Companies cannot afford to make mistakes when it comes to their cybersecurity. However, they do make them, and often. No matter how insignificant the error or how small the slip of the mind may appear, it can have huge consequences.
No wonder then that the cybersecurity experts we’ve spoken to have grown tired of the security boo-boos businesses make. Luckily, they’ve also explained what the biggest cybersecurity mistakes are and provided some insights into how to avoid them.
Before we get to that, let’s discuss why this is so important.
Cybersecurity mistakes could prove costly
There is no shortage of examples to highlight how bad it can get when companies and organisations fail in their digital vigilance. A quick internet search will reveal just how ubiquitous the problem is.
In late 2020, it was revealed that Russia-based hackers had broken into software company SolarWinds' IT infrastructure. The attack was a so-called "supply chain attack."
A Kremlin-linked hacking group, commonly known as Nobelium or Cozy Bear, hacked into the company and planted a backdoor in a SolarWinds update. The malicious code went unnoticed and the update was rolled out to the enterprise's customers. That enabled the hackers to compromise some 18,000 organisations, including US government departments such as Energy, the Treasury and Commerce.
A similar attack occurred in July 2021 when Russian rogues REvil launched a cyberattack against IT vendor Kaseya. Up to 1,500 businesses worldwide were affected in the attack, including the payment systems at Sweden's Coop supermarkets and the IT networks of schools in New Zealand.
Cybersecurity is big business
With threats like these, businesses cannot afford to fail to set up robust cybersecurity systems or to make mistakes.
The rapid digitalisation of the world over the past three decades is one reason for that. The more people live their lives online, the more opportunities cybercriminals have had to leverage the trend for their own nefarious schemes.
Covid-19 exacerbated the situation. When governments imposed social restrictions to control the spread of the contagion, it inadvertently accelerated the shift towards a more digitalised world.
Companies who had previously been reluctant to accept hybrid or remote working had to accept the new normal where those solutions became ubiquitous.
People turned to streaming sites for their entertainment, to food delivery startups for their culinary fixes and to Amazon for basically everything else – all of it available through a few quick swipes on a phone or a tablet.
With the rapid digitalisation of the world, threat actors moved in, launched attacks and tried to leverage the health crisis for their own ends.
To avoid making any mistakes, companies invested in cybersecurity solutions. Not only did businesses buy their products, but investors also started to back startups in the sector with a vengeance.
The cybersecurity boom was a fact. The pandemic propelled the amounts of venture capital (VC) funding raised to new heights.
In 2019, VCs injected $16.8bn into the cybersecurity sector across 747 deals, according to data from research firm GlobalData. In 2021, VCs backed 729 deals at a grand total of $25.3bn. As of August 8, investors have injected more than $9.6bn across 348 deals into the cybersecurity sector in 2022.
There was an expectation that Russia's invasion of Ukraine would drum up demand for cybersecurity services even further. After all, analysts and market watchers expected the next big war to be fought online.
However, contrary to experts' expectations, the cyberwar in Ukraine never came. Instead of duking it out in cyberspace, Russia and Ukraine have been fighting with boots, tanks and guns on the ground and missiles in the air.
That being said, hacktivist group Anonymous has endeavoured to embarrass Russia by launching a wave of small-scale attacks to cut through the Kremlin's propaganda machine.
Cybersecurity investments slowing down could also be linked to the overall slowdown of the tech industry. Over the first few months of 2022, tech stocks have fallen dramatically. That fact combined with the ongoing crypto crash has sparked speculation that we're about to face another tech bubble popping.
What are the most common cybersecurity mistakes?
Investment in the sector may have calmed down ever so slightly, but the threats haven't gone away. Neither has the need for companies to avoid making mistakes when it comes to cybersecurity.
To find out what the most common mistakes are and how to avoid them, Verdict reached out to cybersecurity experts to hear what their biggest bugbears are.
So what are the mistakes cybersecurity professionals hate to see?
Sherrod DeGrippo, vice president for threat research and detection at Proofpoint
We regularly see a number of outdated assumptions about how threat actors use social engineering techniques in their attacks. For example, many individual users assume that all content shared from legitimate services like Google or Microsoft OneDrive is always safe, as this content appears routine and therefore raises no alarm.
This is a big misconception, as we are seeing more and more threat actors hijacking or mimicking these services as a major part of attacks. They know users are more inclined to interact with content that appears to originate from a source they know and trust and will see a higher success rate if malicious content shared is disguised as authentic messaging.
In fact, we saw 1,000 separate threat actor campaigns in 2021 leveraging these legitimate services, with Microsoft OneDrive the most frequently abused service by top-tier e-crime threat actors.
Another outdated assumption about cybersecurity is that all cyber threats are in digital form, on the cloud, web or over email. It’s common for people to think that email-based threats just live in computers.
However, we have seen more cybercriminals picking up the telephone and using this as an effective tool in their cybercrime arsenal.
In recent years, more threat actors have been using call centre-based attacks and these threats are unique as they require a significant amount of human interaction. The malicious emails do not contain links or attachments with harmful content – they require the victim to proactively call a fake customer service number in the email to engage with the threat actor.
We have observed over 250,000 of these threat types every day, and we can expect to see this number grow as malicious actors look to take advantage of the global cost of living crisis.
Jake Moore, global security advisor at Eset
One of the first places people find themselves in a quandary is when they are in the land of complacency. From new starters to CISOs, people can often quickly feel safe in the trust of either a good awareness programme or robust technology that has kept them safe so far.
However, the sophistication of attackers should never be underestimated, and organisations must never take their foot off the gas in preparing for and preventing an attack.
Phishing emails are still rife amongst businesses of all sizes and cause huge headaches for those around them once a campaign is successful. Ransomware is still forcing difficult decision making and there are still companies up and down the country who have not fully tested their protections, incident response plans or even backups.
Misunderstanding how cyberattacks fully work can put organisations on the back foot from the outset of an attack. It may not be necessary for everyone in the business to know the intricacies of an attack as it happens, but the people whose job it is to protect and secure the perimeter need constant updates on the shifting threat landscape and must conduct regular checks to test the inevitabilities.
Much like in the home where people may think a cyberattack won’t ever happen to them, this incorrect mantra can often be brought into the office with greater danger. Staff often value their work-life and company data in less regard than their own, so it is vital that their personal accounts are supported with the right knowledge in how to best protect accounts and data from increasing attacks.
Small businesses continue to believe they are not a target which makes them even more of a lucrative target. They may wrongly think that they are not worth the time or resources but with problems such as Log4j and other major vulnerabilities, such businesses simply get swept up in the other attacks that aren’t explicitly targeted.
The damage unfortunately can be even more catastrophic when small businesses tend to affect livelihoods in greater depth. They may also miss critical updates in a timely manner and also believe that straightforward antivirus is enough to keep hackers at bay, without fully understanding the desperate need for a full suite of security products.
Many companies also believe that attacks will begin from outside of the company walls. The most damaging attacks can often occur from within an organisation and be even more critical in its destruction. Companies are often left tunnel visioned without the thought of a bad apple intentionally or unintentionally already sitting inside the company system.
David Mahdi, chief strategy officer at Sectigo
Mistake number one [is to think that] ransomware is solely about malware. While ransomware is, technically, malware, thinking of it in those terms amounts to missing the forest for the trees.
When we look at what ransomware does, it leverages a user’s access within an enterprise to encrypt sensitive files – and often also steal them.
Ultimately, ransomware wants access to data, and it will typically compromise accounts/user identities to gain access to that data. So, ransomware is an identity and data problem that requires enterprises to consider cybersecurity more holistically, with identity-first security at its core.
Not long ago, enterprises could secure data with a fortress protected by perimeter tools such as firewalls and endpoint security tools like antivirus.
Yes, perimeter tools still have value. However, they aren’t enough anymore, as employees today work from a wide range of locations with remote access tools to interact with servers, applications, and cloud services. These changes in working practices have resulted in cybersecurity teams revising their thinking to treat identity as the new perimeter.
Rather than worrying about just malware detection, security and business leaders looking to improve their chances of surviving a ransomware attack unscathed should establish strong identity-first and data security strategies.
This includes knowing where all the sensitive data resides, and monitoring user and machine access to that data in order to mitigate ransomware and other cunning cybersecurity attacks.
Mistake number two [is to think that limited] access will limit productivity. Influenced by past experiences, some security leaders fear any access limits, and believe least-privilege policies will get in the way of productivity. Or conversely, they may end up giving employees and entities too much access to applications and data.
Attackers love this, since most organisations tend to try to give as much access as possible, in an effort to provide employees everything they need to do their jobs. In case of a breach, this can lead to disastrous consequences. The focus must be on right-sized access. Reviewing this access should be done periodically to account for identity lifecycles, such as joiners, movers, and leavers.
Mistake number three [is to only] authenticate humans. We spend a lot of time and resources on authenticating humans, say with biometrics, and other passwordless techniques, but we cannot forget that devices and software, or machines, are our critical conduit into the digital world and need identities, too.
Many enterprises have an increasing number of machines – [such as] devices, software, cloud services, applications, bots, etc. – that require identities.
It is also critical to note that, according to a report from CyberArk, "machine identities now outweigh human identities by a factor of 45x on average." Therefore, identity-first security must encompass both human and machine identities. Just one tiny mistake, such as an unsecured cloud data repository, can mean potentially unseen levels of data exfiltration via ransomware, phishing and other cyberattacks.
Mistake number four [is thinking] zero trust is the end goal. Zero trust is a cybersecurity framework that essentially states entities like humans and machines – software, workloads, containers, devices, bots, etc. – shouldn’t be trusted simply by default.
Zero trust is centered around digital identity, strong authentication, and other threat detection elements – critically, trust is never implicit. This framework is often hailed as the best solution to the many authentication and access problems enterprises face in today’s hybrid work environments.
Using a zero trust security framework is critical. However, it’s just the first step to reaching the end goal of establishing and maintaining ‘digital trust,’ the cornerstone of securely conducting digital business today.
Put simply, establishing digital trust looks like this: Don’t assume that we should trust everything, take a zero trust approach, and then establish and maintain digital trust. This requires a solid identity-first security framework deeply rooted in cryptography.
Enterprises should implement public key infrastructure (PKI) solutions as part of their zero trust environments. Digital certificates powered by PKI are the proven approach to secure and authenticate human and machine identities and ultimately establish and maintain digital trust.
Mistake number five [is to not prioritise] certificate lifecycle management. The fact that digital certificates are inextricably woven into all aspects of digital life presents an increasingly large operational challenge to enterprises because they must be properly managed at scale. While certificates are often manually managed in spreadsheets, this can create a management problem. Without proper automation and management, costly service and business outages can and have occurred.
While some enterprises have been investing in certificate authorities and certificate lifecycle management solutions to overcome the issues they face with human and machine identity management, it's important that enterprises do their research and look for solutions that are open and interoperable with their growing tech stacks.
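The joiner/mover/leaver review and the ownerless machine identities described above can be checked automatically by reconciling the HR roster against an export of entitlements from the identity platform. The following Python script is an added illustration for this article, not code from Sectigo or any of the experts quoted; the roster, role baselines, entitlements and machine inventory are constructed sample data.

```python
"""Periodic access review: reconcile the HR roster with IAM entitlements.

Flags the identity-lifecycle gaps discussed above: leavers whose accounts are
still enabled, movers who kept access from a previous role, machine identities
nobody owns, and accounts that exist in IAM but nowhere else.
"""

# Constructed sample data (hypothetical, not from any real organisation).
# Minimum entitlements each role needs; anything beyond this is "excess".
ROLE_BASELINE = {
    "engineer": {"git", "ci", "staging-db"},
    "finance": {"erp", "payroll"},
    "support": {"ticketing", "crm-readonly"},
}

# HR system of record: identity -> (current role, employment status).
HR_ROSTER = {
    "alice": ("engineer", "active"),
    "bob": ("finance", "active"),    # mover: transferred from engineering
    "carol": ("support", "left"),    # leaver: offboarded in HR
}

# Export from the directory / IAM platform: identity -> granted entitlements.
IAM_EXPORT = {
    "alice": {"git", "ci", "staging-db"},
    "bob": {"erp", "payroll", "git", "staging-db"},  # old engineer access never revoked
    "carol": {"ticketing"},                          # account still enabled after leaving
    "svc-backup": {"prod-db", "object-store"},       # machine identity
    "dave": {"crm-readonly"},                        # in IAM only: no HR or machine record
}

# Machine identities and their accountable owner (None = nobody reviews it).
MACHINE_OWNERS = {"svc-backup": None}


def review_access(roster, iam, baseline, machine_owners):
    """Return a list of (identity, finding, sorted entitlements) tuples."""
    findings = []
    for ident, grants in iam.items():
        if ident in roster:
            role, status = roster[ident]
            if status != "active":
                # Leaver with a live account: everything still granted is a finding.
                findings.append((ident, "leaver-still-active", sorted(grants)))
                continue
            excess = grants - baseline.get(role, set())
            if excess:
                # Mover (or over-provisioned joiner): access beyond the role baseline.
                findings.append((ident, "excess-for-role", sorted(excess)))
        elif ident in machine_owners:
            if machine_owners[ident] is None:
                findings.append((ident, "machine-without-owner", sorted(grants)))
        else:
            # Present in IAM but unknown to both HR and the machine inventory.
            findings.append((ident, "orphan-account", sorted(grants)))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, IAM_EXPORT, ROLE_BASELINE, MACHINE_OWNERS)


if __name__ == "__main__":
    for ident, finding, grants in run_review():
        print(f"{finding:22} {ident:12} {', '.join(grants)}")
```

In practice the three inputs would be pulled from the HR system, the identity provider and the asset or secrets inventory on a schedule, with each finding routed to the owner who must either revoke the access or document why it stays.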
Yaroslav Rosomakho, field CTO at Netskope
Until recently cybersecurity was often seen as disconnected from the rest of IT operations, as well as from an enterprise’s core business activities. Security professionals were typically left to operate in their own organisational structures, defining and enforcing policies with little interaction with other departments. As such, stakeholders often form dangerous misconceptions about cybersecurity and its best practices.
Misconception number one [is to think that] security should be isolated. Recent cybersecurity incidents have proven that breaches can have a devastating impact on businesses, even impacting stock prices.
Lack of communication between core business objectives and security departments, means the latter is left ill-prepared for potential attacks, and unable to identify and protect key data and digital assets.
Security teams should be the first to learn about any significant changes to the business, such as merger and acquisition activities, investments and divestments, outsourcing and insourcing. Each new business transformation carries risk, risk that must be identified and mitigated before disaster strikes.
Misconception number two [is to believe that] security is all about mitigation. It’s often tempting to imagine security as a black box appliance with a red blinky light.
The appliance keeps “bad” things out while allowing “good” things in. However, it’s obvious to nearly every non-technical decision maker that cybersecurity cannot be distilled into a single inline appliance. That said, the same mitigation-centric security approach is being applied by many businesses.
Of course mitigation is important. Known malware must be fought off, and employees should always avoid sharing data through unapproved communication channels. However, a significant proportion of security incidents are caused by known traffic patterns, and therefore require a sophisticated approach, rather than just a signature or fingerprint.
This is where visibility and analytics come into play. Modern [machine learning]-driven security platforms enable SOCs to investigate suspicious behaviour, and take the necessary steps to prevent a potentially devastating impact on the business.
Misconception number three [is to think that] cloud services automatically solve security challenges.
While any modern SaaS, IaaS or PaaS delivers some form of security it would be naïve to assume that such an integrated service would resolve all potential challenges. Yet, time and time again organisations exempt their trusted cloud services from inline security control.
As a result, cloud storage services and infrastructure are by far the most popular method for malicious actors to deliver malware, phish and exploit employee trust.
Organisations need to ensure that their cloud presence is secured not only with integrated capabilities, but that it is also controlled and audited using posture management tools.
Ian Farquhar, Field CTO Global, Gigamon
There are three key things people get wrong about cybersecurity: managing the infrastructure they’re familiar with rather than what they actually own, failing to factor in the human element and forgetting defence in depth.
First, organisations are missing the point when it comes to zero trust. [Zero trust architecture] (ZTA) represents a huge change in the way we manage security infrastructure, and although people are starting to understand the reality of what zero trust means, they aren’t seeing this as a viable solution they can implement in their organisation.
In fact, the latest Gigamon report found that 22% fewer IT and security leaders in EMEA see zero trust as attainable compared to two years ago, and almost half (48%) in Australia believe it is unattainable.
The concern here is that [zero trust] has challenged us to do things differently and question our assumptions, but the opposite is happening; people are forgetting best practice and reverting to bad habits, using the same old solutions they have used for years. Logging, for example, is often cited when discussing the implementation of a [ZTA].
But the first thing an attacker will do upon entering a network is compromise logging. Crucially, [zero trust] requires us to take on board and question the trustability of everything, helping to counter the familiarity bias associated with legacy solutions that are no longer fit for purpose in the current threat landscape.
Second, people are forgetting the human factor. When security systems are built, the role of people is underestimated, if not entirely omitted, which is concerning considering many employees don’t see security as a part of their job.
This is something that needs addressing urgently given that 59% of global security decision makers agreed that the ransomware crisis has worsened in the last three months and 95% have experienced ransomware attacks in the last year.
Although user education is often implemented to tackle the human element of cybersecurity, if we rely on staff training as the primary security mechanism, humans will always fail. The good news here is that zero trust can help. The reason why it is such a powerful framework is because it involves constantly checking everything and always interrogating what controls are in place if another fails.
Third, defence in depth is fundamental. We know systems fail, and security mechanisms are no different, so the question is what catches failures when they do occur? Defence in depth is about having multiple controls in place, constantly evaluating risks, and being confident that when failure occurs, it does so securely. Deep observability – the addition of real-time network-level intelligence to amplify the power of metric, event, log and trace-based monitoring and observability tools to mitigate security risk, deliver a superior user experience, and ease operational complexity – is a precondition for [zero trust].
What’s great about deep observability is it’s the best way of looking at the trustability of any resource on the network, be it a system, application or device, and assessing its behaviour. In doing so, defence in depth can be achieved.
Laurie Mercer, security engineer at HackerOne
People often overestimate the abilities of automated cybersecurity tools and technology, while underestimating the ingenuity of bad actors. Cybercriminals are looking for easy opportunities to access vulnerable systems and many fail to realise that some of the most dangerous vulnerabilities are often missed by automated monitoring tools.
Worryingly, as found in our 2022 Attack Resistance Gap Report, only one-third of enterprises monitor less than 75% of their attack surface — and this leaves a door wide open to bad actors.
Despite awareness of attack surface gaps increasing, many remain complacent in their approach to cybersecurity. Many things contribute towards a company’s attack surface and some of these factors aren’t always visible. In order to have the best protection in our current cybersecurity climate, organisations need to also collaborate with security experts like ethical hackers. The hacking community can better stay ahead of new hacking techniques than automated tools and also better understand the mindset and motivations of bad actors.
Take Log4Shell for example. The Log4j vulnerability is one of the most severe flaws that has been found by security experts and once it was discovered, a global community of hackers worked around the clock to provide real-time data of who was vulnerable and where exactly these organisations were exposed.
In total, 227 of HackerOne customers were affected by the Log4j vulnerability, 415 bounties were set up and altogether the hackers were awarded a total of $1,312,387.
With this knowledge, affected organisations could remediate vulnerabilities quickly before being breached. Speedy identification and remediation is key when mitigating the impact of Log4Shell, and this example clearly demonstrates why organisations should work with hackers to ensure that their networks, and entire software supply chain, is protected from sophisticated threat actors.
Another misunderstanding that people have about cybersecurity is resources - many security teams fail to realise they already have the tools required for security training. Using current and previous vulnerabilities, organisations can learn from past security mistakes to reduce risk and augment internal security training.
GlobalData is the parent company of Verdict and its sister publications.