Eighty-three percent of global businesses say their organizations face security risks because of complex business and IT operations, according to yet another damning enterprise cybersecurity survey. The report, released by the Ponemon Institute, also revealed that 74 percent of IT security practitioners believe employees don't take security seriously and are complacent with enforced security protocol. A full 71 percent don't think all employees are even aware of said security protocol.
In the past year, we learned that more than one billion Yahoo accounts were compromised, the Democratic National Committee (DNC) was hacked, and millions of Internet of Things (IoT) devices were victims of distributed denial-of-service (DDoS) attacks, to name just a few of last year's worst breaches. After what was perhaps the worst year for cybersecurity, IT practitioners say they feel insecure in their ability to protect their enterprises from a massive attack, according to the report.
Seventy-five percent of respondents don't believe their organizations are fully prepared to deal with the security risks resulting from the IoT. A similar number of respondents believe that an entirely new IT security framework is needed to improve security and reduce risk. Unfortunately, the complexity of running a global business is making it harder for companies to implement and control the practices and technologies required to maintain high-level security. Three out of four respondents say data is growing too fast, the addition of new partners is complicating network and application management, and a lack of collaboration between IT and other lines of business is putting the organization at risk.
(Image via Ponemon)
What Needs to Be Done
These troubling figures, when coupled with an overwhelming number of respondents who say they have insufficient and improperly educated security staff, security-complacent co-workers, and an inability to enforce compliance, prove that we are dealing with an enterprise cybersecurity powder keg.
"Historically, [this lack of preparedness] has come from a lack of awareness," said Stan Black, Chief Security Officer at Citrix Systems. "But now you'd have to be living under a rock. When I saw these results, I was shocked."
Black said companies that are not prepared to secure their business should take a broad, four-step approach to rectifying the situation. First, they should understand that they have a problem. Second, they should understand the scope and scale of the problem. Third, they should bring in people—employees or third-party consultants—to help them understand what's happening and what needs to be done. And fourth, they should recruit the additional talent needed to properly maintain their technology.
When asked where he sees most of the companies with whom Citrix works, Black said they're on the third step: bringing in the talent, including companies such as Citrix, to help figure out how to solve security issues. He said companies are beginning to hire security-focused employees who focus solely on IT security rather than traditional IT operations, so they aren't pulled into traditional problem-solving computing and networking tasks.
Black's main advice to organizations is to properly train existing employees and emphasize the importance of enforcing prudent computing practices. "You can train people to not click [on suspicious emails and links] instead of buying millions of dollars of anti-phishing and anti-malware software," he said.
But, even if your standard employee is cautious at every step, advanced security threats and emerging vulnerabilities will always be one step ahead of the general public—and they're significantly more damaging than simple employee error.
"At a global scale, it is clearly emerging vulnerabilities we should be worried about," said Black. "If a person makes a mistake, it can be contained. But the vulnerabilities can have true global impact [on anything from] commerce to travel to safety to everything you can imagine."
(Image via Ponemon)
Get Started Today
No matter how many employees you have or how much money you can dedicate to security, you can start your journey to better cybersecurity practices today. Begin by training your employees to avoid attacks. Keep your team up to date on the latest phishing and spam attacks, develop an acceptable use policy, offer password training, establish a system for reporting problems, develop a security-aware mobile device management (MDM) protocol, and offer remote access training.
Additionally, your IT departments should institute the following policies as soon as possible in order to stay safe in the new year: pay for premium cloud security, implement multifactor authentication (MFA), hire a security consultant to give your systems an audit and a full recommendation report, and revoke system access for all former employees.
For added protection, it's important to layer security tactics on top of one another. For example, you should build a web app firewall to protect your apps, while also implementing an endpoint protection solution to monitor the status of your computers and mobile devices. For a worst-case scenario, you can reinforce your entire network with a Disaster Recovery-as-a-Service (DRaaS) tool to continually back up critical systems and data should something absolutely horrible happen.