Dan Lifshutz | August 11, 2016
Modern cybersecurity is often referred to as an arms race. In one corner are the organizations seeking to keep their data safe in their data center or in the cloud. In the other are the cybercriminals and hackers who look at that data and see dollar signs. Just like with any race, this one can’t be won by standing still – yet some businesses seem to be doing exactly that.
While reading through Cisco’s Midyear Cybersecurity Report, I was struck by its findings on the continuing struggle to adhere to the basic principles of IT security. For instance, there are few things more fundamental than patching. Yet according to Cisco’s report, there’s a significant gap between when patches are released and when they’re actually implemented. That’s if they’re implemented at all.
In case you haven’t checked out the report, it includes a section where Cisco analyzes a large sample of core infrastructure devices, such as routers and switches. On average, each of these Internet-connected devices contains 28 known vulnerabilities. That’s troubling on its own, but it gets worse when you explore how long some of those vulnerabilities have been out in the open:
- More than 23% of the devices in the study had vulnerabilities first identified in 2011.
- 16% of the devices had vulnerabilities dating back to 2009.
- Finally, and even more amazing, close to 1 in 10 had vulnerabilities over a decade old.
That’s a long time to allow vulnerabilities to go unaddressed. It’s tempting to put off patches or infrastructure upgrades, especially as seemingly more pressing projects surface. Continually doing so – especially to the extent Cisco uncovered – only serves to make life easier for those on the outside of a business’s network looking to break in.
Bouncing back from cybersecurity incidents
Arraya recently conducted a security study of our own which we believe dovetails nicely with Cisco’s Midyear Cybersecurity Report. The findings of our study will soon be available in a whitepaper that we call the 2016 Cybersecurity Tactics Snapshot. The objective of this report – which was compiled using input provided by attendees of this summer’s Arraya Tech Summit – was to look into what leading organizations in the Mid-Atlantic region are doing to protect their data. By sharing it, we hope other companies will discover new approaches to IT security and adjust their strategies.
Among the trends highlighted in our report, one of the most compelling involves organizations who’ve suffered a security incident in the past 12 months. Of the businesses who endured a breach, 62% said they currently review their security policies at least semiannually. Of that same group of companies, 46% review cybersecurity best practices with end users at least twice a year.
What about companies who haven’t been breached? Among those organizations, 38% review their cybersecurity policies and processes at least twice a year. Meanwhile, 31% of these companies say they never review best practices with end users.
To me, that is a clear indication of the post-data-breach mindset. Organizations who’ve gone through an incident aren’t interested in standing still. Instead, they’re eager to invest whatever time and effort they feel is needed to avoid becoming a repeat victim of cybercrime. This includes assessing their environment and ensuring end users, typically a favorite target of cyber crooks, have the updated tools and training to defend themselves.
True security needs the right tools and support
Cybersecurity, as a discipline, is constantly in motion. It’s a never-ending series of adjustments between those on the security side and those looking to bypass them. It’s the aforementioned IT arms race. From the perspective of businesses, they can’t afford to stop adapting or attempt to stand pat with what worked before. It’s doubtful those on the other side have any plans to stand still either.
Having an environment stocked with the latest security tools goes a long way towards keeping data safe. Every modern cybersecurity strategy must also address the “little” things like routine patching, regular process reviews, and end user training. Putting these obligations off only serves to chip away at an organization’s security foundation. The accompanying refrains of “I’ll get to it tomorrow” or “I would have done it but…” are music to the ears of cybercriminals.