8 Common Cybersecurity Mistakes - And How to Avoid Them

Streamscan helps companies deal with security incidents every day. So we see first-hand all the schemes hackers use to get into networks. We also see, repeatedly, the mistakes that organizations make that leave their networks at the mercy of hackers.

Here are the TOP 8 cybersecurity mistakes companies make.

Mistake 1: Thinking that an antivirus program and firewall are enough to secure your organization

Many IT specialists still think that an antivirus and a firewall are enough to protect against cyber attacks. In 2021, if your cyber defense strategy is based solely on your antivirus and firewall, buy bitcoins and get ready to pull all-nighters to respond to security incidents. Rather than launching blind attacks and hoping they will get through your firewall, most hackers today will exploit protocols and services that are allowed through corporate firewalls (web, email, etc.). The effectiveness of your firewall is very limited against this type of attack.

As for your antivirus, with the explosion of cyberthreats (more than 1 million new malicious tools detected every day in 2020), it goes without saying that they are less and less effective. Assume that they will protect you against 25% of malicious tools.

Solution: Treat your organization as a coveted castle. You will need several layers to protect yourself, which is called the defense-in-depth strategy. Antivirus and firewall can slow down hackers or protect you from specific attacks, but that's where it ends. Other tools will protect you from other types of malicious activity that may target you.

Solution: the best thing to do is to start your cybersecurity strategy by doing a risk analysis. This analysis will allow you to identify all the risks that can target you, as well as the measures you will need to put in place to mitigate them. By doing this exercise, you will quickly realize that antivirus and firewall are no longer sufficient to protect you.

Mistake 2: Assuming that you will never be a target

Many believe that if you get hacked, it means that you have an enemy who has decided to harm you. It’s common, following a security incident, for a competitor or former employees to become suspects, usually wrongly.

In reality, 99% of cyber attacks are launched by bots that scan the Internet 24/7 to find a vulnerability, which they will then try to exploit. Unfortunately, if the bot comes across a vulnerable machine in your network, you're going to pay for it. And it only takes about 5 minutes for a system connected to the Internet to start being scanned and attacked. In other words, no matter what you do, your systems will always show up on the bots' radar, and these bots are owned by the hackers.

Solution: You are constantly on the hackers’ radar. Any organization is a potential target. Once you accept this, the next step is to identify your security risks and make sure you put the necessary measures in place to address them. You can learn more about security risk analysis here.

Mistake 3: Not patching your software

In many of the intrusion cases we've handled, we've found that the hacker got into the network by exploiting a known security vulnerability (most of which have been around for years).

Remember the Wannacry ransomware that infected over 200,000 computers in 3 days in May 2017? That ransomware exploited the Microsoft MS17-010 vulnerability, a patch for which was available before the attack. One would have expected that such a high-profile vulnerability would no longer exist in organizations. Unfortunately, this is not the case. We still see this known vulnerability on servers.

The most common reasons given by IT teams for the lack of vulnerability management are lack of resources, time, and/or lack of cybersecurity expertise.

Solution: Security vulnerability management is crucial to keeping your network safe from cyberattacks. The more vulnerabilities you fix, the more you minimize your attack surface. We recommend that you implement a security vulnerability management process to identify and fix existing vulnerabilities in your network before hackers find them and try to exploit them. You can use tools such as NESSUS, RAPID7, NEXPOSE, and OPENVAS to identify and fix security vulnerabilities. In addition to its ability to detect intrusions and malicious tools, Streamscan's CDS technology can also identify security vulnerabilities in your network, making it the ideal choice for a small to medium-sized business. Indeed, rather than acquiring, deploying and maintaining 1 tool for vulnerability management and 1 tool for cyber-attack detection, CDS offers you everything in one package. This not only reduces your costs but also allows you to proactively manage your security vulnerabilities: every time the CDS discovers a security vulnerability in your network by analyzing the network traffic, you receive an alert. With the above-mentioned tools, you have to run periodic scans, analyze the scan reports (tens or hundreds of pages) and identify the most relevant vulnerabilities to fix. This is difficult when you don’t have qualified internal resources.

Mistake 4: Not monitoring network security

From experience, many cyberattacks could have been avoided if organizations monitored the attacks that targeted them. Ransomware infection, data exfiltration, and fraud are nearly always the result of attacks that occurred in several phases. For example, hackers first scan your network for vulnerabilities, then try to exploit them, take control of your network, search for interesting machines or services in your network before infecting some of them with ransomware. This can take a few days or several months. Note that many of the current attack types (e.g. brute force RDP/VPN) make a lot of noise that is easy to detect if you monitor your network security.

Solution: Deploy an intrusion detection system (IDS/IPS/NDR) such as Streamscan's CDS to monitor your network security. These kinds of tools allow you to have a 360-degree visibility of your network and alert you in case of cyber attacks. Reacting to these alerts allows you to mitigate attacks and continuously enhance your network.

If you don't have in-house expertise to monitor your network security, the best thing to do is to outsource this activity via security monitoring services such as Streamscan's MDR.
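The "noisy" brute-force RDP pattern mentioned above is exactly the kind of activity that network security monitoring surfaces. As an added example that is not part of the original post or of Streamscan's CDS, the following script runs a sliding-window check over constructed records modelled on Windows Security event 4625 (failed logon, logon type 10 = RDP); the log format, threshold and sample values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records (not real logs), modelled on Windows Security event 4625
# (failed logon). Logon type 10 is RemoteInteractive, i.e. RDP. Fields:
# timestamp, event id, logon type, source IP, target account.
SAMPLE_EVENTS = [
    "2021-03-01T02:00:01 4625 10 203.0.113.7 administrator",
    "2021-03-01T02:00:03 4625 10 203.0.113.7 admin",
    "2021-03-01T02:00:05 4625 10 203.0.113.7 root",
    "2021-03-01T02:00:07 4625 10 203.0.113.7 user",
    "2021-03-01T02:00:09 4625 10 203.0.113.7 test",  # 5th failure in 8 s -> alert
    "2021-03-01T02:00:11 4625 10 203.0.113.7 guest",
    "2021-03-01T02:01:00 4625 10 198.51.100.4 jsmith",  # a user mistyping a password
    "2021-03-01T02:03:30 4625 10 198.51.100.4 jsmith",
    "2021-03-01T02:03:40 4624 10 198.51.100.4 jsmith",  # successful logon, not counted
    "2021-03-01T02:04:00 4625 3 203.0.113.50 svc",  # network logon failure, not RDP
]


def parse_event(line):
    """Split one constructed record into its fields."""
    ts, event_id, logon_type, src, account = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "src": src, "account": account}


def detect_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: time_of_first_alert} for every source that produced at
    least `threshold` failed RDP logons inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures still in the window
    alerts = {}
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue  # only failed RDP logons count
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for src, when in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} exceeded the RDP failure threshold at {when.isoformat()}")
```

The single user who mistypes a password twice in three minutes stays below the threshold, while the source that fails five times in eight seconds is flagged at the fifth failure.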

Mistake 5: Seeing cybersecurity only from a technology perspective

Some companies think that installing security tools is enough to keep them safe from cyberattacks. In several incidents we have managed, companies had security tools in place and these tools generated alerts that weren’t addressed. It wasn't until investigations that these organizations realized that the attack could have been detected quickly if the security alerts were monitored and acted on.

Solution: Installing tools is important, but it's not enough to keep you safe from cyberattacks. You need to have processes and trained personnel managing your security. If you don't have the in-house expertise, outsourced services such as Streamscan's MDR are a good option for you.

Mistake 6: Assuming imaginary protection not provided by your technology

Another serious issue we’ve encountered is a type of magical thinking on the part of IT teams. For example, one IT manager was surprised that his SIEM was unable to detect a bitcoin mining attack (launched via shellcode). Another couldn't understand why his firewall wasn't able to block a data exfiltration. In his case, the data exfiltration was done via HTTPS, the very protocol allowed in his network. In both cases, IT managers assumed that these features should be part of the tools they were paying for, when they weren’t. Just as a SIEM is not designed to detect shellcode attacks, a firewall is not designed to detect data exfiltration.

Solution: IT teams should perform a security diagnostic of their IT environment. This diagnostic consists of identifying all the security risks that may target them, and then checking whether the existing security tools have the necessary features to detect or block them. Don't presuppose anything; check for yourself before the hackers make you regret having been negligent. If you don't have the expertise, don't do it yourself. Call a specialized firm that is used to doing this kind of verification. The security diagnostic will show you the gaps and prioritize the measures to be implemented to close the gaps. You can learn more about the security diagnostic here.

Mistake 7: Underestimating the cost of ransomware attacks

Many organizations imagine that the cost of a ransomware attack comes down to the amount demanded for a ransom payment.

In reality, the amount of the ransom is very small compared to the cost of recovery. According to the latest SOPHOS Cyber Threat Report, the average amount of ransom demanded from SMBs by hackers was US$170,404. The average total cost was around $1.85M, which includes: the ransom amount, downtime, salary paid to employees who cannot work due to the impact of the ransomware on the network, etc.

Many organizations also believe that if they have backups, a ransomware attack will have no impact and cost nothing. This perception is wrong, as restoring backups takes time and your services will also be interrupted for several days, which will only add to the overall bill.

Solution: Understand upfront how much security incidents, especially ransomware, can cost you. A simple exercise is to ask yourself the following question: how much will it cost you if your network is completely shut down for 1 week? (This is what might happen to you if your Active Directory domain controller is infected, which is common). Identify all the impacts and costs (salary payments, sales, IT costs to rebuild the network, impact on your image or reputation, etc.). Then add the average ransomware amount (US$170,404). The final total gives you a better idea of the consequences of a cyberattack. This information will be useful when setting your security budgets.

Mistake 8: Over-reliance on employee awareness without confirming its effectiveness

It's a well-known fact that humans are the weakest link in cybersecurity. So user awareness is one of the priority security measures to implement in an organization. Based on the recommended good security practices, companies educate their employees once or twice a year. After the awareness session, IT teams assume that the message has been passed on and that, as a result, employees will be more vigilant. However, raising awareness does not guarantee that employees will not click on a malicious link.

Solution: Validate the effectiveness of your awareness campaigns. If you educate your employees once or twice a year, consider yourself at risk. New and more sophisticated phishing scenarios are appearing all the time. It’s important that after each awareness session, you conduct a test to identify which employees have clicked on bad links vs. those who didn’t.

We recommend that you educate your employees once a month. Identify the regular or compulsive clickers and offer them customized training.

If, despite this, some still continue to click, create a network segment for the “clickers” and connect them to this area. You should then limit communication between this area and the rest of your network (to the bare minimum required) so that if there is malicious activity, you limit the spread to the rest of the network. Remember, the hacker only needs one click to enter your network.
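Identifying the regular clickers across monthly simulations is a small bookkeeping task. As an added example that is not from the original post, the script below takes constructed results of three phishing-simulation campaigns (made-up names, an assumed headcount of 50) and reports the click rate per campaign plus the employees who clicked in at least two of the last three campaigns, the candidates for customized training.

```python
from collections import Counter

# Constructed results of monthly phishing simulations (made-up names, not real data):
# campaign id -> set of employees who clicked the simulated malicious link.
CAMPAIGNS = {
    "2021-01": {"alice", "bob", "carol"},
    "2021-02": {"bob", "dave"},
    "2021-03": {"bob", "carol", "erin"},
}
HEADCOUNT = 50  # assumed number of employees who received each simulation


def click_rates(campaigns, headcount=HEADCOUNT):
    """Percentage of recipients who clicked, per campaign, to track the trend over time."""
    return {cid: round(100.0 * len(clickers) / headcount, 1)
            for cid, clickers in sorted(campaigns.items())}


def click_counts(campaigns, last_n=None):
    """How many of the last `last_n` campaigns (all if None) each employee clicked in."""
    ids = sorted(campaigns)
    if last_n:
        ids = ids[-last_n:]
    counts = Counter()
    for cid in ids:
        counts.update(campaigns[cid])
    return counts


def repeat_clickers(campaigns, min_clicks=2, last_n=3):
    """Employees who clicked in at least `min_clicks` of the last `last_n` campaigns,
    most frequent first: these are the candidates for customized training."""
    counts = click_counts(campaigns, last_n)
    flagged = [name for name, n in counts.items() if n >= min_clicks]
    return sorted(flagged, key=lambda name: (-counts[name], name))


if __name__ == "__main__":
    print("click rate per campaign:", click_rates(CAMPAIGNS))
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
```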

Need Help with Cybersecurity? StreamScan is Here.

Whether you need help conducting a security diagnostic, developing a security plan, or want to implement an MDR (Managed Detection and Response) solution, StreamScan has experts with years of experience in cybersecurity who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.