Cyber-attacks are in the news every week and cause billions of dollars of losses to the global economy. While security spending continues to creep higher, a report showed 78% of security leaders surveyed still lack confidence in their cybersecurity posture despite the investments being made. This is because most security breaches aren’t a result of inadequate security technology; they are a result of human error.
The success of and rapid growth in cybercrime is a testament to the fact that most organizations continue to be inefficient defenders. Let’s explore the top five reasons why businesses may be inefficient in their approach to cybersecurity:
1. OVERWHELMING NUMBER OF VULNERABILITIES AND ALERTS
With around 10,000 new software vulnerabilities discovered each year, security teams cannot realistically assess the risk of every potential threat. They rely on security tools (e.g., vulnerability scanners and SIEM) to surface patterns and risks, but in large companies it is not uncommon to see 1,000 or more alerts per day, with anywhere between 25% and 75% of them proving to be false positives. Buried under that volume, teams often fail to identify or prioritize risks correctly. Some even admit to turning a blind eye to security alerts when their plates get too full.
2. NOT ENOUGH FOCUS ON ROOT CAUSE ANALYSIS
A common mistake that cybersecurity teams make is treating the symptom rather than the cause. This helps explain why, in a survey of more than 1,200 cybersecurity professionals, 80% of respondents reported suffering repeat attacks. Like a headache, fever or fatigue, the presence of malware is usually a sign of something far more dangerous. Cleaning up the malware is important, but it is just as critical that security teams understand how the malware was able to breach their defenses in the first place. Top root causes include phishing, social engineering, software vulnerabilities, human error, malicious insiders, leaked credentials, misconfigurations, and compromised supply chains.
3. TOO MANY PROJECTS AND PRIORITIES
When the pandemic hit, cybersecurity took a backseat and business continuity became the priority: almost 50% of the more than 200 security professionals surveyed reported shifting their focus to IT duties, while 91% of IT workers surveyed felt pressured to compromise security. In a corporate environment resources are limited, IT and cybersecurity teams have too much to do, and management teams at times have pet projects that take priority over things like cybersecurity.
Compliance is another source of a false sense of security. Compliance centers on the requirements of the regulations, not on the real cybersecurity needs of the organization. Most breaches involve humans, and compliance controls fail to prioritize or stress the importance of the human factor.
4. THE SECURITY COMMUNICATION PROBLEM
More than half of cybersecurity professionals surveyed cite a lack of soft skills like communications and leadership as one of the biggest skill gaps in the pool of professionals. These skills are critical to an effective risk management program. This means that even when IT security teams can identify threats, they are unable to communicate them organization-wide.
Communication gaps result in things like end-users lacking the ability to identify suspicious behavior, senior management being unaware of top security challenges, and the business being unable to supply the right amount of resources and implement the right amount of controls to mitigate cyber threats in real time. Cybersecurity needs to be proactive and not reactive, and this is where communications play a major role.
5. HUMANS ARE POOR AT RISK EVALUATION
About 1.25 million people die in car accidents every year, while annual deaths from airplane crashes rarely top 1,000, yet more people are afraid of air travel than of using cars. Similarly, mosquitoes kill more people in one day than sharks do in 100 years; however, human instinct makes us warier of sharks. The same rule applies to cybersecurity. The majority of cybersecurity teams carry biases, and their security decisions are usually influenced by factors such as vendor- and media-driven narratives, compliance and regulation requirements, unranked or mis-ranked threats, and a lack of accuracy and confidence in identifying cybersecurity gaps.
BUSINESSES SHOULD ADOPT A DATA-DRIVEN DEFENSE APPROACH
A data-driven approach means that the business enables the security function to make decisions based on factual data. This involves understanding the root causes of security threats, learning how things actually break in the organization, evaluating which of those failures are most likely to recur, ranking those risks in order of priority, and crafting a strategy to mitigate the highest-ranked risks first. This isn’t a one-time exercise but a perpetual, evolving process that develops the business’ capabilities in line with the evolving threat landscape. There are three main elements of a data-driven defense approach:
Focus on initial root causes: Phishing is by far the most common attack vector, jumping over 500% in the first two months of the pandemic. Remember, ransomware isn’t the problem; the problem is how it got in. Once you’ve adjusted your thinking, you’ll realize that adware or a backdoor is just as worrisome as ransomware, because each arrived through the same kind of gap.
Focus on the top exploit methods: Concentrate on exploits that are actively used against you, exploits likely to be used against you, and exploits that have been successfully used against you. Even if your antivirus or endpoint detection software is detecting malware and removing it, if it was alive on your system even for a second, it means your defenses were somehow compromised.
Focus on local threat intelligence: Remember to look at your own data, rank your own risks, and apply your local experience first, instead of making security decisions based on industry and peer guidance. It’s true that the threat landscape is evolving; however, not all environments, threats, and risks are created equal.
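The three elements above (rank initial root causes, then the exploit methods behind the top cause, and check local data against outside guidance) can be carried out mechanically over an organisation's own incident records. The following Python is an added example written for this page, not code from the author or from KnowBe4; the incident log, the impact scores and the "external guidance" ordering are all constructed, hypothetical values, and the scoring rule (frequency weighted by impact) is one simple choice, not a standard the article prescribes.

```python
from collections import defaultdict

# Constructed, hypothetical incident log for one organisation. Each record is
# (initial root cause, exploit method, impact score 1-5). Real input would be
# pulled from incident tickets or a SIEM case list.
INCIDENTS = [
    ("phishing", "credential harvesting", 4),
    ("phishing", "macro-enabled attachment", 5),
    ("phishing", "credential harvesting", 3),
    ("phishing", "malicious link", 2),
    ("unpatched software", "public exploit of web server", 5),
    ("unpatched software", "public exploit of web server", 4),
    ("misconfiguration", "open storage bucket", 3),
    ("leaked credentials", "password reuse on VPN", 4),
    ("malicious insider", "data exfiltration", 5),
]

# Constructed, hypothetical ordering of root causes as an outside report might
# present it; used only to show where local data disagrees with it.
EXTERNAL_RANKING = [
    "unpatched software",
    "phishing",
    "misconfiguration",
    "leaked credentials",
    "malicious insider",
]


def rank_root_causes(incidents):
    """Rank initial root causes by frequency weighted by impact.

    score = sum of impact scores for that cause (i.e. count x mean impact),
    so a cause that is both common and damaging rises to the top.
    Returns a list of dicts sorted from highest to lowest priority.
    """
    totals = defaultdict(lambda: {"count": 0, "impact_sum": 0})
    for cause, _method, impact in incidents:
        totals[cause]["count"] += 1
        totals[cause]["impact_sum"] += impact
    ranked = [
        {
            "cause": cause,
            "count": t["count"],
            "score": t["impact_sum"],
            "mean_impact": t["impact_sum"] / t["count"],
        }
        for cause, t in totals.items()
    ]
    # Ties broken by count, then by name so the output is deterministic.
    ranked.sort(key=lambda r: (-r["score"], -r["count"], r["cause"]))
    return ranked


def top_exploit_methods(incidents, cause):
    """For one root cause, list the exploit methods actually seen, most frequent first."""
    counts = defaultdict(int)
    for c, method, _impact in incidents:
        if c == cause:
            counts[method] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def local_vs_external(local_ranked, external_order):
    """Return root causes that local data ranks higher than the external guidance does.

    These are the risks an organisation would under-invest in if it followed
    the outside ordering instead of its own experience.
    """
    ext_pos = {c: i for i, c in enumerate(external_order)}
    flagged = []
    for local_pos, row in enumerate(local_ranked):
        cause = row["cause"]
        if cause in ext_pos and local_pos < ext_pos[cause]:
            flagged.append(cause)
    return flagged


if __name__ == "__main__":
    ranked = rank_root_causes(INCIDENTS)
    for row in ranked:
        print(f'{row["cause"]:<20} count={row["count"]} '
              f'mean_impact={row["mean_impact"]:.1f} score={row["score"]}')
    top = ranked[0]["cause"]
    print("exploit methods behind", top, top_exploit_methods(INCIDENTS, top))
    print("ranked higher locally than externally:",
          local_vs_external(ranked, EXTERNAL_RANKING))
```

On the constructed data phishing ranks first on local evidence, and the comparison step flags both phishing and the single high-impact insider case as risks the external ordering would have pushed down the list; that divergence, not the absolute numbers, is the point of the third element.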
Know that cybersecurity is a data and a human problem. Creating a strong human firewall as your last line of defense is a must.
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.