In recent years, many business and IT decision-makers have established a track record of questionable decision-making when it comes to organizational cybersecurity, from not properly segmenting networks, to not deactivating unused accounts (or protecting them with multi-factor authentication) to not implementing proper password security controls and more. As a result, organizations were victimized by costly and destructive data breaches and ransomware attacks, replete with corresponding business disruptions, public relations nightmares, and compliance and legal problems.
Why do so many organizations make poor decisions about cybersecurity? One reason, as put forth in a recent Gartner blog, is that decisions about cybersecurity aren’t being made in the same fashion as other business decisions. Non-technical members of the C-suite frequently treat cybersecurity like a vending machine. Insert money into the machine, security tools come out, and the organization is allegedly secured. Problem is, there’s no systematic analysis of why these purchases are being made (or not being made), other than “security.” When the organization is inevitably breached, the reaction is to spend more money on new tools, replace the security staff, or both – again, with no systematic analysis of why these steps are being taken.
Improving cybersecurity decision-making requires a shift in mindset, and this includes recognizing some hard truths. Here are three major ones, along with how to address them.
1. There is no “magic technology” that will prevent all cyberattacks.
Proper cybersecurity defenses and controls significantly reduce your organization’s risk of being breached. For example, weak, stolen or compromised credentials are responsible for over 80% of successful data breaches and about 75% of ransomware attacks. While securing employee login credentials won’t guarantee that your organization won’t be breached, it will make it far less likely.
2. Financially starving your cybersecurity program doesn’t work – but neither does throwing money at it haphazardly.
In 2020, research conducted by Ponemon, and commissioned by Keeper Security, found that less than half (45%) of global IT decision-makers feel that their organizations’ IT security budget is adequate for managing and mitigating the cybersecurity risks caused by remote work. Two years later, four out of five organizations plan to increase their cybersecurity budgets. That’s a good thing, right?
In discovery sessions with prospective customers, we’ve frequently observed organizations blindly spending money on “magic technology” or on the wrong things that don’t reduce cyber risk. Sound decision-making is rooted in proper cybersecurity planning.
Before purchasing software or hiring more IT security staff, ask yourself what your organization is trying to accomplish from a security perspective. Make sure you create a plan that covers four primary pillars: Prevention, Detection, Remediation and Response. With such a plan in place, you’ll be able to identify gaps and answer questions such as: How will you achieve enterprise-wide visibility, security and control covering every user on every device – across all of your organization’s websites, applications and systems? Do you need to secure user credentials? Tackle secrets sprawl? Fill SSO security gaps? Get a handle on privileged access management?
3. Sacrificing security at the altar of usability isn’t wise, but neither is the opposite.
When the COVID-19 pandemic forced organizations to enable remote work on a massive scale, and do so suddenly and virtually overnight, security frequently took a backseat to user access and productivity. The result was a massive surge in cyberattacks as threat actors took advantage of the perfect storm of confusion and lax security protocols.
At the same time, implementing security tools that are time-consuming and difficult for IT staff to maintain, and for end users to use, degrades both productivity and security. If a security tool is too hard for employees to use, they’ll seek ways to bypass it, not because they don’t care about security but because human behavior favors convenience. A research paper by professors at Dartmouth, USC and Penn, appropriately titled Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient? examined and illuminated this problem in detail.
By focusing on cybersecurity outcomes instead of “magic technology,” and realizing that security is about pervasive and strategic risk reduction, organizations can dramatically reduce their cyber risk while maintaining usability and productivity.
Keeper’s zero-trust and zero-knowledge password management and cybersecurity platform gives organizations the total visibility and control over employee password practices that they need to successfully defend against the most common attacks. IT administrators can secure, monitor and control the use of passwords and secrets across the entire organization, both remote and on-prem, and set up and enforce 2FA, RBAC and least-privilege access.