Still Vulnerable: Many Firms' Security Practice Unchanged Since NotPetya and WannaCry
Two of the most economically disruptive ransomware attacks collectively cost businesses millions in damages. NotPetya and WannaCry wreaked havoc across the globe and caused panic in the hearts and minds of business managers everywhere. Well, temporarily at least. Among cyber security professionals there was an expectation that these devastating attacks would be the wake-up call the world needed. We regret to inform you that several companies apparently did not get the memo. According to new research published by Tripwire, two-thirds of cyber security professionals believe their organizations have not made critical security improvements since the two global cyber-attacks.
One-third of respondents felt that determining what endpoints were on a network was the biggest problem. Others had concerns about vulnerability management, permissions issues, and attention to audit logs. Another 40% of respondents believed that businesses were failing at everything above, as opposed to just one problem. This appears to be a problem for businesses small and large.
Security is still not a priority and is not being taken seriously. Perhaps this is a symptom of short-termism in the modern business environment. Security is a long-term benefit, but it does not provide enough payback in the near future, so cyber security always gets low priority, or the bare minimum required to simply exist. Despite the abundance of information on the impact of poor security practice, business looks the other way.
Tim Erlin, Vice President at Tripwire, has stated that:
“…All it takes is one data breach or another WannaCry and your company has lost data, money, credibility and most importantly, customer trust, which is one of the most difficult things to recover.”
One of the upsides of Tripwire’s survey is that 84% of the cyber security professionals who responded said that their company was looking for ways to invest in cyber security and risk mitigation. However, this can be a slippery slope into bad security practice, where a company invests in the latest technology and assumes it is 100% secure as a result. Cyber security is a practice that requires an examination of business processes, people, and technology. Investing in only one area will leave you wide open to attack.
The most ignored factor in security is that of the insider, the people. While a strong technology solution is important, insiders already bypass those solutions daily for the sake of work. Some of the more recent attacks were only successful because of an insider; this was the case for Chipotle recently. Two of the most cost-effective deterrents for this are user behavior analytics and security awareness training (education).
It has been said that only in times of crisis does serious behavior change happen. For those companies and organizations who were impacted by WannaCry and NotPetya, the impact of poor security practice was not an abstract notion but an objective reality. International companies such as FedEx had operations momentarily brought to a standstill by NotPetya, which cost them millions in lost revenue and damages. Even companies in the supply chain of an organization can become a threat if they have poor security practices. Ask Target, whose systems were breached through one of their small-business vendors.
No organization is too small or large to be attacked. When it comes to cyber threats, it is not a matter of if but when. Proactive action always saves money and headaches in the future. Cyber threats are growing increasingly dangerous day by day; make sure your organization does not fall victim to them.