19 cyber-security mistakes companies make & how to avoid them
Top 19 mistakes & how to avoid them
Building a brand, dreaming of an IPO or selling up to a tech billionaire? Or simply working hard to put food on the table for your family? Whatever your ambition, SME organisations underestimate cyber security at their peril.
If you have a switched-on Head of IT you'll most probably have heard of host and endpoint encryption, application, database and BYOD mobile protection. You may even have rolled out security awareness training…
But we know from experience, your peers are making a host of cyber mistakes:
1. Building higher and beefier ‘walls’
The Donald Trump mentality is tempting for many but ultimately flawed, a complete non-starter – malicious software is constantly evolving. What keeps out one piece of malware won't automatically keep out the next. When an alarming 360,000 new malicious programs are created every day, you could end up wasting a lot of money on this approach.
Plus, you can't do business without letting lots of traffic through anyway – and don't forget that phishing is widely considered the biggest threat. Those emails come straight through the front door, looking for all the world like they were invited.
2. Focussing too much on keeping criminals out…
…when keeping your valuables safe is what really matters.
Preventing criminals from entering is the desired state but ultimately unrealistic. Therefore detection needs to be the default state – together with being ready to turn a detection into a robust response.
When you have that clear objective, your monitoring efforts can be focused on detailed intelligence requirements that detect breaches quickly.
Howden cyber specialist Edward Wong said, “A breach will happen at some point, but if you can detect it quickly and react with gusto, you can prevent anything really bad happening or limit the damage.”
3. Taking the tools-before-jewels approach
IT professionals often covet the latest tools – sometimes for their own sake – because many are 'early adopters' and naturally attracted to shiny new tech.
As a result, they can end up managing hundreds of tools and feel secure – but still be wide open to criminals.
Don't decide which tools to use before you have a clear understanding of what you are trying to protect, and in what priority order. Then build the plan up from the inside.
That’s much better than organising your defence around the latest available tools, or the in vogue criminal tactics. Criminals can always shake up their approach – don’t make it easy for them.
4. Assuming you are not a target
Complacency is the #1 enemy of cybersecurity.
SMEs tend to be less security conscious, due to limited budgets, clashing priorities and, often, restricted access to top-tier IT security talent.
Don't forget the 'random' nature of ransomware, which proliferates through connected systems: malware is designed to self-replicate across networks and is easily forwarded buried in attachments.
You don’t have to be targeted to wind up being a target.
5. Using highly privileged accounts for high risk functions such as web surfing or email
It happens all too often, but your most highly privileged user accounts should not go anywhere near the open waters of the World Wide Web.
Such machines should not even have a browser.
Email and web browsing should be unavailable when logged in as privileged accounts - because mistakes will happen when people are stressed, rushed or fatigued.
6. Lacking the ability to remotely wipe a device
Laptops and phones will get lost and stolen – you need the ability to wipe or lock them down permanently, wherever they are.
You might be thinking that you’d be hopelessly unlucky for a lost device to fall into the wrong hands – with social engineering attacks it could well have been taken on purpose.
7. Investing in the wrong technology for the job
A recent report, Accenture's cost of crime study, found that 5 out of 9 security technologies have a 'negative value add' (the figure was calculated in terms of spend versus cost savings delivered).
The focus was on larger organisations, but it goes to show that just because you are spending big money on tech solutions doesn’t mean they’re the perfect solution.
These were the ones giving significant savings over and above the investment:
- security intelligence systems
- automation/machine learning
- cyber analytics/user behaviour.
The biggest value drain was advanced perimeter controls, which cost approximately twice as much as the cost savings they delivered.
8. Buying good software with substandard support
Whichever tools and systems you procure, the level of support that comes with them should be of mission-critical importance.
Often, software that seems perfect out-of-the-box is only fit for purpose when set up by an expert – and that means an expert in that particular piece of software.
Howden Cyber’s Edward Wong said, “You might feel like your IT team could handle it, but a software misconfig is one of the common causes of a serious breach. We regularly read about vast amounts of sensitive data released into the public domain simply by configuring a few settings ineptly during a cloud server set up.”
9. Thinking compliance is a target – if we’re compliant, we’re good
Compliance first isn’t safety first, because compliance is always behind the pace of innovation.
The pecking order for cyber innovation goes: bad actors, security companies… regulators.
Keeping up with compliance could keep you safe…but only from what criminals were up to years ago.
To make legal compliance your only target is a very risky strategy indeed.
10. Falling for common cyber-attacks
If there's one thing worse than suffering a cyber-breach, it's getting totally blindsided by a common one.
It should be your objective not to fall for the old tricks; the more common they are, the more we know about them – prior knowledge of the technical makeup of scams is a massive advantage.
You should do your research and stay up to date: make sure your systems are set up to detect the common attacks early, before attackers can take control or access data. Last but not least, keep your software databases updated and, above all, make "patch, patch, patch" the mantra.
11. Assuming your current insurance covers you against cyber-attacks
Because you may well be disappointed – unless you have standalone cyber insurance that is designed to pick up the bill for picking up the pieces. That means sending in a crack team of relevant experts – legal, technical, forensics, PR – to get you and your reputation back to their best, fast.
12. Doing cybersecurity training... once
While it may be a stretch on SME resources, we do recommend regular updates to cybersecurity training. At a bare minimum, you should consider basic data protection awareness training. Highlighting the latest threats and phishing tactics is a great start – forewarned is forearmed – although there is a solid argument that the average human is not psychologically well-equipped to be vigilant against phishing (and may not be for some time).
13. Low-Medium-High risk assessments
Often when ticking these boxes or assigning RAG (red/amber/green) statuses, the rating is based on little more than gut feel.
Gut feel is no way to account for cyber risk – people tend to think their risk is lower than it really is; in other words, they over-rate themselves (see this interesting article on why most people think they're above average at driving).
As the FAIR Institute says, "Most risk measurements today are not founded on a clear understanding or articulation of the things being measured."
Measurements and results need to faithfully reflect ranges or distributions of probabilities.
We ultimately need to work out a number to inform your policy level, but we can help you do that based on years of experience working with similar businesses to yours.
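As an added illustration of working with ranges and distributions rather than a RAG label (example code written for this article, not Howden's or the FAIR Institute's own method; every estimate in it is constructed), here is a small Monte Carlo model that turns min/most-likely/max estimates of incident frequency and cost into an annual loss distribution:

```python
"""Added example (not from the original article): a small Monte Carlo model
in the spirit of FAIR that turns min/most-likely/max estimates into an annual
loss distribution instead of a Low/Medium/High rating; all values are constructed."""
import math
import random

def poisson(lam, rng):
    """Knuth's method: draw the number of incidents in one year, mean rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_loss(freq_est, loss_est, trials=10000, seed=7):
    """freq_est = (min, likely, max) incidents per year; loss_est = (min, likely,
    max) cost per incident. Returns the simulated annual losses, sorted."""
    rng = random.Random(seed)
    f_lo, f_ml, f_hi = freq_est
    l_lo, l_ml, l_hi = loss_est
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_ml)  # uncertainty about frequency
        events = poisson(rate, rng)              # incidents in this simulated year
        losses.append(sum(rng.triangular(l_lo, l_hi, l_ml) for _ in range(events)))
    return sorted(losses)

def percentile(sorted_vals, p):
    return sorted_vals[min(len(sorted_vals) - 1, int(p * len(sorted_vals)))]

def summarise(losses):
    """Figures a board or insurer can act on, rather than a RAG colour."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "worst_case": losses[-1],
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }

if __name__ == "__main__":
    # constructed estimates: 0.2-2 incidents a year costing 5k-250k each
    report = summarise(simulate_annual_loss((0.2, 0.5, 2.0), (5_000, 40_000, 250_000)))
    for key, value in report.items():
        print(f"{key}: {value:,.2f}")
```

The gap between the median and the 95th percentile is the information a single "Medium" label throws away, and it is what an insurer prices against.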
14. Poor quality cyber conversations among board members
Relegating cybersecurity to “something that IT does” is the wrong attitude to a factor so crucial to your long-term prosperity.
People of a more technical background need to find ways to talk about cyber in terms the executive leadership can appreciate.
For ideas on improving the effectiveness of board meetings on cybersecurity, we've created a guide here.
15. Missing learning opportunities
"In many cases, organisations have excellent monitoring capabilities, but findings are not shared with the wider organisation," says KPMG's Cost of Crime Report.
Don’t be one of those companies. Work out how to share and learn together.
16. Not having a solid cyber continuity plan
A recent Hiscox cyber survey found that 41% of respondents put additional cyber-security and audit requirements in place, whilst 39% ramped up employee training and improved preparations for future cyber-attacks.
A big part of a resilient cyber defence is having a policy in writing - and practising before the real pressure hits.
17. Assuming your IT department are good at everything technical
You may well have some serious talent in your IT department, but it’s myopic to assume that your IT department are outstanding in every way. No-one is perfect.
18. Thinking perfection, rather than resilience
You’re never going to be 100% secure – it is just not possible. If the FBI and the Pentagon can be hacked, what chance do you have?
19. Letting security suppliers spook you
And that includes us.
But the fact is, the threat is present and a breach will cost you money from the second you discover it.
That doesn't mean you should let suppliers lead you to their cybersecurity solution. Stick to your guns and get what is right for you, in terms of securing your real assets and your long-term prosperity.
Cyber insurance is a strategic business decision
We aim to support you in your cyber journey by ensuring that you have the knowledge and tools to achieve business resilience, leveraging our strong insurer partnerships to negotiate the most appropriate deal on your behalf.