecurity Mistakes
Let’s understand the top mistakes organizations make with cybersecurity.
1. Not Taking The Right Leadership Approach
I’ve noticed leaders often take two types of approaches toward cybersecurity: They care about either compliance or security. If leaders only devote attention to compliance, then most likely security will suffer. It’s as simple as that.
One can certainly try to educate leadership; however, if their mindset is fixated on compliance, it might push things too far in that direction, making things worse for security teams.
2. Not Measuring Your Security Baseline
One might say: we know our security is broken, so what’s the point of testing or evaluating our defenses? But if you don’t assess the security posture, including the state of technical controls, vulnerabilities and weaknesses, how will you determine which controls are needed and in what priority? How do you demonstrate progress toward something without first defining a baseline?
3. Not Understanding The Security Context
Many security pros live in their own bubble. They follow commonly used security measures. Threats look the same to them from whatever angle they are examined. They seldom step outside to understand their own business, their own security problems and their own security use cases.
Instead of walking the halls and understanding the business and the security mindset of employees, many security pros deploy blanket tools, processes and practices that are standard across the industry.
4. Not Staying Current On Threat Intelligence
Organizations are failing to recognize that threat intelligence is failing them. Even though the adoption of threat intelligence skills, platforms and budgets is on the rise, it’s worth noting that some businesses are spending time and energy on threats that were discovered months ago.
What’s more, security teams that integrate third-party intelligence tools are often bombarded with false-positive alerts, which end up exacerbating the existing problem. Meanwhile, attackers have already moved past those vectors and are using new tools and methods to attack and infiltrate.
5. Not Focusing Enough On The Human Aspect Of Security
A majority of cyberattacks and breaches can be traced back to human-related errors. Still, most security teams don’t invest in educating and reminding employees about the evolving nature of threats, how to deal with suspect communications, the importance of staying cautious and vigilant and the consequences of their actions on the organization. It is estimated that nearly one-third of organizations do not offer cybersecurity training to their employees.
How Organizations Can Avoid These Mistakes
Although security isn’t a one-size-fits-all model, it’s important that organizations adopt the following best practices:
1. Building Critical Thinking
As technology evolves, cybersecurity will too. The information, skills or intelligence we have today will no longer be relevant tomorrow. Even if organizations leverage artificial intelligence to scale threat detection and automation to a level previously unimaginable, AI will still depend on human intervention to drive that capacity. That’s why critical thinking will always be a component in the evolution of cybersecurity.
2. Improving Agility
Think about what is needed to learn, improve or defend your company over the next six to twelve months and what actions are being proposed to achieve those results. Then, work on adjusting your agility and maintaining the mental flexibility to keep doing that.
3. Knowing Your Baseline
Measure your security baseline consistently to better understand your security posture and quantify progress. You will need this to build, monitor or improve security strategy—whether it’s deploying a tool, enforcing a policy, laying out a process or improving security awareness among employees.
4. Using Your Own Context And Intelligence
Step out of the office, talk to people and build relationships across all levels. Understand employee challenges and the risks and opportunities that lie ahead. While it’s important to understand the technologies and mitigations that can help, it is equally important to look within and understand the relevance of those tools within your own security environment.
5. Focusing On Culture
Security must be top of mind for employees. It should be second nature to them, something that comes naturally whenever they are interacting online. The idea behind this is to leverage human intuition and reaction as a kind of human firewall, so that threats can be detected, reported and intercepted much earlier in their lifecycle, before they can infiltrate and cause damage.
Having the right security technology is only one piece of the security puzzle. Having leadership that backs a security-oriented culture is a major piece, along with measuring security baselines, understanding the security context, staying current on threat intelligence and focusing on the human aspect of security.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders.