There is a well-known saying that there are two types of organisations: those that know they have been hacked and those that don't. With every passing year, the threat landscape in cybersecurity changes dynamically. The sophistication, complexity, intensity and frequency of cyber security threats are increasing daily. The response to this changing threat landscape is also evolving dynamically, with a much larger focus now on securing endpoints from both traditional and advanced threats.
When it comes to business, many firms end up repeating the same mistakes when securing their endpoints: they ignore human error, follow a poor security culture, and mistake compliance for hygiene. The root of all these issues can be traced to mindset. New threats and threat actors need to be fought with new techniques based on new thinking and a new mindset. The three mistakes are discussed in detail below:
1) Ignoring Human Error
Most businesses ignore human error because their security teams tend to recognize only old-school threats, treating external threats as the major ones and disregarding internal threats. The situation has changed completely. According to a report published by Intel Security, 43% of data breaches were caused internally. Half of these internal breaches were accidental, caused by poor security hygiene, while the other half happened because of deliberate malicious intent. Security professionals need to bring about a complete shift in their thinking. It is important to tackle external threats, but internal threats must not be ignored; they should receive equal attention.
2) Poor Security Culture
This is another problem identified in businesses that suffer a breach. People think that using an anti-virus and a firewall gets the job done. This is not the case. Gone are the days when an ordinary virus was the main concern. Cyberspace is now infested with malware such as ransomware, hybrid malware and destructive Trojans. At the same time, attackers are using advanced techniques like spear phishing that target the weaknesses in people's cyber habits. Unless people drive their culture through cyber awareness, endpoints won't be secure. A new way of thinking is taking shape in cybersecurity that recognizes the people who use endpoint devices as part of the endpoint. Therefore, to improve cyber defenses, organizations should focus on removing vulnerabilities from both individuals and devices.
3) Equating Compliance with Security
In the previous decade, many rules and regulations related to data security implementation have been standardized. There are regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS) that organizations must comply with; if they don't, they are subject to fines and penalties under the law. The problem is that most organizations think that once they have complied with these standards, they are safe and secure and need no extra security. Moreover, organizations pursue compliance only to the minimum, i.e. only to the level that makes them compliant with the rules. They don't go the extra mile that makes them secure. Organizations must not confuse security with compliance. Both have their own importance. Compliance should be used as a base on which to build a stronger security framework, not as security in itself.