
4 Dangerous Security Assumptions to Avoid

By Michelle Drolet
2 Nov 2018

Many organizations take steps to guard against data breaches, employing new policies, tools and strategies that make them feel protected, but their defenses may not be as strong as they think. Unfortunately, this false sense of security is all-too-easy to come by.

Data breaches are commonplace now and there’s a growing realization that organizations need to do more to combat them and to deal with the aftermath. The potential cost of stolen data extends beyond cleanup operations to potential regulatory fines and reputational damage. Although there’s more awareness of the risks today, taking the right, comprehensive steps to safeguard data is harder than people imagine.

It’s not unusual for companies to start out in the right direction but fall short because one specific area is overlooked. Achieving a high standard of cybersecurity requires a thorough, holistic view of the risks and a robust, continuous effort. The truth is that many organizations do one or two things right and then put their feet up, content to bask in the warm but erroneous sensation that they’re safe.

The risk isn’t that big

Smaller businesses are especially prone to this kind of wishful thinking. They may assume that bigger companies are more attractive targets, but cybercriminals favor the path of least resistance: much of the scanning and initial compromise is automated and indiscriminate, so if you shirk security, you’re the low-hanging fruit. One of the most shocking things about basic security hygiene is just how many companies ignore it completely.

The idea that your data isn’t valuable or desirable to hackers is another risky way to think. Even if your data has no resale value, your infrastructure does. A breach may lead to resource hijacking, whereby attackers use your servers to host pornography or subvert your workloads to mine cryptocurrency, and a compromised system can also serve as a staging point for attacks on others. If you think you’re immune as a target, you’re kidding yourself.

There’s no need for some big criminal gang to decide to attack you either: a lone novice hacker can buy or rent sophisticated tools on the dark web and wield them effectively without having to understand how they work.

We’re already in compliance

It’s obviously vital to ensure that you comply with regulations like the GDPR and the incoming CCPA, and many industries have their own sets of rules and regulations to safeguard different kinds of data. Failure to adhere to these regulations can lead to punitive fines. While there is some skepticism about how willing regulatory bodies are to hand out major fines, it’s not something you want to put to the test.

Complying with these rules will push you to adopt better security standards and more comprehensive, robust incident response plans, but it’s no guarantee that you won’t suffer a data breach. Compliance is unequivocally a good thing, but don’t fall into the trap of equating it with security: a regulation sets a minimum bar, and attackers are under no obligation to stop at it. It’s also important to remember that compliance isn’t a checklist that you tick off and forget about; it’s a commitment to a standard, and it requires constant renewal and reconsideration as your systems and the threats change.

Too many companies, perhaps having paid consultants to come in and get them compliant in time for the deadline, believe it’s something they no longer have to think about. But they’re wrong.

We have trained our staff

We’ve talked about how important it is to institute a good security awareness training program and to keep an eye on your employees, but this is another security step that too many people think you can complete once and forget about. A proper training program should evolve over time and be a regular part of your employees’ schedule.

Another major mistake many organizations make in this area is that they don’t test whether the training they’ve provided was effective. It’s crucial to test your employees with mock phishing emails or social media messages to see whether they respond correctly, which means reporting the message rather than merely not clicking it. The results must drive some action. Failure should prompt further training, but repeated failure needs to lead to disciplinary action and even dismissal in severe cases.

You can’t turn a blind eye to staff members repeatedly failing to meet your security standards. Your security strategy is only as strong as its weakest link and it only takes one employee to erode your efforts.

We’re covered by cyber insurance

This is a common statement that makes people feel more secure than they should, and there are a couple of reasons why it’s dangerous. This is such a new area of liability that many of the people selling and buying these policies don’t really understand what coverage is required. It’s all too easy to assume that you’re covered for a specific eventuality, only to find out during the claims process that you aren’t, for example because the policy excludes losses attributed to a control you had agreed to maintain.

The best insurance drives good behavior to reduce risk, but the depth required to do that in cybersecurity is often lacking right now. The policy might dictate that you have a firewall, for example, but not how that firewall is configured; a firewall that allows everything satisfies the letter of such a requirement while providing no protection at all. Misconfiguration is such a common entry point for an attacker that it really needs to be part of the consideration here.
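A concrete illustration of the firewall point, as an added example that is not from the article: a small Python linter over a hypothetical, simplified rule format (not any vendor's syntax) that flags inbound allow rules exposing administrative or database ports, or every port, to the whole internet. The sensitive-port list, both rule sets and the 10.0.0.0/8 management range are constructed for the example; the linter judges each allow rule on its own and does not model first-match ordering.

```python
"""Firewall rule linter (added example, not from the article).

A policy that merely requires "a firewall" is satisfied by a firewall that
allows everything. This checker flags inbound ALLOW rules that expose
administrative or database ports, or all ports, to the whole internet.
The rule format is a hypothetical simplified one, not any vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports an attacker typically probes first; exposing them to 0.0.0.0/0 is
# the classic misconfiguration. The list is an assumption for this example.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3306: "mysql",
                   3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb"}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR of the permitted source
    dport: Optional[int]   # destination port; None means every port


def is_world_reachable(src: str) -> bool:
    """True if the source CIDR is the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def lint(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, finding) pairs for dangerous inbound allow rules.

    Each allow rule is judged in isolation; rule ordering is not modeled.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or not is_world_reachable(r.src):
            continue
        if r.dport is None:
            findings.append((i, f"allow {r.proto} from {r.src} to ANY port: "
                                f"the firewall is effectively absent"))
        elif r.dport in SENSITIVE_PORTS:
            findings.append((i, f"{SENSITIVE_PORTS[r.dport]} ({r.dport}/{r.proto}) "
                                f"exposed to {r.src}"))
    return findings


# Constructed "policy-compliant" rule set: a firewall exists, but it allows
# everything, so the trailing deny never matches.
WEAK = [
    Rule("allow", "any", "0.0.0.0/0", None),
    Rule("deny", "any", "0.0.0.0/0", None),
]

# Constructed hardened rule set: public web only; SSH and the database are
# reachable solely from the assumed 10.0.0.0/8 management range.
HARDENED = [
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "0.0.0.0/0", 80),
    Rule("allow", "tcp", "10.0.0.0/8", 22),
    Rule("allow", "tcp", "10.0.0.0/8", 5432),
    Rule("deny", "any", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint(rules) or "no findings")
```

Both rule sets would pass a checkbox that only asks "is a firewall deployed?"; only the linter distinguishes them, which is the gap between having a control and having it configured.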

As it stands right now, you shouldn’t be assuming you’re safe simply because you have a policy in place.

The last word

This is by no means an exhaustive list of the things that can lull you into a false sense of security about the threat of a data breach, but you should certainly examine these four myths in your own organization. The key thing to take away is that a successful defense against data breaches requires commitment and continuous effort, not a one-time milestone.


This article was originally posted on CSOOnline.