The Most Overlooked Elements of Preventing Cyberattacks Businesses Should be Aware of
To help defenders close the gaps, we asked more than 30 experts what the most overlooked element of preventing cyberattacks is.
34 Cybersecurity Professionals & Business Leaders Reveal the Most Overlooked Elements of Preventing Cyberattacks that Businesses Should be Aware of
Businesses generate, collect, and store more data today than ever before. However, with the proliferation of cloud computing and the growing number of applications and devices businesses use, it’s also increasingly challenging to manage and secure that data — and cybercriminals are taking advantage, carrying out an unprecedented number of cyberattacks against businesses of all sizes. That’s why it’s crucial for businesses to be aware of commonly overlooked elements that can help prevent cyberattacks, such as:
- Leveraging a data loss prevention solution
- Providing robust employee cybersecurity awareness training
- Developing policies and processes for handling sensitive data
- Utilizing a Security Operations Center (SOC)
- Investing in continuous cyber learning for cybersecurity professionals
- Cultivating a cybersecurity culture
- Requiring strong passwords that are changed often
- Carefully vetting third-party software
- …and more
To gain some insight into these often-overlooked elements that can help your business prevent cyberattacks and what methods you should employ to close the gaps, we reached out to a panel of cybersecurity experts and business leaders and asked them to answer this question:
“What's the most overlooked element of preventing cyberattacks that businesses should be aware of?”
Meet Our Panel of Cybersecurity Pros & Business Leaders:
Keep reading to learn what our panel had to say about the key strategies you might be overlooking to prevent cyberattacks.
Gary Orenstein is the Chief Customer Officer at Bitwarden and a password security expert.
“One of the top causes of cyber breaches in the workplace is…”
Online scams have become increasingly sophisticated, making it hard for those with an untrained eye to spot phishing emails or simply know when to question information requests from what may appear as colleagues or credible contacts.
So knowing that, one of the most overlooked (and most basic) elements of preventing a business cyberattack is strong, unique passwords. Recent research shows employees are still choosing weak passwords, putting their organizations at risk by bypassing more secure passwords for convenience.
Employees making good password choices can make all the difference in protecting an organization from cyber breaches. But that’s easier said than done, as employees are tasked with remembering numerous passwords for all the accounts they have access to, so it's little surprise that weak passwords are being chosen.
To ward off cyber breaches, passwords must be secure, complex, and unique for every account or app employees can access. Businesses can help facilitate that by offering password management as an option for employees, so they don’t have to take that responsibility solely.
Ben Michael is the VP of Operations at Michael & Associates.
“Businesses often overlook the importance of the simplest, most basic security measure when it comes to cybersecurity…”
Many businesses will implement efforts like automated cybersecurity and other steps to strengthen their data protection, but then they’ll have the same short, easy-to-guess password across all of their accounts.
Getting past a password is one of the easiest ways a hacker can break into an account, which is why strong passwords are so crucial. Businesses should really be changing all of their passwords monthly (or quarterly at the latest), and those passwords should be long, complicated, and never repeated across more than one account.
To make all of this easier and more manageable, they should get a secure password manager, such as 1Password, and use multi-step authentication.
As vice president of customer success for Cosant Cyber Security. Mark leads Cosant in helping clients plan and implement cybersecurity plans to protect their stakeholders. Mark has a unique combination of technical and business experience, including BSEE and MBA degrees, and as a Certified Information Systems Security Professional (CISSP).
“This element is remarkably simple. Businesses, particularly small and medium businesses, overlook…”
Creating policies and processes to address cybersecurity. An effective cybersecurity program combines people, process, and technology. Most businesses give short attention to the first two and focus predominantly on technology, such as firewalls, multi-factor authentication, and encryption.
However, most successful cyber breaches originate from people making mistakes. These are based on phishing, social engineering, and credential compromise, and result in business email compromise (fraud) or ransomware. The most effective prevention for these is establishing and implementing effective policies (clearly defined expectations and rules) and procedures.
While technology is necessary, without management support and training, employees make mistakes and businesses get compromised.
An experienced IT professional, Andy Larkum specializes in making the implementation ISO 27001-compliant Information Security Management Systems (ISMS) relatively painless and strangely enjoyable! He also conducts ISO 27001 audits on behalf of several certification bodies.
“The purist answer is that you can't prevent cyberattacks, you can just reduce the chance of them being successful…”
But that's a rather obnoxious answer! So the better answer is training. Pound for pound, getting the right kind of training is almost certainly the smartest investment your business can make to protect you from cyberattacks.
There's a lot of debate in the infosec arena as to whether your employees are your first or last line of defense. The truth is that they're both:
- If a threat has reached your employee, then all of your technical controls to that point have failed, and your employee is now the last line of defense.
- If an employee clicks on a bad link or attachment, your first line of defense has failed, and you're now depending on all the other technical controls to protect you.
In the infosec industry, for years we've been guilty of a ‘how then why’ approach. We should instead take a ‘why then how’ approach. Nobody cares about security until they understand why it's important. So, find training that explains why before they try to explain how.
Furthermore, nobody cares about security at work — they're much more interested when you explain to them that the same things we're talking about apply to them at home — protecting their families and loved ones too! So, find training that teaches people about personal security rather than just security at work — it's better for them and you!
Either way, a well-educated workforce will provide much-needed protection from inevitable cyberattacks.
Dave is a Cybersecurity Consultant at Intrust IT. He has 30 years' experience in IT as a software engineer and cybersecurity consultant.
“A layered approach to security is key so that…”
If bad actors breach one defense, they are blocked by the next.
I'd say a 50%/50% split between enforcing multi-factor authentication (MFA) on all accounts where possible and ongoing cybersecurity awareness training with a focus on phishing, spoofing, and business email compromise (BEC).
Bob Herman is the Co-Founder and President of IT Tropolis. He is an engineer with over thirty years of professional working experience. His areas of expertise include managed IT services, data protection, cybersecurity, cloud computing, technology implementations, project management, IT operations, business continuity, network topology, and virtualization technologies.
“The most overlooked element of preventing cyberattacks that businesses should be aware of is…”
Having a 24/7 Security Operations Center (SOC) with eyes on glass.
SOCs ingest logs in real-time from your computers, servers, network devices, firewalls/security appliances, anti-malware programs, and cloud environments, then jump into action when an incident occurs.
Eyes on glass means security analysts are actively reviewing the logs and responding to alerts as soon as they are detected, which could entail taking a compromised machine offline, killing bad processes, and/or disabling a rogue user account that covertly obtained elevated privileges, to name a few. Having a 24/7 SOC in today's environment of unprecedented cyberattacks is imperative.
Karl Viertel is the GRC Managing Director at Mitratech.
“There are two often overlooked elements of preventing cyberattacks that businesses should be aware of…”
Leveraging cloud services does not necessarily increase or lower your cyber risk exposure. It changes it, and it's often overlooked. You are trading physical security risks, availability risks, and patching challenges for risks in privileged access governance, configuration management, and provider lock-in. Each migration must include a cyber risk assessment.
We are experiencing a significant concentration of digital infrastructure. Often this is hidden beneath a layer of service providers. Peeling back layers of the digital supply chain may reveal that even your alternative or redundant providers rely on the same infrastructure and data centers. While many accept certain cluster risks in the foundational infrastructure by relying on Azure or AWS infrastructure heavily, this decision needs to be made with full transparency and awareness of risk.
Andreas Grant is the founder of Networks Hardware. Working as a Network Security Engineer by day and a Network Blogger by night, he founded Networks Hardware with a vision to make it easier for people to pick the right internet hardware for their homes. He has also experienced working in various cybersecurity roles for many years and loves technology.
“The most overlooked element of preventing cyberattacks that businesses should be aware of is…”
Employee cyber hygiene.
Whether we work in the tech industry or not, almost everyone carries a smart device. This means we all have our own ways of keeping our sensitive data secure, which is called cyber hygiene.
Unfortunately, employees don’t care enough when setting up their passwords. The same carelessness is visible when it comes to enabling the 2FA system. While it is true that most insider attacks are accidental, they can be easily prevented if only everyone cared enough about their cybersecurity hygiene.
Most employees stick to using the same password for everything or go for the easiest password possible. Even if they don’t fall for phishing attempts, their poor security practice makes them an easy target. This aspect of cybersecurity often gets ignored.
Over the years, I have come across way too many employees who don’t feel like changing their passwords in two-three years. While that was acceptable a while back, things are not the same in the era of remote work.
One of the most common, non-phishing sectors which gets attacked is remote desktop protocol. We either keep running the software in the background or keep using the same credentials over and over. Even I am not immune to this issue, as remote desktop protocol tool is not used often. This makes the job super easy and barely an inconvenience for the attackers.
Steve Tcherchian is the CISO and Chief Product Officer at XYPRO, a leading cybersecurity solutions company. He is on the ISSA CISO Advisory Board, the NonStop Under 40 executive board and is part of the ANSI X9 Security Standards Committee.
“When it comes to cybersecurity…”
Employees are your weakest link.
Interestingly enough, they are also the front line and the last line of defense. The human element has always been our weakest point. We all know that, but we continue to spend and implement tools to address technical gaps and challenges while humans continue to do what they do, and their importance is often overlooked.
We've seen exponential increases in phishing attacks and other email scams targeting employees. Criminals love panic and chaos, and they'll use every opportunity to exploit the situation. As we adapt and try to be productive in a post-pandemic world, complacency sets in, and security can sometimes be the last thing on our minds. Criminals know that. Criminals love that. The bad guys are preying on security ignorance as much as they are exploiting your fear.
We're going to see more sophisticated attacks on the new mobile workers. They will not be the traditional attacks targeted at data theft but rather more ransomware, disruption, and financial attacks.
Since everyone is at home now, we lose the air cover provided by our IT departments when we were all working in the office. Now is the time to put everything we've learned, during our repeated security awareness sessions, into practice. Focus on the people, the most overlooked element.
Chase has been featured in Real Clear Politics, Homeland Security Today, Fox and Hounds, and more. As CEO and Founder of eSure.Ai, antivirus protection service using XDR technology, and CEO of Transmosis, cyber security is what he does all day, every day.
“To prevent cyberattacks, there are a few things businesses should know…”
With workers moving into the Small Office and Home Office, criminals have been targeting them more often. Many SOHOs use antivirus software thinking they're safe. But most experts now agree this is no longer satisfactory because antivirus only detects a virus after it has been stored on your computer. That's too late when trying to stop these modern, insidious attacks.
60% in 6 Months
Worse, the biggest problem becomes the liability business owners face after a cyberattack. Barely over 1/4 of businesses carry cyber liability insurance. But they should. Why? Research shows that 60% of businesses that experience a cyber attack are forced to close their doors within six months.
Cyber Liability Insurance Is a Must Have
Making sure that your business is safe from cyberattacks is not enough, though it is a good start. Skip antivirus and choose a company that uses Extended Discovery and Response technology that stops attacks at the source, long before a virus can be uploaded. Then integrate cybersecurity with liability coverage. Conveniently, some companies use one solution for this. However the business handles it, do make sure to purchase and maintain the company's cyber liability insurance.
Ben Taylor has been an IT consultant since 2004. He’s the founder of HomeWorkingClub.com, a global portal for freelancers and remote workers.
“When it comes to preventing cyberattacks, I’m like a broken record with my clients…”
User education is THE most crucial thing. It's impossible to prevent ALL security breaches by throwing money at the problem.
While every layer of software and hardware protection can contribute to reduced risk, NO technical solution mitigates a member of the finance team being tricked into making a big financial transfer or revealing a password.
Those cyber awareness courses matter, and their importance in the company culture has to come from the top.
Josh is the founder of Breachsense.io, a data breach monitoring platform. They’ve indexed over 25 billion leaked credentials and thus have unique insights into how hackers are actually getting into networks today.
“One of the most overlooked elements in preventing cyberattacks is…”
Leaked or stolen passwords.
The reason this is such a problem is that attackers don't need to exploit some Zero-day vulnerability or bypass their target's firewalls, IDSes, and WAFs. By using breached credentials they simply go through the front door. In many cases, they use leaked session tokens to bypass two-factor authentication as well. Once the initial access is gained, they pivot from there and attempt to escalate privileges. At that point, the sky's the limit.
In terms of protecting against this, companies need visibility into not only their employees' leaked credentials but also their third-party suppliers' and customers' credentials (meaning any leaked credentials used to authenticate a user’s identity when accessing company resources).
Coralee Bechteler is a tech specialist and business writer, holding multiple degrees in the arts and sciences and a spread of experience. She is the Business and Tech Specialist at Step by Step Business.
“We keep seeing these declarations that we’re in the midst of both a cybersecurity talent crisis and a cybersecurity skills gap…”
Still, employers hold the opportunity to significantly improve the situation if they can accept the realities involved with the prevention of cyberattacks.
It’s essential for cyber professionals to participate in continuous cyber learning so they can acquire, maintain, and refine the skills necessary to protect the businesses they work for.
Cybersecurity skills can become outdated in as little as three months. It’s common for employers to overlook or misunderstand how critical continuous cyberlearning is for their business. The industry as a whole needs to come together to identify and establish related foundational standards and support for cyber professionals.
Wojciech Syrkiewicz-Trepiak, CISSP, OSCP, is a Security Engineer at Spacelift.io, an Infrastructure as Code solution for DevOps engineers.
“One of the most overlooked elements of preventing cyberattacks is…”
Businesses' lack of cybersecurity culture.
Employees are the most common cause of data breaches as many don't recognize external threats when they occur or have a good understanding of the daily actions that leave a company vulnerable to a cyberattack.
Effective cybersecurity culture is vital for businesses amidst the growth of digital transformation initiatives, cloud computing, and remote work opportunities. The need for a well-thought-out cybersecurity culture has never been more in demand.
Cybersecurity culture in the workplace combines the employee's understanding of its importance and risks while being motivated to constantly put their two cents in to improve it. It lets employees know how to respond or report such risks and creates a strong line of defense against cyberattacks or data breaches.
Security awareness training is necessary for every company, as most security issues stem from employee mistakes. It's a simple and cost-effective way to introduce cybersecurity principles, such as recognizing and avoiding threats and the significance of eliminating passwords. Such training enables employees to feel confident using company technology while promoting cybersecurity preparedness.
Snehal is a Content Strategist at Straits Research.
“Companies in the cybersecurity market are adopting technologies, such as…”
Internet of things (IoT), machine learning, and big data in their security business units. Most of the companies operating in this market are shifting from a ‘signature-based’ malware detection system to an IoT-enabled, machine learning ‘signature-less’ system. This shift will help them understand ambiguous activities and events and further, help detect and identify uncertain threats.
This data monitoring can only be fulfilled by cloud technology in a secure and reliable environment at a low cost. Key players, such as IBM Corporation and Cisco Systems, focus on integrating cloud computing with cybersecurity solutions. These cloud computing services are backed up by Analytics as a Service (AaaS) offerings, allowing users to detect and mitigate uncertain threats quickly.
Isla is an entrepreneur and a Cybersecurity Specialist with a background in ethical hacking at PrivacyAustralia.net.
“The most overlooked fact that organizations fail to implement when trying to divert a cybersecurity attack is…”
Training your staff.
A prime method through which attackers gain access to your data is through the employees.
Cybercriminals have an understanding of how to approach your team to manipulate them into divulging sensitive information. They will send fraudulent emails impersonating someone from the business. They might either ask for personal details or access to particular files.
These connections may seem legitimate, and links may seem authentic to an untrained eye. Such circumstances make people more susceptible to falling into a trap. This is the core reason why it is significant for employees to be aware.
Businesses need to train their team members to detect all forms of data breaches, understand the current threat landscape, and best practices to prevent cyberattacks.
Employees should be required to check links before clicking on them to avoid granting access to the wrong people. Employees also need to be aware of how to filter email addresses, and they should be able to detect an abnormality from the current state of communication, as odd requests may be from an attacker trying to access sensitive data.
Ouriel Lemmel is an IT Expert & CEO of WinIt.
“One of the most overlooked elements in preventing cyberattacks is…”
No matter how safe your data is and how good your cybersecurity protocols are, it's always necessary to train all online staff to perform well. They should be well aware of the basics such as maintaining a strong password at all times and sharing sensitive data through secure protocols.
They should also be aware of how to identify cyberattacks and what to do in case an attack happens. Apart from understanding how to respond, they should know how to properly report and manage a cyberattack.
Lucas Budman, CTO of TruU, was formerly CTO of the Advanced Solutions Group at CenturyLink, which acquired his previous company Cognilytics, a machine learning platform company focused on financial risk and cybersecurity. Prior, Lucas was a founding member and CTO of MyCollege Foundation, a Bill and Melinda Gates-funded non-profit.
“Businesses are stuck in the 2000s when it comes to…”
Requiring individuals to reset their passwords or second-factor devices and verifying that they have done so.
The easiest way to hack a company is to call the helpdesk — no need for fancy malware. The future is strong self-service identity verification processes and passwordless access.
Camila Serrano is the Chief Security Officer of MediaPeanut.
“The most overlooked element of cybersecurity in the workplace is…”
Communication channels. While many small businesses and large companies tend to have security measures in place for their data storage and access facilities, a seemingly lacking and often neglected channel that allows the entry of cybercriminals is collaboration tools and communication software.
For example, I think there are potential and already serious implications for security in using Slack and Microsoft Teams. Slack and Teams are both communication channels where employees can freely interact and collaborate on their ideas. However, in the course of these discussions, it also means that sometimes private and sensitive company data are also exchanged through these various channels. I would not recommend sharing passwords or phone numbers and personal addresses or other private data that might be used by other people within the company who have access to the firm’s Slack and Teams exchanges.
Using these platforms also opens chances of sensitive data leakage because users have been too relaxed in using them for daily communication and collaboration. Even internal discussions involving supervisors or administrators should not be exchanged on these platforms because these administrators and supervisors or company owners have access to internal communications and channels for paid subscribers of, say, Slack or Teams. If they find stray comments or discussions on these channels, it could open internal conflicts within the organization.
While both Slack and Teams offer two-factor authentication and SAML SSO, there have been instances where Slack, for example, has been breached with thousands of email addresses and other personal account data being leaked. And even if the passwords have remained safe according to their developers, users were also advised of important security steps such as changing passwords to keep their accounts safe.
As both platforms have SAML SSO, authentication is a centralized and fully visible process, with simple directory integration making for easier workflows. It has long been a standard for user login as it removes user errors like weak or forgotten passwords and improves user experience by not requiring credentials for multiple applications.
Other security concerns that I have seen in these collaboration and communication applications include giving access to external users like clients and allowing access to third-party app integrations.
For companies using these two popular communication and collaboration platforms, I always advise coming up with regular compliance and security audits, maybe every month or every quarter, just to ensure that all employees are also doing the best they can to prevent data leakage and ensure that all communications in the channels are not targeted for data theft.
Marco Ayala is the Global Director, ICS Cybersecurity and Sector Lead at 1898 & Co.
“Some of the things that are most missed, or currently missed, in operational technology and industrial control systems is…”
The third-party support access, whether that’s the original equipment manufacturer that has access or a support integrator that has access. These are trusted vendors that have allowed access in; however, there is a level of unverified trust within these networks and deployment of technology that could have risk, consequence, or impact.
Some of the things that we find out in the field are these connections, but more so, the amount of capability and ability to make modifications, changes, and how the system has been deployed. This is considered unverified trust that is often missed or is vaguely captured but is missed when assessing and considering impacts that could lead to high-consequence events.
It is very important that people perform a risk assessment or a standards best practice assessment such as the ISA IEC 62443 or CCE methodology. The big piece is capturing these third-party access points because we often find that the systems are end-of-life and have managed pieces but also unmanaged pieces in the architecture.
With over 25 years of diverse security experience, cybersecurity and U.S. military intelligence veteran, Mark Willis, Chief Security Officer at Bluescape, understands just how important it is to protect a company's cyber infrastructure which is why he has helped ensure Bluescape has the highest security standards.
“Companies, especially during the pandemic, hurried to adopt software that may not have been fully vetted…”
Much like you would a new employee, business leaders should carefully screen any software before adopting it company-wide. A few key questions to ask are:
- Will your personal data be disclosed to any third parties? Privacy remains a growing concern for today's consumers — and today's businesses must act accordingly. In fact, according to a recent study by KPMG, 86% of Americans feel a growing concern about data privacy, while 78% expressed fears about the amount of data being collected. When handling and storing company and customer data, there must be an air-tight process for those who have access to it. Knowing your SaaS partners have a security safety net that will prevent breaches and vulnerabilities in the event of internal error can make or break your long-term business success.
- Where is your data being stored? As the U.S. continues to face escalating tensions with diplomatic rivals such as China and Russia, security solutions must be tailored to the countries in which data centers are located. Unfortunately, not every SaaS company is forthcoming with its data center locations, so it's critical you cover your bases in the exploratory process.
- Has a software provider experienced any complaints, regulatory inquiries, consent decrees, or litigation regarding privacy or data security? Security literacy is now a critical component of business as companies pay closer attention to their software and work to understand the intricacies and nuances of what went wrong in the past and what steps they can take to prevent a repeat in the future.
Drew Hjelm of Helm Information Security is a seasoned cyber incident responder using experience as a system administrator, web developer, and consultant to help organizations navigate difficult times.
“The most critical element of handling cyberattacks that most organizations neglect is…”
Preparation for what happens if a cybersecurity incident occurs.
Many cybersecurity practitioners will say that attacks are inevitable, but I would argue that having a plan and practicing that plan will ensure that organizations can weather a cybersecurity incident better than if they don't plan.
Organizations need to build incident response plans that detail their actions in the event they experience common threats: ransomware, email compromise, wire fraud, unauthorized crypto miners, etc.
They must also ensure that they are documenting their critical systems and the priority of bringing those systems back online if they are taken offline with their disaster recovery plans. Organizations should also be testing their backups and determining how to respond if they suspect their backups have been tampered with. Finally, they should be running tabletop exercises to highlight deficiencies in their processes and controls.
Bill Mann is the Privacy Expert at Restore Privacy.
“The most overlooked element of preventing cyberattacks or infiltration of your digital infrastructure starts with…”
Proper training is key to making sure that cyberattacks don’t occur. Why is that? Because many hackers find their way into the private information of a company through the simplest method: phishing.
Yes, when an employee is given a fishy email but doesn’t recognize that it’s a scam, they can open up an entire business to a cyberattack nightmare. This is why everyone should be trained on even the simplest cyberattack threats.
This doesn’t happen enough because managers assume that everyone has at least some understanding of not falling for hacker tricks in emails. You would think that’d be the case but, surprisingly, it’s not, and that means that you need to educate everyone — almost as if they have never touched a computer before.
Thorough — painfully thorough — training is overlooked by many companies. It’s the best method to stop cyberattacks, and it must be taken into consideration by every company looking out for itself.
Matt Aubin is the Company Founder of Technical Investigation and Cybersecurity Specialist Counter Surveillance Cyber Team.
“The most overlooked element of preventing cyberattacks that businesses should be aware of is…”
Employees need to know how to spot suspicious emails and how to report them. Cybersecurity professionals must also ensure that their employees have a clear understanding of what they can do when they detect suspicious emails or other content on their devices.
The human factor is often overlooked by businesses when it comes to preventing cyberattacks. They think that technology alone can protect them from these threats, but this is not always the case - as technology can fail too.
Cyberattacks are a growing threat, and companies must be aware of what they're doing to prevent them. It is important to keep in mind that cyberattacks are not just about software or hardware; they’re also about the people who work in the company.
Todd Gifford is the Technical Director of Optimising IT.
“The single most important thing to consider when improving cybersecurity and preventing cyberattacks is…”
Not just training for end users about what to look out for regarding phishing emails or credential compromise in some form of business email compromise, but core skills in cybersecurity best practices for the technical teams including the IT team and your development teams.
Training, education, awareness, and most importantly, the ability to apply what you have learned in a real-world scenario is the single most important thing your business can do to improve cyber security:
- Getting the correct knowledge is key — not just teaching your team about how to spot phishing emails and fake invoices.
- Make sure the technical teams have the appropriate knowledge and the ability to apply it in the context of your business.
- Ensure everyone knows how to talk about risk, in line with your business risk appetite.
- Teach the technical teams to speak business and to sell the benefits of what they are proposing.
- Empower everyone to verify that steps taken to improve security are effective (this is where internal and external audits add value).
Outsourced your technical delivery, IT support, and cybersecurity? You can outsource the work, but you can't outsource the responsibility. Make sure you verify that your chosen partners have the appropriate skills, ongoing training, and capability to deliver. This includes making sure they are able to apply risk management in the context of your organization, speak in business terms, and provide additional value and business benefit.
Clay Gooch is the Chief Information Security Officer of Headstorm, a software and technology consultancy. He specializes in enhancing the security posture of organizations. Ultimately, lowering overall risk by creating, implementing, and upgrading security programs and giving teams the tools they need to succeed.
“According to figures cited by the U.S. national security cyber chief, the use of multi-factor authentication (MFA) could prevent as much as…”
Multi-factor authentication might be one of the simplest, cheapest, and most efficient tools that small-to-medium-sized business owners can implement when it comes to safeguarding their data. However, it is often the most overlooked element of preventing cyberattacks.
Like Nike’s slogan says, Just Do It. Not only does it significantly reduce the risk of compromise, but it can also reduce the cost of cybersecurity insurance.
Kevin Bocek is the VP of Security Strategy & Threat Intelligence at Venafi.
“Machine identity management is one of the most overlooked elements in preventing cyberattacks…”
Every machine you can think of has its own identity, allowing secure communication between machines of all kinds, from servers to applications, Kubernetes clusters, and microservices. However, with developers under pressure to scale rapidly, securing and managing these crucial assets is often overlooked in favor of speed.
Today, the average business has nearly 250,000 machine identities on its network, and this number is expected to double to 500,000 by 2024. So, even organizations with modest digital transformation plans will soon find the number of identities they need to keep track of spiraling out of control, opening them up to vulnerabilities.
The consequences of this are laid bare when you look at the number of machine identity-related breaches that are taking place. High-profile breaches, such as SolarWinds, have taken advantage of machine identities. Machine identity is the foundation of zero trust strategies, making the inverse true: machine identities are core to successful cyberattacks.
We also have evidence that nation-state threat actors from the likes of North Korea and China are increasingly turning to machine identities as their modus operandi, abusing them to launch highly damaging attacks to advance the political and economic goals of their states. So, organizations must make use of a control plane, which enables automated management of machine identities throughout their lifespan, and ensure that these valuable assets are protected.
Volodymyr is the VP of Engineering at Clario, a cybersecurity solutions provider.
“Bar none, the most overlooked element of cybersecurity plans in businesses of every size is…”
Even the most sophisticated cybersecurity technology is no match for a person recycling easy passwords, using their work computer on public wifi, or opening a dangerous link in a convincing phishing email.
This is why every cybersecurity plan *must* have an equally detailed education component, with regular upkeep of that training for every employee who interacts with your business network.
Even basics like implementing monthly password reset requirements, mandatory two-factor authentication on devices used for work purposes, and educating employees on basic phishing red flags can bolster your cybersecurity plan with little investment.
Jamie Howard is the CTO of Capital on Tap, an all-in-one small business credit card and spend management platform. Capital on Tap makes it easy for small business owners to manage cards for their employees, access funding for their business, and earn cashback, travel, and gift card rewards.
“An often overlooked aspect by organizations to maintain a healthy cybersecurity posture is…”
Security & awareness training for employees.
One-off or yearly training exercises are no longer enough to keep the changing attack landscape at bay. Organizations need to engage with security professionals to understand industry-specific threats so that engagements can be scoped and delivered correctly with clear and defined goals.
For example, if a team member hasn't secured their phone properly and then loses it, this could contribute to a security breach. Or, not being cautious about clicking on links in emails could lead a person to inadvertently open the door to a cyber attack.
Regular training, backed up by ongoing social engineering exercises such as simulated phishing attacks (and following up with individuals after) can be very helpful in educating the team to be better aware of cyber threats.
Erik is a co-founder and Chief Architect at edge orchestration company ZEDEDA, and is an expert on architecting and implementing secure large scale software systems.
“One of the most overlooked aspects of cybersecurity today is…”
Driven by the acceleration of edge computing, particularly in organizations with distributed operations. While security in the data center is relatively well understood, edge computing comes with a new and entirely different set of challenges.
Cybersecurity professionals now need to extend their security infrastructures to a distributed environment that might have no perimeter, is heterogeneous, encompasses devices that may be too constrained to run traditional security tools, may have little to no onsite IT staff, and at a scale that may run into the tens of thousands or more.
Plus, as previously segmented IoT projects are brought onto the network to leverage the on-site data analysis and decision-making enabled by edge computing, it also brings a new OT stakeholder that may have different concerns and priorities from IT.
With these challenges in mind, CISOs must approach security at the edge from a broader perspective than they do in the data center or cloud. This means taking into account the business priorities of OT, which may include safety, efficiency, and disconnected operation, and IT, which includes data protection, privacy, and compliance.
This also means implementing a security strategy that addresses the unique distributed edge environment, including a zero-trust architecture that solves common challenges such as avoiding firmware and software attacks in the field, ensuring security and environmental consistency with unsecured or flaky network connections, and detecting and avoiding hardware supply chain attacks, among others.
Ray Steen is the CSO at MainSpring.
“According to Deloitte, 91% of all cyberattacks in 2020 began with…”
A phishing email to an unsuspecting victim.
Employees unwittingly give away personal information and credentials that leads to system penetration, data theft, and ransomware because they don't know what to expect. For this reason, cyberattack and phishing simulations are among the most valuable tools an organization can use for cybersecurity training and awareness — but they are woefully underutilized compared to other training programs.
Simulations provide employees with a realistic and safe environment where they can familiarize themselves with the constantly evolving tactics, techniques, and procedures (TTPs) that phishing actors use to mimic well-known brands and spoof company domains. They allow organizations to build up a human firewall based on knowledge and experience, which is especially valuable in a time when cyber talent is hard to find.
Tom Kirkham, Founder, CEO and CISO of Kirkham.IT and IronTech Security brings more than three decades of software design, network administration, computer security, and cybersecurity knowledge to organizations around the country.
“By far, cybersecurity awareness training is the most overlooked element in today's environment…”
Organizations spend tens of thousands of dollars to protect their digital assets, but without creating and fostering a security-first environment from the top of the organization down, those controls are useless. Employees are the first line of defense against a breach. Everyone with access to any kind of computer or device on a network must have security awareness training. Continuously. No one is exempt.
One way to get the message across to your team is to share cybersecurity news regularly. The volume and frequency of attacks help get the message across that everyone needs to be thinking about security every day.
Teach employees how to identify a phishy-looking email and how to proceed if they have questions. Everyone should:
- Check the sender email address and name for spoofing, especially when the sender is making an unusual or unexpected request.
- Check the email format and ask yourself if there's anything off about it.
- Make a phone call if you're suddenly asked for key information like login credentials, especially bank or credit card information.
- Hover over links to make sure they go where they say they go.
- Scan any attachment before opening it, and check the file extension for anything unusual, like multiple file types.
Password best practices are fundamental. The challenge is getting your team to actually practice it. Password managers are excellent tools to foster good password hygiene and don't require a large investment.
Attending to these details, coupled with a layered security approach with multiple best-of-breed tools and constant vigilance is the most effective line of defense.
For more than 20 years, Trexin’s Chief Security Officer and Technology Capability Lead, Glenn Kapetansky, has advised senior executives and built teams across multiple industries and roles.
“The most overlooked element is…”
That everyone falls for phishing.
I fell for phishing exactly once in over 40 years: I clicked on a link from my top Architect at my dot.com, and boom. When I expressed surprise, he said, “Oh yeah, I was up till 2 A.M. hacking stuff and fell asleep before turning my filters back on.” Thanks, Mike! I never forgot the lesson that even experts can lose focus at a critical time and the crack in our defenses can come even from a trusted direction.
That does not mean we should spend any less time and attention on tools, tests, and training. They are all essential layers of defense against an ever-changing enemy. But assuming you’re already been breached (in some form) may help you — as it has helped me — to focus on resiliency and how to ensure the business can continue going about its business.
Matt Polak is the Founder & CEO of Picnic Corporation, the first cybersecurity company to specifically address social engineering as a threat vector. Matt is a subject matter expert in intelligence collection, having spent his career applying these skills to intractable growth and competitive strategy challenges for Fortune 500 customers.
“Given that more than 90% of all cyberattacks start with a phishing email and that 90% of attacks are caused by human error…”
It is astonishing that less than 3% of cybersecurity budgets are allocated to the human factor. Additionally, 92% of cyber-attacks are specifically crafted from users’ OSINT (public information about people, companies, and supply chains), according to Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA).
These statistics indicate that the most overlooked element of preventing cyberattacks that businesses should be aware of is the OSINT vulnerabilities used to craft phishing and other forms of social engineering attacks.
Hackers use social engineering to bypass traditional cybersecurity and gain a foothold, but the fuel for these attacks is the public data that exists beyond the firewall. Security teams have historically not had adequate visibility of this data, let alone control over it, and this is the primary reason why social engineering has remained the biggest threat vector in cyber.
To reduce their threat surface and prevent cyberattacks, organizations need the technological capability to continuously know and neutralize the public data vulnerabilities that fuel social engineering campaigns. By turning the map around and seeing themselves from the perspective of an attacker, companies can preemptively remove paths of compromise before they are exploited and prevent attacks.
No business is immune to cyberattacks today. Whether you own a small business or you’re an executive at a major enterprise, cybersecurity must be top-of-mind from the top down. Implementing strategies to address these often overlooked elements of cybersecurity, such as implementing strong password requirements and requiring frequent password changes, providing ongoing cybersecurity awareness training for every employee, and leveraging a robust data loss prevention solution, will help you close the security gaps and better protect your business against cyberattacks.