The top cybersecurity mistakes companies are making (and how to avoid them)

There's not a one-size-fits-all approach to cybersecurity. Learn some of the common mistakes and how you can get on the right path.


Cybersecurity is increasingly important as more and more attacks happen all the time, leaving organizations scrambling for solutions. How can you keep your company safe from attacks and the resulting financial losses?
 
I discussed the topic with Alex Manea, chief security and privacy officer at Georgian Partners, a North American venture capital firm that invests in growth-stage companies using artificial intelligence and machine learning technologies to solve business problems.
 
 
Scott Matteson: What mistakes are companies making in cybersecurity?

Alex Manea: One of the worst things that you can do is to try and stop every single attack, but that's a fairly typical mistake. 

It's critical to understand that perfect cybersecurity is a goal you must always strive for, but ultimately will never reach. Make sure you understand your organizational constraints — be they technological, budgetary or even political — and work to minimize risk with the resources that you're given. Think of cybersecurity as a game of economic optimization.

On the other hand, you also don't want to make the mistake of "locking the door and leaving the window open." Don't dedicate the bulk of your cybersecurity resources toward addressing a single area or deploying a specific technology. 

When you're addressing security risks, think in terms of severity and likelihood. While you hear a lot about high-profile cyber attacks like Stuxnet — complex, multilayered attacks executed by elite hackers working for nation-state entities — the majority of cyber breaches are much more mundane. In fact, you're much more likely to get hit by something like WannaCry, a relatively simple piece of ransomware that caused $4 billion in damage. It used a publicly known Windows vulnerability for which Microsoft had released a patch months before, but which many companies hadn't yet deployed.

Start by sitting down with your team and asking if they have a holistic, end-to-end threat model of your business. Encourage them to think about it from the point of view of a hacker: What would they want to achieve and what's the easiest way to achieve it? Once you've identified your crown jewels and the path of least resistance, focus on adding economically efficient obstacles to that path.


Many companies are also overlooking the need to apply penetration testing to their own environment to see how hackable they may be. If you don't have the necessary resources internally, hire professional penetration testers. They look for unpatched software vulnerabilities, test your firewall settings, attempt to install malware on your endpoints, conduct SQL injection attacks on your web properties and use targeted phishing campaigns to try and get inside your network. Test your cybersecurity at least once a year, taking the necessary steps to prioritize and fix vulnerabilities that are identified.

Finally, don't kick the can down the road when it comes to implementing security in your product or service. It should be "baked in" throughout the process. 

If you haven't already established a good cybersecurity architecture to oversee this, there's a high likelihood you're going to be breached. The best defense is to start thinking about cybersecurity as early as possible. That includes drafting a security policy, putting incident response mechanisms in place, and most important, assigning responsibility to one specific employee or team of employees. Keep in mind that if everyone is in charge of cybersecurity, then in effect no one is in charge.

Cyberattacks are getting increasingly sophisticated with the potential to cause greater harm in an increasingly complex digital world. The good news is that it's never too late to fix a mistake.

Scott Matteson: What are companies doing right?

Alex Manea: There's a lot to be said for getting started, and many have done so. The longer companies put off investing in cybersecurity, the harder it becomes when they are inevitably forced to tackle the issue. The constant stream of high-profile data breaches is quickly turning cybersecurity from a nice-to-have to a must-have.

To do this yourself, start by building a threat model. Think like a hacker: where would you start if you wanted to access the most valuable assets in the company? Follow the path of least resistance, and put effective obstacles in place to make it more difficult to tread. You can never ensure that you won't get hacked, but you can make it difficult enough that most hackers simply move on to easier targets.

Once this is in place, make sure that cybersecurity is not a one-and-done task. Keep the conversation going by making cybersecurity and the potential risks a regular board-level discussion.
 
Scott Matteson: How should companies educate their employees?
 
Alex Manea: The most effective way to change your employees' behavior is through actions, accountability and cultural change. The most important message to get across is that you take security seriously as a company, and that everyone is responsible for it. Make sure your actions, processes and systems support and reinforce this message; most employees are very quick to detect and respond to perceived hypocrisy.
 
To ingrain security in your culture, make it ever-present. You can do this by including it as an agenda item on every major meeting and by making employees accountable for the security implications of their decisions. Recognize and reward good practices, and assess security thinking in business strategy, culture, hiring, and promotion.

Scott Matteson: What systems or processes should they put in place?
 
Alex Manea: Start by following the fundamental principles of least privilege, decentralization and redundancy.

  • Least privilege means never granting access to more resources than are required to complete the task. This is true for software, but also for human-based systems such as granting physical access to an office building after hours. 
  • Decentralization applies to both human processes as well as to software architectures. When two individuals are required to approve a financial process or to add a user to a software system, a human process is decentralized. 
  • Finally, use and provide services that build in redundancy. This means that multiple instances of your environment are made available to reduce the likelihood that an attacker can disrupt your services entirely.
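The first two principles above, least privilege and decentralization, map directly onto small authorization primitives. The following is an added illustration, not code from the interview or from Georgian Partners: a default-deny authorizer whose grants are scoped to one principal, one action and one resource (optionally time-limited, which covers the after-hours building-access case), plus a two-person approval rule in which the requester cannot approve their own change and repeated sign-off by the same approver does not count twice. All names, resources and grants are constructed for the example.

```python
"""Least privilege and decentralization as small authorization primitives.

Constructed example: every principal, resource and grant below is made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One explicit permission: who may do what, to which resource, until when.

    expires_at=None is a standing grant; a timestamp makes the grant temporary,
    e.g. after-hours building access that lapses on its own.
    """
    principal: str
    action: str
    resource: str
    expires_at: Optional[datetime] = None


class Authorizer:
    """Default-deny: anything not covered by an unexpired, exactly matching grant is refused."""

    def __init__(self, grants):
        self._grants = tuple(grants)

    def is_allowed(self, principal: str, action: str, resource: str, now: datetime) -> bool:
        return any(
            g.principal == principal
            and g.action == action
            and g.resource == resource
            and (g.expires_at is None or now < g.expires_at)
            for g in self._grants
        )


@dataclass
class ApprovalRequest:
    """A privileged change that must collect distinct approvers before it may run."""
    requester: str
    action: str
    resource: str
    approvers: set = field(default_factory=set)


class DualControl:
    """Two-person rule: a request is executable only after REQUIRED distinct approvers,
    none of whom is the requester, have signed off."""

    REQUIRED = 2

    def __init__(self, authorizer: Authorizer):
        self._auth = authorizer

    def approve(self, request: ApprovalRequest, approver: str, now: datetime) -> None:
        if approver == request.requester:
            raise PermissionError("requester may not approve their own request")
        # Approving is itself a privilege: it needs an explicit 'approve' grant on the resource.
        if not self._auth.is_allowed(approver, "approve", request.resource, now):
            raise PermissionError(f"{approver} is not an authorized approver for {request.resource}")
        request.approvers.add(approver)  # a set, so the same approver cannot count twice

    def can_execute(self, request: ApprovalRequest) -> bool:
        return len(request.approvers) >= self.REQUIRED


def demo() -> dict:
    """Run the scenarios on constructed data and return each outcome by name."""
    now = datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc)
    auth = Authorizer([
        Grant("alice", "read", "payroll-db"),           # read only, no write, no approve
        Grant("bob", "approve", "payroll-db"),
        Grant("carol", "approve", "payroll-db"),
        Grant("dave", "approve", "payroll-db"),
        # temporary after-hours access that expires one hour from 'now'
        Grant("erin", "enter", "hq-building", expires_at=now + timedelta(hours=1)),
    ])
    dc = DualControl(auth)
    results = {}

    results["alice_read"] = auth.is_allowed("alice", "read", "payroll-db", now)
    results["alice_write"] = auth.is_allowed("alice", "write", "payroll-db", now)
    results["erin_in_window"] = auth.is_allowed("erin", "enter", "hq-building", now)
    results["erin_after_expiry"] = auth.is_allowed("erin", "enter", "hq-building", now + timedelta(hours=2))

    req = ApprovalRequest(requester="bob", action="add_user", resource="payroll-db")
    try:
        dc.approve(req, "bob", now)                     # self-approval
        results["self_approval"] = "allowed"
    except PermissionError:
        results["self_approval"] = "refused"
    try:
        dc.approve(req, "alice", now)                   # alice has no approve grant
        results["unauthorized_approver"] = "allowed"
    except PermissionError:
        results["unauthorized_approver"] = "refused"
    dc.approve(req, "carol", now)
    results["after_one_approval"] = dc.can_execute(req)
    dc.approve(req, "carol", now)                       # repeat sign-off by the same person
    results["after_repeat_approval"] = dc.can_execute(req)
    dc.approve(req, "dave", now)                        # second distinct approver
    results["after_two_approvers"] = dc.can_execute(req)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the design is that neither class has an "allow" default to fall back on: an action with no matching grant is denied, a lapsed grant is denied, and the approval path is itself gated by a grant, so adding an approver is an auditable authorization decision rather than a code change.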

When things inevitably do go wrong, learn from each incident by investigating and uncovering the root cause. Finally, draw up a remediation plan and practice using it so that you can recover quickly.

Scott Matteson: Should there be a form of penalization for ignoring cybersecurity rules?
 
Alex Manea: As much as governments and regulators may try to police cybersecurity, the ultimate judge, jury and executioner is the hackers themselves. The reputational damage of a serious breach can be a substantial blow for a growing company and will be used by competitors to cast doubt over your ability to handle sensitive data for years to come.
 
Remember that cybersecurity decisions have long-term, latent effects. The reason we're seeing so many large-scale data breaches today is because of decisions made five, 10, or even 20 years ago. That means the decisions you make today will ultimately determine how safe you are in the future.

Scott Matteson: How should IT and security departments try to automate cybersecurity?
 
Alex Manea: One of the most effective ways to automate cybersecurity is to deploy a Security Orchestration, Automation, and Response (SOAR) product. This new market segment has emerged over the past few years to solve a problem that nearly every Security Operations Center (SOC) faces: How to deal with the overload of signals from different security solutions and understand the full lifecycle of security incidents. An effective SOAR platform can help you effectively manage your security operations end-to-end, automate the most common tasks and give you full visibility into your environment.
 
Scott Matteson: What is the ROI on cybersecurity solutions?
 
Alex Manea: Most people think of cybersecurity ROI in terms of reducing the risks of cyberattacks and large-scale data breaches, but that's just the tip of the iceberg. The real ROI comes from building a strong, trusted brand with your customers, giving you a measurable competitive advantage and improving customer acquisition and retention.
 
Cybersecurity is just one piece of the trust puzzle. Start by having proper accountability in your organization, build a strong cybersecurity architecture, protect customer privacy, ensure fair business practices, build a reliable system and be as transparent as possible. At Georgian Partners, we believe that companies that differentiate on trust will outperform their competitors over the long run, and we put our money behind this fundamental thesis.
