(1) Neglecting the Simple Basics of Security

This is arguably the most important and encompassing point on this entire list, and maybe in the entire realm of cybersecurity. Basic infrastructure is simple and very rarely, if ever, overlooked, but even more basic than that is plain general network configuration: simple login, lock-out, and password policies, local admin account management, user access controls, and even secure device configuration. Bringing cybersecurity back to the basics is often all that is needed for a strong and safe foundation, poised to expand with an organization. One of the most common current examples is AWS S3 bucket misconfigurations leaving sensitive data open to the internet with virtually no protection.
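As an added illustration of the S3 point (not code from the original article), the following Python checks a bucket policy document for the classic mistake: an Allow statement granted to the anonymous principal ("*") with no Condition. Both policies below are constructed samples; the bucket name, account ID and role name are placeholders, and the policy structure is the standard AWS IAM JSON format.

```python
import json

# Constructed sample: a bucket policy that exposes every object to the internet.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-reports/*"
    }
  ]
}
""")

# Constructed sample: the corrected policy, scoped to one IAM role, plus an
# explicit Deny for non-TLS requests (placeholder account ID and role name).
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-reports/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True if the Principal element grants to everyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if "*" in _as_list(value):
                return True
    return False


def find_public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant the anonymous principal
    access with no Condition narrowing it.  A Deny with Principal "*" is fine:
    it restricts access rather than granting it."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditioned anonymous grant deserves review, but is not wide open.
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("public policy findings:", find_public_statements(PUBLIC_POLICY))
    print("restricted policy findings:", find_public_statements(RESTRICTED_POLICY))
```

In practice this kind of check belongs in a pipeline that pulls each bucket's policy and public-access-block settings on a schedule, so a misconfiguration is caught before it becomes a breach rather than after.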
(2) Relying on Just a Firewall and Antivirus

Firewalls and antivirus software are simply not enough to prevent persistent and advanced threats. They are limited to the role of PROTECTION when it comes to cybersecurity. As the threat landscape shifts, DETECTION is becoming increasingly important. At the end of the day, you cannot combat what you can’t see, and if your protection fails to stop a malicious actor, you become a sitting duck. When you hear of a company that didn’t know about a breach for months, it is because they were not properly DETECTING threats. Sadly, by that time it is usually too late to mitigate the damage. It is well worth it for any organization to evaluate whether they need a SIEM. It is the logical next step for cybersecurity beyond the basic protection measures.
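To make the detection point concrete, here is an added example (not from the original article) of the kind of rule a SIEM runs continuously: it reads sshd-style authentication log lines and flags any source address that produces a burst of failed logins inside a sliding time window. The log lines are constructed samples with documentation-range IP addresses, and the threshold and window are arbitrary assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (ISO timestamps, sshd-style messages); not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-01T10:00:09Z host1 sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
2024-03-01T10:00:15Z host1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
2024-03-01T10:00:22Z host1 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
2024-03-01T10:00:30Z host1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
2024-03-01T10:00:41Z host1 sshd[2106]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
2024-03-01T10:05:12Z host1 sshd[2107]: Failed password for alice from 198.51.100.7 port 40023 ssh2
2024-03-01T10:40:00Z host1 sshd[2108]: Failed password for alice from 198.51.100.7 port 40024 ssh2
"""

# Matches only failed-password events; successes and unrelated lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(text):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("ip"), m.group("user")


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failure_count} for every source that reaches
    `threshold` failed logins within any sliding `window`.  Lines are assumed
    to arrive in time order, as they would from a log forwarder."""
    recent = defaultdict(deque)  # per-source timestamps inside the window
    alerts = {}
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} within 5 minutes")
```

The second source in the sample fails twice, 35 minutes apart, and is correctly not flagged; the first produces five failures in under 30 seconds and is. Without something consuming the logs this way, those five lines sit unread on the host and the firewall, which saw only well-formed TCP sessions, has nothing to report.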
(3) Assuming You Are Completely Safe

By now it is pretty obvious that no network is completely safe. If you truly believe you have an unhackable network, please read the first two paragraphs of Kevin Mitnick’s LinkedIn profile. Where there is a will there is always a way when it comes to breaking into a network. That is why you can’t rely on protection alone to keep you safe. Detection and response are also key.
(4) Not Reacting to Compliance and Audit Feedback

Compliance is becoming increasingly demanding and precise. Besides the fact that non-compliance risks fines and other regulatory repercussions, it is a tell-tale sign of a vulnerable organization. Cybersecurity is heavily governed by compliance requirements that are derived from frameworks. These frameworks are designed on the basis of copious research and experience combined with industry-specific needs. Compliance exists for an important reason, even though it never seems to be the most fun part of cybersecurity. In Verizon’s 2017 PCI DSS report, every single company that had experienced a breach was not in full compliance with PCI DSS requirements.
(5) Assuming You Are Not a Target

Thinking you have impenetrable cybersecurity is one thing, but thinking you won’t be targeted at all can be even MORE dangerous. Many organizations think they are too small to be a target, and this naive mindset leaves many stripped of their data, their credibility, and eventually their business. Depending on your size and budget there is certainly a limit to how robust your security can be. No matter the size of the company, best practices can still be implemented and will keep any organization in the best possible shape.
(6) Underestimating Required Security Expertise

People often fail to understand the necessity for specific cybersecurity expertise. The biggest misconception is the idea that IT folks fully understand security, when IT and security are two very different disciplines with some overlap. It is very possible that an IT professional is well-versed enough in cybersecurity to cover the basic needs of both, but often that is like putting a square peg in a round hole, or stretching that individual too thin. For proper and effective security you need dedicated, professional cybersecurity expertise. A lot of organizations are giving up on spending resources trying to hire someone and are working with an MSSP instead.