Three Hard Truths About Organizational Cybersecurity

Featured Post

Three Hard Truths About Organizational Cybersecurity

In recent years, many business and IT decision-makers have missed key opportunities when it comes to essential organizational cybersecurity practices - from not properly segmenting networks and not deactivating unused accounts (or protecting them with multi-factor authentication), to not implementing proper password security controls. As a result, organizations are increasingly falling victim to costly and damaging data breaches, replete with the associated disruption to operations and issues with both legal and public relations departments.

One reason for this is that organizations are not applying the same logic or method as they would for other business decisions. Non-technical members of the C-suite often treat cybersecurity like a vending machine: Insert money into the machine, security tools come out, and the organization is secure. This omits a crucial step - a systematic analysis of why these purchases are being made (or not being made).

When the organization is inevitably breached, the reaction is to spend more money on new tools, replace the security staff, or both – again, with no systematic analysis of why these steps are being taken. Spending more and more money is not always the answer. Instead, improving cybersecurity decision-making requires a shift in mindset, and this includes recognizing some hard truths. Here are three major ones, along with how to address them.

There is no "magic technology" that will prevent all cyberattacks

Unfortunately, there is no such thing as 100% protection against cyberattacks. Beware of vendors who claim that their product will make your organization impenetrable.

Does that mean you should do nothing? Of course not. Seatbelts don't prevent 100% of auto accident deaths, but we wear them because they make it far more likely that we'll survive a crash. 

Instead, organizations must take a holistic approach to cybersecurity. Naturally, this will include the latest tools and technologies, but it must also include the basics such as securing employee passwords. Weak and compromised credentials are responsible for over 80% of successful data breaches and about 75% of ransomware attacks. Meanwhile, Keeper's research has found that almost half (44%) of employees reuse passwords across personal and work-related accounts. More must be done to educate employees on the importance of basic cyber hygiene to tangibly reduce the likelihood of an attack.

While securing employee login credentials won't make your organization impenetrable, it will significantly reduce the chances that a threat actor will breach your defenses.

Financially starving your cybersecurity program doesn't work – but neither does throwing money at it

In 2020, research conducted by Ponemon and commissioned by Keeper Security found that less than half (45%) of global IT decision-makers feel that their organizations' IT security budget is adequate for managing and mitigating the cybersecurity risks caused by remote work. 

Two years later, four out of five organizations plan to increase their cybersecurity budgets.

At face value, this may seem like a good thing. However, we've frequently observed organizations blindly spending money on quick fixes that are often ineffective at reducing cyber risk. 

Cyber risk reduction is rooted in sound decision-making. Before purchasing software or hiring more IT security staff, ask yourself what your organization is trying to accomplish from a security perspective. Make sure your security dollars are helping you cover the four primary pillars of cybersecurity: prevention, detection, remediation, and response.

Sacrificing security at the altar of usability isn't wise, but neither is doing the opposite

When the COVID-19 pandemic forced organizations to enable remote work on a massive scale, and do so virtually overnight, security frequently took a backseat to user access and productivity. The result was a massive surge in cyberattacks as threat actors took advantage of the perfect storm of confusion and lax security protocols.

Ignoring security is a recipe for disaster, but implementing security tools that are time-consuming and difficult for IT staff to maintain, and for end users to use, creates a new set of problems. If a security tool is too hard for employees to use, they'll seek ways to bypass it, not because they don't care about security, but because human behavior favors convenience. Striking a balance between effective security and efficient usability is challenging. Deploying a smaller set of simple but powerful tools will do a lot more to reduce cyber risk than deploying a dizzying array of complicated security solutions that employees routinely bypass.

Summary

The distributed work revolution has demolished the concept of the network perimeter and made organizational cybersecurity more challenging than ever. By focusing on cybersecurity outcomes instead of "magic technology," and realizing that security is about strategic risk reduction, organizations can dramatically reduce their cyber risk while ensuring usability and productivity.

Keeper's zero-trust and zero-knowledge password management and cybersecurity platform provides organizations with total visibility and control over employee password practices they need to successfully defend against the most common attacks. IT administrators can secure, monitor and control passwords and secrets use across the entire organization, both remote and on-prem, and set up and enforce 2FA, RBAC and least-privilege access.