Michael Scheffler, AVP EMEA at Bitglass, talks about why companies often lack the motivation to properly address IT security. He also considers what best practices there are to ensure protection.
Data breaches and security issues have been making news headlines for decades, but they’ve become so commonplace today that outlets like BBC News now have dedicated sections covering data breaches.
Despite widespread awareness of the need to improve security practices, organisations remain reluctant to make the changes to their IT environments that would help them respond more effectively to today’s threats.
Even when security depends on relatively simple activities, such as installing the latest software updates on endpoint devices, some companies still fail to find the time and energy to perform them.
There are a variety of reasons that organisations fail to take the steps needed to ensure proper IT security. A number of these reasons are explored below, along with tips for overcoming organisational resistance when it comes to achieving comprehensive cyber security:
1. Resources: While companies often see an obvious bottom-line benefit to general IT investment, the ‘insurance’ mindset needed for IT security means that they also need to invest in the proper tools and technologies that can protect against modern threats.
This is especially important in light of the mass adoption of cloud technologies and services. Many organisations have made major investments into on-premises infrastructure.
This alone can make them reluctant to spend more funds on additional (but necessary) security solutions designed for the cloud.
2. Expertise: One of the single biggest challenges for any company that is looking to bolster its security posture and expertise is recruitment. There is a dearth of qualified personnel on the global jobs market today.
In fact, according to (ISC)² research, there are now 2.93 million unfilled IT security roles globally.
3. Denial: Unfortunately, many organisations believe that they are not likely to be a target for hackers and, therefore, that they don’t have to worry as much about cybersecurity as others.
In part, this stems from a misconception that larger or better known organisations are more likely to be attacked.
However, hackers are likely to target any company that is poorly secured or handles sensitive data, irrespective of its size or status.
4. Inertia: There are many organisations that have a somewhat parochial view of cybersecurity. As a result, they may underestimate the urgency of the need to adopt relevant security tools and practices – particularly in the cloud.
On-premises tools and best practices are necessary in the vast majority of organisations. However, the assumption that they translate perfectly to cloud and bring-your-own-device (BYOD) environments can be dangerous.
Organisations don’t typically find themselves falling victim to security breaches because adequate protections were unattainable. Solutions to vulnerabilities and highly niche security needs do exist.
As such, organisations must take action to address a few fundamental areas. Best practice approaches include:
1. Find top security talent: There are challenges associated with finding experienced security professionals in the middle of a skills shortage. However, it’s an effort well worth making.
Whether organisations conduct strategic recruitment, upskill or cross-skill existing team members, or work with external providers, there is no substitute for hands-on cybersecurity expertise.
2. Do the basics: At the very least, every business should be installing all of the necessary software updates and patches as soon as they become available – across all of their employees’ devices.
This most basic of steps can close existing security gaps and help reduce the likelihood of a breach.
3. Employee education: One of the best methods of improving security is to adopt a “security-first” mentality across the entire organisation. This starts at the top, with organisational leadership setting a high bar for everyone.
Regular training on topics such as how to spot phishing emails and how to share data securely should be conducted. That way, companies can significantly reduce the likelihood of a breach.
4. Understand your weaknesses: Organisations need to be aware of their vulnerabilities in advance. Learning about them via a data breach can be the most expensive way to stress-test a security strategy.
For those companies that leverage infrastructure-as-a-service platforms, for example, this involves using tools that proactively identify and address misconfigurations in cloud environments that can expose data.
5. Don’t get blindsided by new tech: Many of us will adopt a new technology or method of working, such as cloud services and BYOD, in order to improve our productivity.
The problem is that this often happens before an employer has sanctioned said adoption, let alone updated its security policy.
It’s much safer for employers to get ahead of the curve and enable these types of technologies responsibly and securely, rather than scramble once they’ve already found their way into an organisation.
6. Buy the best security tools: In every business, there will be certain tools that are considered essential for adequate cloud security.
These can include data loss prevention (DLP), user and entity behaviour analytics (UEBA), searchable encryption, multi-factor authentication (MFA), and more. As the list can be extensive, organisations should have robust security solutions that offer all of the protections they need in order to ensure that their data is safe.
Organisations have witnessed the aftermath of data breaches and the costs associated with failing to keep sensitive data secure.
Thinking “this could never happen to my company” is inaccurate and dangerous. It’s time for organisations to heed the warnings in the news and take a more proactive approach to cyber security.