
Are Modern Security Controls overkill or not enough?



Security breaches have almost become the norm in the media these days, with millions upon millions of company records lost, or more often stolen, by malicious actors on a regular basis. Yet we've almost become numb to the reports and joke about when the next one is going to occur. So why is this happening so much?


Some of the usual causes include:


  • Human Error

  • Poor password hygiene (weak & default)

  • Social engineering

  • Excessive permissions & privileges

  • Exploitation of vulnerable systems

  • Poor patching hygiene

  • Lack of detection capabilities


The security industry is overwhelmed with new technology, ever-changing cloud platform capabilities, regulatory compliance requirements, demands for data access across multiple platforms and over-complicated architectures, to name just a few.


If you go back 15+ years, when everything was on-prem, not just the data but all the security tools as well, we had something of a fighting chance of keeping on top of it all. Now we're at the mercy of SaaS products releasing updates, renaming solutions, integrating with other vendors and, more importantly, making everything overly complicated to learn and fully leverage. People are burning out just to keep up, and there seems to be no end in sight.


Well aren't you cheery!!!


Don't get me wrong, I love what I do and wouldn't want to work in any other industry, but it seems we continue to struggle with the basics:


  • Capability fatigue (multiple products doing things we don't use or need)

  • Too many decision makers (red tape & corporate politics to delay quick outcomes)

  • Integrating security people with the technical people (it's a team sport)

  • Maintaining a sensible approach to risk (can we / should we patch that server)

  • Keeping our security tooling up to date with the latest configurations

  • Maintaining an accurate Joiner / Leaver / Mover process

  • Engaging with the business and making security "engaging!"

  • Understanding what assets are on our estate

  • Minimising administrative permissions

  • Application deployment / patching

  • Knowing what externally facing assets we have

  • Knowing who can access what and being able to log those events

  • Ensuring sensitive data is encrypted at rest and in transit

  • Zero Trust (it should do what it says on the tin)


Example 1:


Bob has left the company, still has his laptop and still has access to sensitive data. He decides to copy client names and data files onto an external drive for future use.


No one has disabled his account, and nobody has the ability to monitor for data leakage.


Example 2:


Sue is an administrator of the company's identity system and often logs in from her own home PC to catch up on work. She doesn't realise a malicious actor has previously gained access to her PC through social engineering; the attacker steals her session token, resulting in unauthorised access to the identity system.


The company has no controls in place to ensure such administrative tasks are only performed from authorised devices and locations.
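Both failures above are easy to spot once someone actually looks at the data the business already holds. Here is an added example (not code from the original post) of a small Python job that cross-checks an HR leaver list against directory accounts and sign-in events for Example 1, and flags privileged sign-ins from devices that are not managed for Example 2. The record layouts, role names and sample events are constructed for illustration; in practice the inputs would come from the HR system, the directory and the identity provider's sign-in log.

```python
"""Two checks an identity-hygiene job can run over sign-in telemetry:
leaver accounts that are still active (Example 1) and privileged
sign-ins from unmanaged devices (Example 2).
Added example, not code from the original post; the record layouts,
role names and sample data below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass(frozen=True)
class Leaver:
    user: str
    left_at: datetime          # last working day, from the HR system


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool              # current state in the directory


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime
    role: str                  # directory role used for the session (assumed names)
    device_managed: bool       # True when the device is enrolled and compliant
    source_ip: str


# Assumed set of roles that count as privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}


def _utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample data: Bob left on 1 March, Sue is an admin.
LEAVERS = [Leaver("bob", _utc(2024, 3, 1))]
ACCOUNTS = [Account("bob", enabled=True), Account("sue", enabled=True),
            Account("ann", enabled=True)]
SIGN_INS = [
    SignIn("bob", _utc(2024, 3, 4, 22, 15), "User", True, "203.0.113.10"),
    SignIn("sue", _utc(2024, 3, 5, 9, 2), "Global Administrator", False, "198.51.100.7"),
    SignIn("sue", _utc(2024, 3, 5, 14, 30), "Global Administrator", True, "192.0.2.20"),
    SignIn("ann", _utc(2024, 3, 5, 10, 0), "User", False, "198.51.100.9"),
]


def leaver_findings(leavers, accounts, sign_ins, grace=timedelta(hours=0)):
    """Return (user, reason) pairs for leavers whose account is still enabled,
    or who signed in after their leave date plus an optional grace period."""
    enabled = {a.user for a in accounts if a.enabled}
    findings = []
    for lv in leavers:
        cutoff = lv.left_at + grace
        if lv.user in enabled:
            findings.append((lv.user, "account still enabled after leave date"))
        late = [s for s in sign_ins if s.user == lv.user and s.at > cutoff]
        if late:
            findings.append((lv.user, f"{len(late)} sign-in(s) after leave date"))
    return findings


def unmanaged_admin_signins(sign_ins, privileged=PRIVILEGED_ROLES):
    """Return privileged sign-ins that did not come from a managed device."""
    return [s for s in sign_ins if s.role in privileged and not s.device_managed]


if __name__ == "__main__":
    for user, reason in leaver_findings(LEAVERS, ACCOUNTS, SIGN_INS):
        print(f"LEAVER  {user}: {reason}")
    for s in unmanaged_admin_signins(SIGN_INS):
        print(f"ADMIN   {s.user} used {s.role} from unmanaged device "
              f"{s.source_ip} at {s.at:%Y-%m-%d %H:%M}")
```

Run against the sample data it reports Bob's account as still enabled with one sign-in after his leave date, and Sue's morning admin session from the unmanaged home PC; the afternoon session from the managed device is left alone. The grace period exists because a leaver process usually allows a short hand-over window, and a job that screams about every account on day one gets switched off.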


Example 3:


A legacy system that should have been decommissioned, and that contains several exploitable vulnerabilities, remains exposed to the internet. A malicious actor gains access to the server and moves laterally across the network to install malware for data exfiltration.


The company has no visibility of its externally facing assets, so it performs no patching, vulnerability assessment or decommissioning on them.
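Example 3 comes down to not knowing what is reachable from the internet. As an added example (not code from the original post), the Python below reconciles an external scan against an asset register and reports hosts that are unknown, or that are marked decommissioned but still answering. The register layout, the hosts and the scan lines are all constructed; the scan lines imitate the layout of nmap's grepable (-oG) output, which is an assumption about the input format rather than something the post specifies.

```python
"""Reconcile what is actually reachable from the internet (an external
scan) against what the asset register says should be there, to surface
the kind of forgotten legacy host described in Example 3.
Added example, not code from the original post; the register layout and
the scan lines below are constructed (the scan lines imitate nmap's
grepable -oG output format)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    ip: str
    name: str
    owner: str
    decommissioned: bool


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str
    version: str


# Constructed asset register: one host was "decommissioned" on paper only.
REGISTER = [
    RegisterEntry("203.0.113.10", "www-prod", "web-team", decommissioned=False),
    RegisterEntry("203.0.113.20", "legacy-portal", "nobody", decommissioned=True),
    RegisterEntry("203.0.113.30", "vpn-gw", "net-team", decommissioned=False),
]

# Constructed scan output in nmap -oG style (one host per line).
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//nginx 1.24.0/
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 443/open/tcp//https//Apache httpd 2.2.15/
Host: 203.0.113.30 ()\tPorts: 443/open/tcp//https//OpenVPN/
Host: 203.0.113.40 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
"""

# "Host: <ip> (<hostname>)<tab>Ports: <entries>[<tab>Ignored State: ...]"
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s*Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Return {ip: [Service, ...]} for every host with open ports in -oG style text.
    Each port entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line.strip())
        if not m:
            continue
        ip, ports = m.group(1), m.group(2)
        services = []
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            services.append(Service(int(fields[0]), fields[2], fields[4], fields[6]))
        if services:
            hosts[ip] = services
    return hosts


def reconcile(scan_hosts, register):
    """Classify every reachable host as unknown (not in the register),
    decommissioned on paper but still live, or known. Returns category -> [ip]."""
    by_ip = {r.ip: r for r in register}
    result = {"unknown": [], "decommissioned_but_live": [], "known": []}
    for ip in sorted(scan_hosts):
        entry = by_ip.get(ip)
        if entry is None:
            result["unknown"].append(ip)
        elif entry.decommissioned:
            result["decommissioned_but_live"].append(ip)
        else:
            result["known"].append(ip)
    return result


if __name__ == "__main__":
    hosts = parse_grepable(SCAN_OUTPUT)
    report = reconcile(hosts, REGISTER)
    for category, ips in report.items():
        for ip in ips:
            svc = ", ".join(f"{s.port}/{s.proto} {s.name} {s.version}".rstrip()
                            for s in hosts[ip])
            print(f"{category:24} {ip:15} {svc}")
```

On the sample data the legacy portal (old OpenSSH and Apache builds, decommissioned in the register only) and an RDP host nobody registered at all are the two lines that matter. Neither needs a new product to find; it needs someone to own the external scan and the register and to run the comparison on a schedule.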



Remember, there is no Silver Bullet


The examples above are just drops in an ocean of challenges that many companies deal with on a daily basis. At the root of it all are the people. A combination of budgets, differing priorities, risk management, red tape, interpersonal difficulties and more results in security quite often being a whack-a-mole exercise.


But there are also the unsung heroes: people working incredibly hard to do their utmost and keep those environments up and running 24/7. It can be a thankless task, where no one appreciates you or knows your name until things go south.


So what's the answer?


Again, every business is different, and that's what makes this industry so exciting and challenging. But what I would say is: really listen to your experts and what they have to say. And if they struggle to get the important points across, ask how YOU can HELP THEM communicate the concerns and risks at a level that is understood by all stakeholders.


Let's be honest, most people who use IT systems for their job don't really care about security. I don't mean that in a bad way, but their priority is to do their job with the tools provided, not to work out whether the emailed link they received is dodgy, or why passwordless is way better than the one-time password option we previously said was amazing. Nor do they care about what permissions they need to do a job, or why the PC has to reboot for 20 minutes while it installs "critical" updates.


My personal goal is to keep it simple. Does your environment warrant the latest and greatest product(s), or do you just need to get the basics in better shape?


What minor changes can we make that will help you sleep at night without breaking the bank?

