Is your business sabotaging its security?

Cyberattacks and awareness of cybersecurity are on the rise in many companies, so it’s crucial to ensure businesses take proactive steps to enhance overall security.

Even as more businesses move workloads to the cloud, “the threat landscape in cybersecurity is constantly evolving, requiring continuous reassessment of a company’s position and attitudes” explains Stephan Pieterse, platform engineer at BBD, a trusted international software solutions provider; “In fact, there are some pervasive attitudes that may no longer serve a business’s cybersecurity goals effectively”. Below, we delve into 5 common assumptions that may be leading companies to undermine their own protection.

1. Underestimating the risk: “We aren’t interesting, so we won’t be hacked” is a dangerous assumption

While a business may believe they aren’t an attractive target, attackers may not share that perspective, explains Pieterse. Bots and worms don’t differentiate targets based on interest; they exploit vulnerabilities indiscriminately. Even if a business isn’t a direct target, their network or machines can be used as a steppingstone for more significant attacks, such as spear-phishing or gaining access to trusted networks. Moreover, their compromised systems could be used in botnets for DDoS attacks or unauthorised cryptocurrency mining. Additionally, a breach, regardless of the extent of data exposure, can damage their reputation, eroding user trust and investor confidence. It’s essential for businesses to understand the potential consequences and take proactive measures to protect their assets.

2. The flawed approach: “We’ll allow everything by default” puts a company at risk

Adopting a permissive approach to security, where everything is allowed by default and only malicious activities are blocked, is the opposite of the least-privilege principle. This approach places an unreasonable burden on security teams and increases the risk of oversight. It’s unrealistic to expect the firewall team to be aware of every “bad” website or domain on the internet. Attackers often utilise services like Cloudflare to obfuscate their activities, making them harder to identify and block. Similarly, maintaining a comprehensive list of known bad executable files is impractical, considering the constant emergence of new malware and refined obfuscation and anti-virus bypass techniques. Instead, businesses should focus on building robust systems and processes that allow compliant and frictionless usage of necessary services while maintaining security controls.

3. False sense of security: Relying on a single product or configuration is insufficient

While having cutting-edge security tools is crucial, relying solely on a single product or configuration creates vulnerabilities. “The best firewall in the world won’t prevent an attack if someone already has access to the internal network” says Pieterse. Comprehensive security requires a layered approach, leveraging multiple tools and techniques to provide defence in depth. It’s important to understand the limitations of each tool and regularly reassess their effectiveness. Vulnerabilities may emerge in specific tools over time, or they may fail to keep up with the latest threats. Implementing security measures across different zones in an organisation mitigates the impact of any single security flaw.

4. Prioritising security: “We need to focus on delivery” can lead to costly consequences

Postponing security measures until later in the development process can have severe repercussions. If a business lacks the time to secure their application, do they have the resources to identify and respond to breaches effectively? Development phases are typically the most cost-effective time to implement changes and test applications thoroughly. It’s crucial to prioritise security during development rather than leaving it as an afterthought. Exploits often target public-facing production systems, making them high-risk areas. Addressing security issues in production can be more expensive and time-consuming, leaving a company exposed for an extended period. By integrating good development practices and employing basic testing tools, many issues can be detected and resolved before reaching production, safeguarding user data and maintaining service availability. “In all of our projects,” adds Pieterse; “BBD really looks to embedding security as a vital layer throughout the development process”.

5. Strategic training: “We need to train all our users” isn’t the ultimate solution

While it’s important for a business’s employees to be aware of cybersecurity risks, relying solely on user training as a solution is inadequate. Implementing technical controls tailored to an organisation is more effective. Businesses should consider blocking or removing email attachments altogether if they are unnecessary for business operations. Training users to identify suspicious emails and attachments is beneficial, but it’s even more secure if they never receive potentially malicious content. By centralising security controls, a business can efficiently update and adapt measures as new threats emerge. This approach is more cost-effective than providing additional training to all employees and allows them to focus on their primary roles while reducing security risks. Combining this strategy with limited egress traffic and strict allow lists further enhances an organisation’s security posture.

“By challenging outdated attitudes and conventions, we can better secure our companies and systems, reversing the trend of increasing compromises and safeguarding valuable assets. Not only do we ensure our solutions are secure based on best practice,” says Pieterse, “but, in cases where regulators have requirements that must be met, we leverage our in-depth and intrinsic understanding of various sector landscapes to ensure such regulations are met, and that security measures of the highest quality are in place”. Looking for a secure software solution, or to ensure your current environment is up to speed with security? Chat to us.