Read through your Twitter feed or turn on the news on any given day and one thing is evident: cyber attacks are happening in organizations of every industry and size. These attacks are increasing in both number and sophistication, and we are confident that this trend will continue.

Developing a cybersecurity strategy can give your organization the foundation and mandate to develop good policies and procedures for improving resilience. In developing that strategy, these are the five most common mistakes that you absolutely cannot afford to make:  

  1. Focusing too much on perimeter defense. For the earliest stages of a breach, the question is no longer “if”, but “when”. Sophisticated attackers will compromise your first lines of defense: employee workstations, email accounts, and Internet-facing services. Perimeter defenses are still important, but you cannot neglect what happens once an attacker has a foothold inside your network. Can you prevent the attacker from moving laterally to more sensitive parts of your network and causing significant damage? Modern networks require more than one layer of defense to adequately protect your data and computing resources.
  1. Focusing too much on prevention instead of detection and response. An initial attack takes minutes. Discovery and response take weeks or months. A recent study found that it takes an average of 256 days for an attack to be identified. This is entirely too long. A cyber attack is not always obvious, so your organization must invest seriously in its ability to detect and respond.
  1. Focusing only on being compliant. Compliance does not ensure protection from all threats: it is only a baseline of minimum requirements. Mandatory regulations are designed to protect customer and financial data. As technology advances and your organization continues to grow, a compliance-only mindset puts your organization at risk. To protect your customer data, sensitive corporate data, operations and reputation, you must go beyond compliance and take an offense-oriented approach.
  1. Failing to understand the difference between penetration testing and vulnerability scanning. These offense-oriented cybersecurity services are often not clearly defined by those who offer or procure them, which creates confusion. I often speak with clients who have purchased an automated test from a vendor that called it a ‘penetration test.’ What they are actually getting is a vulnerability scan, not a penetration test. These two services, however, are very different in the complexity and depth of the vulnerabilities they test for, in the talent required to execute them, and in the report that will ultimately be delivered.

When penetration testing is performed manually by humans emulating the persistent, aggressive actions of real attackers, the results far exceed what most of today’s automated vulnerability scans provide.

Check out this recent blog series by our director of cyber operations, Wesley McGrew, on the differences in these services and why it matters: Vulnerability Scans and Penetration Tests: What’s the Difference?

  1. Not treating cybersecurity as a business risk. Many organizations look at cybersecurity as an IT issue. It is much more than that. The more connected we become, the more dangerous cyber criminals are to your organization. Using sophisticated techniques, attackers can steal not only your customer or employee information but also your intellectual property, trade secrets, and more. Beyond that, attackers can cross over into the physical world by gaining control of physical assets such as door locks, HVAC systems, phone systems, scanners, and more.

Make no mistake—cybersecurity is one of the biggest risks to your business today and one that needs to be taken extremely seriously from the top down.

Our team will be speaking on these mistakes and providing advice on protecting your organization at the MS CPA Banking and Finance Conference on August 25th and the NE Mississippi Financial Planning Association Annual Symposium on August 24th. We encourage you to join us!

THIS POST WAS WRITTEN BY Mike Skinner

Mike is the partner in charge for HORNE Cyber. His primary focus is to enable clients to fully leverage technology innovations by providing the insights critical to safeguarding their business, customers’ critical data and brand reputation. He is responsible for information technology audit, regulatory compliance, information security consulting, internal control consulting and business solution implementation.