
8 Cybersecurity 'Bad Practices' You Need to Stop Today (2023)

July 15, 2022 | Bill Corbitt

Cybersecurity ‘bad practices’ can seriously hurt your business. They leave you exposed to hacks and data breaches, and can be extremely costly in the long run.

To keep your company safe from cyber threats, it's important to start breaking these cybersecurity bad practices today. Becoming aware of the mistakes you and your employees are making and taking steps to improve will pay dividends in terms of boosting security.

Here, we look at some of the most common missteps organizations make when it comes to cybersecurity, and provide tips on how to fix them.

1. Using Antiquated and Unpatched Systems

IT systems and software require updates for several reasons, including keeping pace with technological advances, making improvements, and patching security flaws. Of course, replacing hardware and updating software requires resources, and can often lead to downtime as well as training requirements. As a result, it’s common for businesses to hold off implementing updates.

This is a mistake in the long run, as outdated systems and software can lead to many risks, even if they appear to function sufficiently. Cybercriminals can leverage security vulnerabilities to launch attacks, gain access to sensitive information, cause business disruptions, and more. In addition, older systems are more liable to failure, leading to loss of or damage to data, or bugs that impact other network components.

The security team must stay abreast of updates and apply them promptly. Be sure to sign up for alerts from all software manufacturers and opt for automatic updates where appropriate. It’s also necessary to review your infrastructure periodically and replace any antiquated systems or hardware that could cause security risks.

2. Failing to Back Up Data

Another common mistake is failing to back up data properly. This can lead to serious problems if your system is attacked or subject to other technical issues. Maintaining backups limits the risk of data loss and can enable you to recover quickly after a cyber incident.

Backup requirements vary in terms of type, number, and frequency. For example, some data can be backed up weekly, whereas other information types require hourly backups. Each organization should assess its individual needs according to company policies and industry regulations.

There are multiple options for backing up data, with the most suitable mode again depending on the specific needs of the organization. While cloud backup systems are highly convenient and increasingly popular, local backups are necessary in some cases. Ideally, hard-drive or local server backups should be kept physically separate from the original data in case of theft or damage (for example, due to fire or flood).
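The per-dataset frequency and the separate-copy requirement described above are the kind of thing worth checking automatically rather than by hand. The script below is an added example, not code from the original post or from Intersec Worldwide: it takes a constructed backup manifest (dataset name, backup class, time of last successful run, whether an off-site copy exists, whether a restore has been tested) and reports every dataset that violates a hypothetical policy. The policy limits, the manifest entries and the "restore_tested" field are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Hypothetical policy: how old the newest successful backup of each data
# class may be. An hourly class backed up weekly is a policy violation.
MAX_AGE = {
    "hourly": timedelta(hours=1),
    "daily": timedelta(days=1),
    "weekly": timedelta(weeks=1),
}


def check_backups(manifest, now):
    """Return {dataset: [problems]} for every manifest entry that breaks policy.

    Three checks: the newest backup is within the class's maximum age, a copy
    exists off-site (separate from the original data), and a restore has been
    exercised at least once so the backup is known to be usable.
    """
    violations = {}
    for entry in manifest:
        problems = []
        age = now - entry["last_success"]
        limit = MAX_AGE[entry["class"]]
        if age > limit:
            problems.append(f"stale: last success {age} ago, limit {limit}")
        if not entry["offsite_copy"]:
            problems.append("no off-site copy")
        if not entry["restore_tested"]:
            problems.append("restore never tested")
        if problems:
            violations[entry["dataset"]] = problems
    return violations


# Constructed sample manifest (not real systems).
NOW = datetime(2022, 7, 15, 12, 0)
MANIFEST = [
    {"dataset": "orders-db", "class": "hourly",
     "last_success": NOW - timedelta(minutes=20),
     "offsite_copy": True, "restore_tested": True},
    {"dataset": "file-share", "class": "daily",
     "last_success": NOW - timedelta(hours=30),
     "offsite_copy": True, "restore_tested": False},
    {"dataset": "hr-archive", "class": "weekly",
     "last_success": NOW - timedelta(days=3),
     "offsite_copy": False, "restore_tested": True},
]

if __name__ == "__main__":
    for dataset, problems in check_backups(MANIFEST, NOW).items():
        print(dataset)
        for p in problems:
            print("  -", p)
```

Run on the constructed manifest, `orders-db` passes, `file-share` is flagged for being 30 hours old against a 24-hour limit and for never having been restore-tested, and `hr-archive` is flagged for lacking an off-site copy.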

3. Thinning Out Security Staff

Many businesses make the mistake of thinking they don't need a dedicated security team. When it’s time to make cuts, it’s common for organizations to look at perceived non-essential departments to pull from. But with today’s threat landscape, it’s more imperative than ever to bolster security with a robust team of experts.

Ultimately, a thinned-out security staff can lead to long-term issues, including unpatched systems and a lack of security awareness among employees. The result is an increase in the frequency and severity of cyber incidents, including those resulting from human error, misconfigurations, and malicious vulnerability exploits.

Deploying a solid IT security team does require investment but is rewarded in terms of preventing or minimizing losses from incidents, and protecting the company’s reputation. If you’re unable to carry out necessary cyber responsibilities in-house, you can consider outsourcing your cybersecurity. Employing an external cybersecurity team gives you access to highly trained and experienced professionals as and when needed. Whether you need a vCISO or other highly efficient cyber professionals, there are firms, like Intersec Worldwide, that can help.

4. Limiting IR Investigation Scope

When an organization experiences a data breach or cyberattack, it's important to investigate the incident fully. However, many businesses make the mistake of limiting the scope of their investigation. All too often, decisions are driven by insurance companies or attorneys instead of digital forensics and incident response teams. 

This means they don't collect all the evidence needed, making it difficult to find out exactly what transpired and how to prevent it from happening again. Lack of evidence limits remediation so incidents are never fully resolved and you're left vulnerable to future attacks.

This is where proper IR planning comes into play. Investigations should cover all core aspects including preparation, detection and analysis, and containment and recovery.

5. Limited Root Cause Analysis

The National Institute of Standards and Technology (NIST) defines root cause analysis as, “A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.”

Limited root cause analysis can lead to vulnerabilities and risk exposure. It can start with the failure to identify indicators of compromise, incomplete malware analysis, and focusing too heavily on malware, explained in more detail below.

Failure to Identify IOCs

Indicators of compromise (IOCs) provide forensic evidence of potential system or network intrusion attempts or other malicious activities. IOCs might include unusual inbound or outbound traffic, activity from odd geographic regions, unexplained privileged user activity, or suspicious configuration changes, among other anomalies. These indicators can be used to analyze the techniques and behaviors of a particular malware.

It can be resource-intensive to fully investigate all IOCs, which is why some organizations miss this crucial step. However, it's essential to look at the bigger picture. IOCs provide intel that improves the organization’s ability to respond to and remediate future attacks. 

Security personnel should place extra emphasis on leveraging the vast number of tools available to help identify all IOCs. Once identified, these indicators should be included in ongoing monitoring so potential attacks can be thwarted as early as possible.
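To make the "include IOCs in ongoing monitoring" advice concrete, here is an added example (not code from the original post or from Intersec Worldwide) that runs the four indicator types named above over a handful of constructed log lines: a known-bad source address, a known-bad domain, activity from a region outside the expected set, privileged-account activity outside business hours, and changes to watched configuration files. The log format, the watchlist values (which use reserved documentation addresses and the `.example` TLD) and the business-hours window are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed watchlist. 203.0.113.0/24 is a reserved documentation range and
# .example is a reserved TLD, so none of these are real indicators.
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.example"}
EXPECTED_COUNTRIES = {"US", "CA"}
PRIVILEGED_USERS = {"root", "svc-backup"}
WATCHED_CONFIG = {"/etc/sudoers", "/etc/ssh/sshd_config"}
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time

# Constructed log format:
#   <iso-timestamp> user=<u> src=<ip> geo=<CC> action=<verb> target=<t>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def match_iocs(rec):
    """List every indicator type a single parsed record trips."""
    hits = []
    if rec["src"] in IOC_IPS:
        hits.append("known-bad-ip")
    if rec["target"] in IOC_DOMAINS:
        hits.append("known-bad-domain")
    if rec["geo"] not in EXPECTED_COUNTRIES:
        hits.append("unexpected-geo")
    if rec["user"] in PRIVILEGED_USERS and rec["ts"].hour not in BUSINESS_HOURS:
        hits.append("off-hours-privileged")
    if rec["action"] == "modify" and rec["target"] in WATCHED_CONFIG:
        hits.append("config-change")
    return hits


def scan(lines):
    """Return (timestamp, user, hits) for every line that trips at least one IOC."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not silently matched
        hits = match_iocs(rec)
        if hits:
            findings.append((rec["ts"].isoformat(), rec["user"], hits))
    return findings


def summarize(findings):
    """Count how often each indicator type fired, for the bigger-picture view."""
    return Counter(hit for _, _, hits in findings for hit in hits)


# Constructed sample log lines.
SAMPLE_LOGS = [
    "2022-07-14T09:15:00 user=alice src=10.0.0.5 geo=US action=login target=vpn",
    "2022-07-14T02:40:00 user=root src=203.0.113.45 geo=RO action=login target=bastion",
    "2022-07-14T02:41:30 user=root src=203.0.113.45 geo=RO action=modify target=/etc/sudoers",
    "2022-07-14T11:00:00 user=bob src=10.0.0.9 geo=US action=dns target=update-check.example",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for ts, user, hits in results:
        print(ts, user, ", ".join(hits))
    print(dict(summarize(results)))
```

The second and third sample lines show why correlating indicators matters: each line alone is a login or a file edit, but together they are a privileged login from a watchlisted address, out of region, at 02:40, followed a minute later by a change to `/etc/sudoers`.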

Performing Incomplete Malware Analysis

Another common mistake is failing to analyze malware properly. Simply categorizing malware is not enough, and you need to fully understand the malicious software to ensure it is completely removed. Again, having comprehensive knowledge helps to protect against future attacks adequately.

Thorough malware analysis involves investigating the purpose and behavior of the file or URL in question. This process aids incident responders in determining the severity and scope of the incident, including which IOCs to look for. It also helps improve alert systems for future threats.

Malware analysis can take several different forms:

  • Dynamic analysis uses a safe environment (a sandbox) to execute the suspicious code so that the malware can be viewed in action.
  • Static analysis doesn’t require running the suspicious file and instead examines indicators such as the file name, strings (e.g. IP addresses), hashes, and domains.

Both methods have advantages and disadvantages, so it’s common to use a hybrid analysis approach that combines the two techniques.
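The static-analysis indicators listed above (file name, hashes, embedded strings, IP addresses and domains) can be pulled from a file without ever executing it. The following is an added example, not code from the original post or from Intersec Worldwide: it hashes a constructed byte blob that stands in for a suspicious file, extracts its printable strings, and then picks out IPv4 addresses and domain-looking strings from those. The sample bytes, the minimum string length and the small list of file extensions that are filtered out of domain candidates are assumptions made for the example.

```python
import hashlib
import ipaddress
import re

IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_CANDIDATE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Windows paths such as C:\Temp\drop.exe would otherwise look like domains;
# this constructed list filters the most common false positives.
NOT_TLDS = {"exe", "dll", "sys", "dat", "tmp", "log"}


def file_hashes(data):
    """MD5/SHA-1/SHA-256 digests, the usual values shared in threat intel feeds."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_network_indicators(strings):
    """Pick valid IPv4 addresses and domain-like names out of extracted strings."""
    ips, domains = set(), set()
    for s in strings:
        for cand in IPV4_CANDIDATE.findall(s):
            try:
                ipaddress.IPv4Address(cand)  # rejects octets above 255
            except ValueError:
                continue
            ips.add(cand)
        for cand in DOMAIN_CANDIDATE.findall(s):
            if cand.rsplit(".", 1)[-1].lower() not in NOT_TLDS:
                domains.add(cand.lower())
    return sorted(ips), sorted(domains)


def static_report(name, data):
    """Assemble the static indicators an analyst would record for a sample."""
    strings = extract_strings(data)
    ips, domains = extract_network_indicators(strings)
    return {
        "name": name,
        "size": len(data),
        "hashes": file_hashes(data),
        "strings": strings,
        "ips": ips,
        "domains": domains,
    }


# Constructed stand-in for a suspicious binary: a DOS-header magic, padding,
# and a few embedded strings. 198.51.100.0/24 is a reserved documentation range.
SAMPLE_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 16
    + b"connect 198.51.100.23:4444\x00"
    + b"http://beacon.example/cfg\x00"
    + b"C:\\Temp\\drop.exe\x00"
    + b"\x7f\x01\x02"
    + b"ab\x00"  # too short to count as a string
)

if __name__ == "__main__":
    report = static_report("sample.bin", SAMPLE_FILE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding the resulting addresses, domains and hashes into the monitoring described under "Failure to Identify IOCs" is what turns a one-off analysis into ongoing detection; the hashes also let you check whether the same sample has been seen before without re-running the analysis.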

Focusing Too Heavily on Malware

While malware analysis is necessary, it's important to remember that the presence of malicious software is usually a symptom of a larger problem. Many organizations place too much emphasis on determining what malware is causing an issue instead of striving to uncover the root cause.

Malware typically enters systems at the hands of a bad actor, for example, by exploiting system vulnerabilities or duping an employee into executing malicious code.

Finding the root cause can help you decide on the correct course of action to help prevent similar incidents in the future. For example, the fix could be as simple as installing software updates or implementing an employee training program on avoiding phishing scams.

6. Lacking Enterprise Architectural Awareness

Many organizations fail to place enough emphasis on having full visibility of their networks. For example, packet loss (where transmitted data packets fail to reach their intended destination) can be an indicator of a security breach, software bug, or problem with network hardware. However, if a company isn’t monitoring packet loss properly, these issues could easily be missed.

Another visibility issue occurs when logs are not maintained properly. This can make it difficult to investigate and determine the extent and root cause of incidents.

Comprehensive network monitoring should be a priority for all organizations. This can ensure problems are spotted as early as possible and can be remediated appropriately.

7. Removing Antivirus or Endpoint Protection

It's essential to have at least a robust antivirus solution and endpoint protection platform (EPP) in place. These tools play critical roles in protecting against cyber attacks and other information security incidents.

But many businesses make the mistake of removing their AV or EPP because of their operational impact, for example, slowing down systems or making certain sites or applications inaccessible. We see these indispensable tools being disabled or removed, or sometimes not even installed in the first place. This can have serious consequences, as it leaves you vulnerable to attack.

Make sure to understand the risks before making any decisions about your AV or EPP. There are often changes that can be made to the software settings, for example, whitelisting certain websites and tools, to alleviate operational concerns and avoid disruptions. 

Your best course of action is to maintain AV continuity. Make sure the threat data and endpoint agents are continually updated. In addition, always ensure the endpoints are connected and communicating, and make sure there is no disruption of the endpoint agent activity.
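A simple way to act on the continuity advice above is to audit agent check-in data against the asset inventory. The script below is an added example, not code from the original post or from Intersec Worldwide: over a constructed set of endpoint check-in records it flags agents that have gone quiet, agents with real-time protection switched off, agents running stale signatures, and inventoried hosts that have never reported an agent at all (the "not even installed in the first place" case). The record layout, the 30-minute silence threshold and the date-style signature version string are assumptions made for the example.

```python
from datetime import datetime, timedelta


def audit_endpoints(checkins, inventory, now,
                    max_silence=timedelta(minutes=30),
                    current_sigs="2022.07.14.1"):
    """Return {host: [issues]} for every endpoint whose protection is not intact.

    Signature versions are assumed to be zero-padded date strings, so a plain
    string comparison orders them correctly.
    """
    issues = {}
    reported = set()
    for c in checkins:
        reported.add(c["host"])
        problems = []
        silence = now - c["last_seen"]
        if silence > max_silence:
            minutes = int(silence.total_seconds() // 60)
            problems.append(f"no check-in for {minutes} min")
        if not c["protection_enabled"]:
            problems.append("real-time protection disabled")
        if c["signature_version"] < current_sigs:
            problems.append(f"signatures {c['signature_version']} behind {current_sigs}")
        if problems:
            issues[c["host"]] = problems
    # Hosts the asset inventory knows about but the agent console has never seen.
    for host in sorted(inventory - reported):
        issues[host] = ["agent never reported"]
    return issues


# Constructed sample data (hypothetical hosts).
NOW = datetime(2022, 7, 15, 9, 0)
INVENTORY = {"ws-101", "ws-102", "srv-db1", "srv-web2"}
CHECKINS = [
    {"host": "ws-101", "last_seen": NOW - timedelta(minutes=5),
     "protection_enabled": True, "signature_version": "2022.07.14.1"},
    {"host": "ws-102", "last_seen": NOW - timedelta(hours=3),
     "protection_enabled": True, "signature_version": "2022.07.14.1"},
    {"host": "srv-db1", "last_seen": NOW - timedelta(minutes=2),
     "protection_enabled": False, "signature_version": "2022.07.01.3"},
]

if __name__ == "__main__":
    for host, problems in audit_endpoints(CHECKINS, INVENTORY, NOW).items():
        print(host)
        for p in problems:
            print("  -", p)
```

On the sample data, `ws-101` is healthy, `ws-102` has been silent for three hours, `srv-db1` is checking in but with protection disabled and two-week-old signatures, and `srv-web2` exists in inventory but has no agent. Each of those is a gap an attacker would not need to create, only to find, which is why the audit belongs on a schedule rather than in a post-incident review.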

8. Lacking Holistic Incident Response Planning

Incident response (IR) planning is a critical component of a mature cybersecurity program and one that can protect your organization from financial, organizational and reputational harm. Having a holistic IR plan and a defined incident response team (IRT) is crucial to success. Moreover, a successful incident response plan also includes:

  • Clearly defined policies and procedures
  • Incident response plan implementation training 
  • Employee education on cybersecurity best practices
  • Identifying the proper skill sets of your team and tasking those individuals with roles on the IRT
  • Understanding required notifications (both internal and external)
  • Crisis management
  • Knowing when and how to involve experienced legal counsel
  • Understanding the details of cyber liability insurance coverage, which includes:
    • Working with your risk manager to determine the application of any cyber risk liability products
    • Knowing that limiting IR response to the insurance policy may leave you with added costs in the aftermath of a security incident
  • Executive sponsorship to ensure funding

Bad Habit Key Takeaways

Cybersecurity is far from simple. But that doesn’t mean you should let bad habits get in the way. The fact that cybercrime is only going to become more sophisticated and widespread in the coming years means you need to be even more diligent in safeguarding your data.

Now is the time to identify your weak spots so you can make the necessary improvements before it’s too late. If you can weed out these behaviors, you’ll quickly be on your way to a more secure, resilient organization.

Want to find out more about any of the points we’ve discussed? Interested in a penetration test to highlight system vulnerabilities? Contact us today to speak to one of our dedicated experts.