The cybersecurity landscape continues to become more complex as hackers invent new ways to exploit organizations and their data. As business's technology architectures become more complex, IT organizations struggle to keep pace with them, often leaving the door open for breaches.
The Equifax hack was a good example of that because one, single patch (software update) could have saved 145 million Americans unnecessary angst.
Hackers expect to discover that software has not been updated in a timely fashion or that the software itself has security flaws. They count on outdated identity and access management mechanisms and easy-to-remember passwords.
Social engineering is also a popular tactic, because it's efficient. Why try to guess someone's password when the person will hand it over willingly on Facebook or over a cocktail at a trade show? Phishing (fraudulent emails) and spear phishing (fraudulent emails targeted at particular individuals) are very effective, mainly because so many individuals have not yet been taught how to think critically about the communications they receive.
The common thread that runs across all of these scenarios is that humans are to blame. Humans are the ones inadvertently designing security holes into their products or failing to update software. Employees, including IT personnel, are saying things and clicking on things that should be avoided.
People are not making these mistakes intentionally most of the time, but that doesn't matter. There are gaping holes in just about every company's security fabric that need to be addressed.
What AT&T’s 2017 Cybersecurity Survey Says
AT&T's 2017 Global State of Cybersecurity survey reveals some gaps that are exposing companies to risk. For example, 25% of respondents said their organizations seem to think cyber insurance is a viable substitute for cyber defense investment. While cybersecurity insurance is prudent these days, it is not a substitute for cybersecurity itself.
The reality is, your network is going to be breached sometime by an internal or external actor. While it's a good idea to do as much as possible to keep unauthorized parties from getting access to systems and data, they'll get in nonetheless. Cybersecurity defense has to be fortified with cybersecurity offense. Regardless of what your cybersecurity strategy is, don't forget to encrypt your data at rest and in motion, and while you're at it, make sure the encryption key management mechanism isn't exposing you to risks you think are covered. That way, should a breach happen, you're not just handing over data.
The second challenge the survey identified was that two-third of respondents think their in-house cybersecurity capabilities are adequate against cyber threats, yet nearly 80% of their organizations have been breached in the last year.
Overconfidence is a poor form of security. Even companies that have vast security teams face challenges. The smart ones don't try to design, build, and deploy everything on their own. They're working with cybersecurity experts and vendors to plug the known holes and identify and fix unknown holes.
The third point is that 61% of organizations mandate cybersecurity awareness training for all employees, while more than half of survey participants admitted to breaches from employee devices with malware.
Training is important, but training isn't everything. If companies want to change the behavior of their employees, it takes more than training and mandates. The most effective way to change people’s behavior is to align their compensation and incentives with desired behavior. Few people read employee handbooks or a company's security policy, and even if they did, many would not change their behavior.
What’s Coming in 2018
More enterprises engage MSPs and MSSPs to help them with cybersecurity because they realize they are powerless to manage all the threats using in-house resources alone. Throughout 2018, you'll see more high-profile breaches and also more MSP and MSSP offerings designed to help organizations avoid or at least minimize those breaches.
If you're serious about cybersecurity, realize that "safety" is a moving target. 30 years ago, firewalls were supposed to stop hackers in their tracks. Today, the cybersecurity landscape is complex and getting more complex all the time to counter the effects of malicious and inadvertent actors. Ironically, as cybersecurity and technology infrastructures become more complex, they become more fragile, creating opportunities for new forms of breaches.
We believe – and you will see in 2018 – that some of the most effective cybersecurity mechanisms are simple, easy-to-use, and elegant.