The truth is that in cybersecurity, most businesses are their own worst enemies. While the world has begun looking at cyber attacks and other types of cybercrime more seriously, it would appear that measures to prevent them aren’t being taken seriously enough. SolarWinds MSP’s 2017 Cybersecurity Preparedness survey found that an overwhelming number of businesses in both the U.S. and U.K. are actually overestimating how ready their organizations are when it comes to preventing and fighting breaches. This report also concluded that there are seven reasons why businesses are falling short in cybersecurity preparedness. For businesses to actually be as secure as they are confident, they’ll need to refrain from falling into these traps:
1. Inconsistency in enforcing security policies. It’s not enough just to have security policies — you have to regularly check and consistently enforce them, or they exist uselessly. Only 32 percent of respondents could claim their security policies are reliably applied and regularly audited. On top of this, 43 percent enforce them only occasionally, 17 percent fail to audit their suitability, and 7 percent have no policies in place. Overall, SolarWinds found that 68 percent of respondents don’t reliably apply or audit security policies.
2. Negligence in the approach to user security awareness training. With employee negligence and human error topping the reasons why companies experience breaches, this should be a top priority. Unfortunately, only 16 percent of respondents claimed they actually considered user security awareness training to be a priority, while almost just as many (13 percent) admitted they do nothing. 71 percent of respondents either include security awareness as a one-off employee onboarding event, or reinforce it once annually. SolarWinds likens this to “paying lip service” because of how ineffective training is if it’s not ongoing.
3. Shortsightedness in the application of cybersecurity technologies. The top nine cybersecurity technologies include web protection, email scanning, and anti-malware (50 to 61 percent of respondents employed these technologies), as well as security information and event management (SIEM), firewall rules, patch management (both monthly and weekly), hardened workstations, and network intrusion systems. Only 25 percent of businesses utilized network and/or host intrusion systems. Ultimately, six out of nine top cybersecurity technologies are deployed only by a minority, or less than 31 percent.
4. Complacency around vulnerability reporting. 51 percent of respondents claimed (optimistically) that their vulnerability reporting was “adequate”, with an additional 29 percent classifying their reporting as “robust”. 19 percent have no reporting whatsoever, and 11 percent said they don’t plan to add it. Yikes.
5. Inflexibility in adapting processes and approach after a breach. Out of the 71 percent of respondents that experienced a breach in the past 12 months, only 44 percent and 41 percent actually implemented new technology and processes, respectively. This is why it’s hard to believe that businesses are anything but overconfident in their preparedness, seeing as over half of those that experienced a breach aren’t doing anything different after the fact.
6. Stagnation in the application of key prevention techniques. SolarWinds lists nine key prevention techniques, including full disk encryption on mobile and portable endpoints (the most applied technique, performed by 43 percent of respondents), basic logging of authenticated users’ activity (41 percent), and application whitelisting (the least applied technique, performed by only 27 percent of respondents).
7. Lethargy around detection and response. Because even the best business cybersecurity systems are fallible, every business should be concerned about optimal detection, response, and resolution times. Unfortunately, only 44 percent of businesses actually improved in these areas, while 32 percent remained the same, and 24 percent saw decreases.
It’s important to note that all of this is compounded by the fact that it’s hard to actually fill open cybersecurity positions. Maryville’s Online Resource Center estimates that a growing skills shortage will leave 1.5 million out of 6 million cybersecurity jobs unfilled in 2019. This means that by the time business confidence in cybersecurity wanes, there won’t be anything that anyone can do about it anyway. Those who employ effective cybersecurity staff early and hold on to them into the future will benefit most.
Invest in your own protection, and don’t be made a fool of. Take a good, hard, honest look at your cybersecurity measures, and reevaluate whether you and your employees are truly protected. Hubris will be your downfall, humility your salvation. While intense self-scrutiny may be uncomfortable, it may also be the one thing that saves your skin in the future.