Importance of Security
The Value of Cybersecurity for Business
Tags: Cybersecurity, Business, Breaches
Weston Wilson
10/26/2022 · 5 min read
How to lose money
Security of a business is vital to its success. Facing a data breach could cost a company over $4 million on average in 2021, and over $9 million in the United States for 2022 (IBM, 2022). That’s per incident, and some companies are breached multiple times a year! Companies are often unable to recover from a data breach because of the money, time, and reputation lost, or because of its other consequences. Some breaches have regulatory consequences such as fees or losing access to credit card processing. Other breaches can have legal consequences, including jail time! Staying on top of threats is key to continuing business operations. Two of the most important aspects of security are user training and patching. Don’t pay the demands of ransomware (software that encrypts your data and demands a sum of money to unlock it); you may or may not get your data back, depending on the group controlling the ransomware… but you will definitely lose the ransom paid. If you’re hit with ransomware and aren’t sure what to do, contact your local authorities.
A data breach isn’t hopeless for companies. What you do right now can affect the severity and impact of an incident. Companies like SystemSecure can help to assess the current state of your business’s security, provide recommendations, and assist in deploying safeguards. An ounce of prevention is worth a pound of cure. There are many companies that are able to successfully navigate data breaches and come out the other side stronger.
Wait, security is MY responsibility?
Where do you fit in? Many don’t realize that even with cloud-hosted applications, the customer is ultimately responsible for many aspects of the application’s security. Let’s take this website for example: blog.systemsecured.com. Even though it is hosted through a cloud provider, the virtual server is largely managed by SystemSecure. SSL had to be configured during initial setup for secure data transfer (as shown by the lock icon in the browser’s address bar), the system needs to be patched regularly, and the credentials need to be properly managed to prevent unauthorized users from manipulating the machine. The plugins are the same way: the plugins that add or enhance the website’s functionality need to be updated constantly. If plugins and credentials aren’t managed properly, the site can be “hacked” - taken down, repurposed, or have malicious content added. The web hosting company has some security controls in place to secure the machine and network, but you as the customer need to know which controls are on them and which are on you. Cloud providers typically publish a shared responsibility model as part of the service agreement, such as AWS’s shared responsibility model, which spells out exactly that split.
Cybersecurity Staff’s Concerns
Compounding the constant battle to prevent a breach, security employees are quickly becoming some of the most burnt-out employees (ZDNET, 2022). If a company is breached, it may or may not be the security team’s fault. Either way, they are blamed and often lose their jobs because of it.
Imagine you are responsible for keeping inventory of computers at your company. Management one day finds that 100 computers are missing from the inventory. Now the company terminates your employment because it was discovered under your watch. You have little control over someone manipulating or stealing inventory. You don’t have the ability to show the company that the computers were removed from inventory before you started. Your time with the company is over because of something outside of your control being blamed on you and your team.
Sounds pretty absurd, right? But that is exactly how security personnel are treated at times. A breach occurred before an employee joined the company, but it is discovered while he or she is employed, so he or she is held responsible. Or a breach occurs that the team has no visibility into; same situation. On top of that fear of being fired at any time, security employees are typically on call 24/7. There may be a round-the-clock SOC or similar, but the security engineer still has to be contacted for certain events. If that weren’t enough, teams are usually left without adequate support from management to get vulnerabilities remediated, are understaffed (running a team of 8 when 12 may be sufficient), and do not have the proper tools to track remediation from start to end and hold system owners accountable for patching or remediation. So, we’ve got a bunch of security personnel who are overstressed, overworked, and many of whom are on the market for a new job promising less stress. Losing security staff is another way for companies to lose time and money - it takes on average 3-6 months to fill an open position in cybersecurity, depending on the role level. In addition, it takes time for the replacement to learn the position - another 3-6 months.
We could talk a lot about the problems here, but what can we do to fix them? It may be tempting to do so, but don’t blame the security team unless it truly is the team’s fault. Security teams are told to assume the company has already been breached and they need to keep the threat from achieving its goal. With that mindset, teams being tasked with preventing a breach have already failed even before starting.
What can we do?
Most often, the cause of a breach is either the exploitation of known vulnerabilities or phishing (or other social engineering practices like vishing, over the phone, or smishing, over text message). Many published vulnerabilities also have published guides on how to exploit them, making it fairly easy to compromise an unpatched system. Social engineering techniques are getting more advanced, so end users need to stay on top of the current techniques of threat actors. Keep systems patched and keep users trained on a regular basis.
Aside from the discussion above, we all need to rethink how security is handled. We need to find innovative ways of handling security. We need to take security seriously and maintain a strong security posture across the whole business. If even one device is not properly maintained and patched (like that server under the desk everyone forgot about), bad actors can use it to take over an entire network. If you are not sure of the best course of action, call in some professionals. One relatively new concept, zero trust, is being adopted widely to help improve security postures.
Zero Trust
Zero trust architecture (ZTA) is essentially the idea that a network should not have any implicit trust between devices. Rather than having an internal, “trusted” network and an external, “untrusted” network, we distrust every device attempting to make a connection. Various attributes of the connecting device and its context determine how much the receiving system trusts that connection. Is the device connecting from a strange IP address, or has it connected from this IP in the past? Is the user authenticated, and is this a typical user to make the connection? Is the connection being made at an unusual time? All of these questions can be used to determine the level of trust placed in the connection. This helps to prevent attackers from compromising a single point in the trusted network and taking over everything. Implementation can be a long and complicated process, but it’s possible and it will help. Is it a perfect solution? No. But it’s a much better way to prevent evolving threats than a traditional network setup.
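To make the questions in the paragraph above concrete, here is an added example (not from the SystemSecure post, and not any vendor’s product) of a minimal per-connection trust evaluation. Every attempt starts with zero trust and earns a score from the answers to the post’s three questions (known source address, expected user and service, usual time of day), plus a second factor; the score maps to allow, step-up, or deny. The user profile, thresholds, and the connection attempts are constructed sample data and the function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed profile of what "typical" looks like for one user (sample data).
USER_PROFILES: Dict[str, dict] = {
    "alice": {
        "known_ips": {"203.0.113.10", "198.51.100.7"},  # RFC 5737 documentation addresses
        "typical_hours": range(7, 20),                  # 07:00 to 19:59 local time
        "usual_services": {"mail", "wiki"},
    },
}

# Assumed thresholds: the maximum score below is 100.
ALLOW_THRESHOLD = 70    # enough signals agree with the user's history
STEP_UP_THRESHOLD = 40  # plausible but unusual: require a fresh second factor


@dataclass
class ConnectionAttempt:
    user: str
    source_ip: str
    authenticated: bool  # did the session present valid credentials?
    mfa: bool            # did the session complete a second factor?
    hour: int            # local hour of the attempt, 0-23
    service: str         # what the device is trying to reach


@dataclass
class Decision:
    action: str                  # "allow", "step_up", or "deny"
    score: int
    reasons: List[str] = field(default_factory=list)


def evaluate(attempt: ConnectionAttempt) -> Decision:
    """Score one connection attempt against the user's history.

    Nothing is trusted by default: unauthenticated or unknown users are
    denied outright, and everyone else has to earn a score from context.
    """
    profile = USER_PROFILES.get(attempt.user)
    if not attempt.authenticated or profile is None:
        return Decision("deny", 0, ["not authenticated or unknown user"])

    score = 0
    reasons: List[str] = []

    # Has this device connected from this address before?
    if attempt.source_ip in profile["known_ips"]:
        score += 40
    else:
        reasons.append(f"new source address {attempt.source_ip}")

    # Is this a typical user to reach this service?
    if attempt.service in profile["usual_services"]:
        score += 30
    else:
        reasons.append(f"user does not normally use {attempt.service}")

    # Is the connection being made at an unusual time?
    if attempt.hour in profile["typical_hours"]:
        score += 20
    else:
        reasons.append(f"hour {attempt.hour:02d} is outside typical hours")

    # A completed second factor adds trust but never replaces the checks above.
    if attempt.mfa:
        score += 10

    if score >= ALLOW_THRESHOLD:
        action = "allow"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "deny"
    return Decision(action, score, reasons)


def evaluate_all(attempts: List[ConnectionAttempt]) -> List[Decision]:
    """Evaluate each attempt independently; no earlier decision carries over."""
    return [evaluate(a) for a in attempts]


if __name__ == "__main__":
    # Constructed attempts: a normal workday login, the same user from a new
    # address, and an off-hours request for a service the user never touches.
    samples = [
        ConnectionAttempt("alice", "203.0.113.10", True, True, 10, "mail"),
        ConnectionAttempt("alice", "192.0.2.55", True, False, 10, "mail"),
        ConnectionAttempt("alice", "192.0.2.55", True, False, 3, "admin-console"),
    ]
    for attempt, decision in zip(samples, evaluate_all(samples)):
        print(f"{attempt.user}@{attempt.source_ip} -> {decision.action} "
              f"(score {decision.score}; {', '.join(decision.reasons) or 'no concerns'})")
```

Each attempt is scored on its own, which is the property the paragraph is after: a device that was allowed once does not carry that trust to its next connection, so a single compromised machine still has to pass the same checks for every service it reaches for. In a real deployment the profile would be fed by authentication logs rather than a hand-written dictionary, and the weights and thresholds would be tuned to the organization.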
Next Steps
Do you have questions about anything stated here? Our team would be happy to provide a free assessment to help you navigate improving security within your company. We know how complex the needs of companies can be. So, if we are not able to help, we can help find someone that can. Contact us today!