They say that hindsight is 20/20. Experience isn’t usually gained until it’s too late. The good news is, with the information you gain through experience with IT and security, you can choose to make positive changes and keep negative occurrences from repeating.
Looking Back at 2019
2019 was a telling year for security incidents and data breaches. The trends showed us that many organizations, even the big corporations we assume are the most resilient, have inadequate security programs. A disconnect clearly exists between where organizations know they need to be with security and where they actually stand.
In 2019, there were a handful of security vulnerabilities that kept resurfacing. The common issues that caused security gaps and contributed to headline-making incidents were:
- Missing patches in operating systems and third-party software that facilitated remote system access and malware infections.
- Weak authentication involving easy-to-guess passwords and a lack of multifactor authentication, facilitating unauthorized access that can easily go unnoticed.
- Gullible users who received inadequate check-the-box security training (or none at all) and were left to make security decisions on behalf of IT.
- Open network shares that exposed sensitive files on workstations and servers, including personally identifiable information (PII) such as health and financial records, as well as intellectual property like source code.
- Lack of visibility and control due to the absence of core technologies that enforce security standards and policies, plus an overreliance on the “latest and greatest” technologies that creates a false sense of security.
- Inadequate or missing incident response procedures, including how to recover from ransomware, talk to the press and use cyber insurance policies as a last resort (if such a policy exists).
If any of these issues sound familiar, it’s because they are the same pervasive issues that many organizations have been struggling with for decades. In fact, James Martin’s book “Security, Accuracy, and Privacy in Computer Systems” outlined similar security gaps in business when it was written, nearly five decades ago!
One of the most important business principles that security professionals can learn and implement is the 80/20 rule, otherwise known as the Pareto principle — 20% of the business risks impact 80% of the results. Regardless of the year (or even decade), the core security challenges will always include those repeat offenders I mentioned earlier. Ignoring this reality is what facilitated the incidents and breaches we heard about in 2019, and that will likely never change.
Success in security is not automatic. If you’re going to resolve these issues and keep them from recurring in 2020, it’s going to take discipline on your part, on the part of your colleagues in IT and security, and on the part of your management team. This means focusing your efforts on the highest-payoff tasks rather than jumping on bandwagons to procure new technologies that won’t help and are more a distraction than anything else.
Threats will always be there. Vulnerabilities both old and new will continue to arise, resulting in tangible risks, unless all the right people are on board with what must be done to keep things in check. It all starts with you.