In 1453, Constantinople fell in one of the first documented uses of massed heavy artillery. When the time came to rethink a thousand-year defense strategy, Constantine did not recognize the significant changes to the threat. When it comes to modern cyber security, companies need to rethink their defenses far more often.
But according to the CyberArk Global Advanced Threat Landscape Report 2018, companies by and large have stagnant approaches. Among the survey findings:
- A whopping 36 percent of respondents knew of employees storing usernames and passwords for privileged accounts in Word or Excel documents
- The number of firms granting workers administrative permissions to endpoint devices increased
- The percentage of users in those companies who had admin rights increased 25 percent from 2016
- Half of the respondents recognized that customers’ sensitive private data is at risk due to security controls not going beyond basic legal requirements
I know of one company whose auditors instruct clients doing annual IT compliance certifications that if a security measure is unchanged from the prior audit, just enter “SALY” (same as last year). You won’t find too many experts who believe the threat environment will be the same as last year, though. So how does a company break out of the cyber security inertia trap?
Forbes magazine contributor Christie Terrill recommends reviewing and changing your IT security strategy whenever the context of your IT operation changes, including changes in user behavior, paying most attention to the devices and nodes that are least under the organization's control. She says Internet of Things nodes are the most problematic. While it’s true that core cyber security tools such as firewalls, two-person authentication and intrusion prevention systems are relatively unchanging, how you apply them and how you approach risk management should be reviewed. And given the speed of technology evolution, that review very much needs to be an ongoing endeavor.
Good detective work, when any system fails, usually includes asking the question “what changed?” Reviewing strategy as your IT environment changes can keep you out of the post-mortem detective work and better employed on refreshed prevention and risk mitigation efforts instead.
Please contact us at Wheelhouse to talk about a cyber security checkup, or to explore any of our varied managed IT service offerings.