Most people believe cybersecurity is highly complicated, ever-changing, and technical. They’re not wrong.
But for all the complexity around cybersecurity, our cybersecurity experts say it’s often the most straightforward security problems that cause clients the most problems. Why? Because these “simple” problems strike at the company’s core beliefs about its security efforts. Get those wrong, and you put your whole enterprise at risk.
During a recent episode of The Cybersecurity Crowd, a panel of our virtual Chief Information Security Officers—Darrin Maggy, Lexie Nelson, and Nicholas McCourt—got together to discuss the most damaging misconceptions companies have about cybersecurity and how to address them. Here’s what they had to say.
Cybersecurity Mistake #1: Believing you’re too small to be a target
Large-scale hacks can still happen to small companies. They can be a rich target for hackers, because many smaller companies neglect to invest in the cybersecurity protocols that can keep them safe. According to Verizon’s 2021 Data Breach Investigations Report, 46 percent of all data breaches occur at companies with fewer than 1,000 employees.
“Every company suffers during a breach, but small companies suffer more,” said vCISO Nick McCourt. “They don’t have the resources to pay large fines or deal with the fallout to their customer reputations. Fortunately, smaller companies these days can get enterprise-grade cybersecurity tools at a price that’s scalable to their business. The key is knowing where your gaps are, setting up a strategy, and maintaining, patching, and mitigating from there. A small business can be just as protected as a bigger one, with the right help.”
Cybersecurity Mistake #2: Allowing management to think of cybersecurity as a “technical” problem
Cybersecurity is everyone’s job. Our panelists stressed that companies must have a company-wide strategy for addressing the risks because the threats can come in from anywhere.
“All it takes is one person thinking the rules don’t apply to them,” said vCISO Lexie Nelson. “I’ll give you an example. You have a high-ranking executive going to a conference in another state. They ask for permission to work outside your protected channels, opening your systems to every kind of hack. They don’t think it’s a big deal because there’s no company-wide commitment to cybersecurity. Every time you make an exception for an executive, or a vendor, or a part-timer, another hole opens in your security.”
vCISO Darrin Maggy said one of the best ways to build a culture of cybersecurity awareness is to have regular company-wide security awareness programs. “I’m a big fan of three-to-five-minute monthly training modules,” Maggy said. “This keeps the burden relatively small and guarantees succinct messaging that resonates with folks. Combine that with regular penetration tests and phishing simulations, and your employees can turn from a cybersecurity liability to an asset. They can become an extra set of watchful eyes that can catch hacks that slip through the cracks.”
Cybersecurity Mistake #3: Failing to address objections and fears about cybersecurity
When you fail to educate your people about cybersecurity, they approach your safeguards with suspicion and fear.
“I’ve seen plenty of users, when they first start the security awareness training, who freak out, especially after failing, and they’re like, oh my God, the security team is gonna block my account and I won’t be able to do anything anymore,” Nelson said. “But we’re saying—hang on, we just want to work with you. We want to ensure you understand the component in the con, so you just don’t become a happy clicker and click on everything, or you don’t supply your credentials to everything under the sun. These protections allow you to enjoy the internet and your work tools more, not less. Helping people understand that in your organization is key.”
Cybersecurity Mistake #4: Thinking you can “bolt-on” your security on top of what you’re already doing
Cybersecurity is not any one tool or set of tools. According to our team, it’s a philosophy—a way of looking at your systems that bakes security into the root of all your IT infrastructure decisions.
“Let’s say you go out and see a great new app or program you want to implement. It’s nice and shiny, it looks good, and the salesperson says it will integrate just fine with your business,” McCourt said. “You buy the tool, and come back to IT, and can’t understand why your cybersecurity experts are suddenly balking at it.”
The trouble, he added, comes from not checking with them first. Your CISO or your information security officer needs to vet everything that runs on your systems to ensure it’s up to your cybersecurity standards. Fail to do that, and there’s a good chance you’ll be wasting time and money in the end.
“Your security team comes back and says hang on—how bad is the agreement you just signed to buy this tool?” McCourt continued. “Because, by the way, this tool is hosted outside of the country. Now suddenly, you can’t work with certain vendors or clients because your tool is hosted in a country outside the US or Europe. It’s a problem because there are often regulations and laws against that. There are a lot of reasons why a new add-on could be bad. It’s best to consult your security experts during every stage of the vetting process. They can help you pick cybersecurity tools that will be an asset to your organization and part of your holistic security strategy. It might even win you business in the end.”
Cybersecurity Mistake #5: Doing a penetration test too quickly
A penetration test involves white hat hackers attacking your system to find its weaknesses. It may also include phishing tests sent to your employees to see if they are vulnerable to typical schemes. A penetration test is a tremendously effective tool and invaluable in crafting a cybersecurity policy. But doing one too soon can come at a cost, according to McCourt.
“Penetration tests are a waste of time until you have a security posture in place. It won’t work. You can’t walk in and say, I don’t have phishing simulations. I don’t have security awareness training. I don’t have vulnerability management. I don’t have patching, but I want a penetration test. There are so many good organizations out there that do excellent penetration tests. Unfortunately, they are often called in to do or perform an assessment on an organization that isn’t ready,” McCourt said.
Instead of looking at penetration tests as a cure-all, McCourt recommended starting with a thorough assessment. A penetration test should only be performed after the recommendations from the assessment have been implemented. “Then you’ll know you’re doing a real test. A penetration test helps you correct for the small gaps in your security. But it’s not what you do when you’re on square one,” he said.
Cybersecurity Mistake #6: Not having written standards
Companies often neglect to have written standards and policies around their cybersecurity. Why? Because dozens of them are usually needed, covering everything from equipment management to backup procedures, admin credentialing, remote work policies, and so much more. But it’s well worth the effort.
“Once you’ve pulled the governance together, you begin to shift the organization’s culture,” Maggy said. “Having your procedures and policies written down is a big part of that effort. It keeps your cybersecurity from being a siloed effort operating off on the side. It simply becomes intrinsic to the way that everybody goes about their workflows and goes about their business,” he added.
Maggy noted this is one area where having an IT vendor with managed security service provider (MSSP) capabilities like Integris can help. These vendors will not only have senior-level cybersecurity strategists on staff who can write policy, but they’ll also have a trove of documents they can pull from. What would take your internal IT manager months to write can be done in weeks. With existing in-house templates, they have a big head start on knowing what to write, how to integrate your policies, and how to handle compliance reporting.
Want to know more?
Integris has a deep bench of vCISOs and an extensive vCISO program that can be added to existing or new MSP contracts. We’d love to talk to you more about what we can do for you! Contact us today for a free consultation.