Welcome back to Cybersecurity as an Iceberg. Last time in part two, we went over Insider Threats, Lack of Security Awareness Training, and Missing Policies. Today, we will discuss the last three hidden cybersecurity threats: Ineffective Security Controls, Missing Security Controls, and Unaddressed Asset Vulnerabilities.
Ineffective Security Controls
Cybersecurity controls detect, prevent, reduce, or counteract security risks such as damage to sensitive information or other assets. Companies use security controls to protect and detect any breaches or attempted breaches with software and technology that analyzes their network. Security controls include having various levels of security within the system as well as complying with security policies and guidelines.
There are three types of security controls: preventative controls, detective controls, and corrective controls.
Preventative controls are put in place prior to a security breach. They stop a security breach from occurring. A common example is having a password. However, oftentimes, the passwords that are used can be easily cracked, especially if there is no guideline on what to include in the password. Back in 2020, Nordpass revealed the Top 20 Most Common Passwords of 2020.
All the passwords on the list are easily hackable. Therefore, it is crucial for preventative measures like passwords to follow a specific guideline, such as having at least one uppercase and one lowercase letter, one special character (e.g. !, ?, @), and no sequential numbers (e.g. 1234). Additionally, the recommended password length is sixteen (16) characters.
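As an added illustration (not part of the original post), the following Python check applies the guideline above to candidate passwords. The run length used to detect sequential numbers (three or more consecutive digits) and the sample passwords are assumptions; the samples are constructed and are not taken from the Nordpass list.

```python
import re
import string

# Thresholds taken from the blog's guideline; the run length for "sequential
# numbers" is an assumption, since the post only gives the example 1234.
MIN_LENGTH = 16
SEQUENTIAL_RUN = 3
SPECIAL_CHARACTERS = set(string.punctuation)


def has_sequential_digits(password: str, run: int = SEQUENTIAL_RUN) -> bool:
    """True if `run` or more consecutive digits step up or down by one (1234, 9876)."""
    for group in re.findall(r"\d+", password):
        for i in range(len(group) - run + 1):
            window = group[i:i + run]
            diffs = {int(b) - int(a) for a, b in zip(window, window[1:])}
            if diffs == {1} or diffs == {-1}:
                return True
    return False


def check_password_policy(password: str) -> list[str]:
    """Return the name of every guideline the password fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("special")
    if has_sequential_digits(password):
        failures.append("sequential")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, not values from the Nordpass list.
    samples = ["password", "Summer2021!", "Ab!98765zzzzzzzzz", "Tr0ub4dor&3-glacier-ice"]
    for candidate in samples:
        print(f"{candidate!r}: {check_password_policy(candidate) or 'compliant'}")
```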
Another preventative control you can put in place is Multifactor Authentication (MFA), which requires users to provide a password and another form of authentication. This helps improve account security and prevents fraudulent access to your account.
Detective controls are active while the hacker is actively working against your system. They identify and characterize the incident. The public key certificate mentioned in our previous blog is both a preventative and a detective control. It re-encrypts the data and detects any attempt to breach the company’s data.
Equifax’s security breach is a prime example of having ineffective (and missing) security controls. By failing to renew their third-party public key certificate, Equifax lacked a crucial security control that protected their sensitive information.
Corrective controls are completed after the incident in an attempt to minimize the damage caused by a data breach or a failure to comply with cybersecurity laws. These include an incident response plan. If a data breach involves consumer information, the entire company needs to work to minimize the damage.
Public relations (PR) will need to inform the public as soon as possible, while ensuring the company’s reputation will not severely decline. To ensure your incident response plan will go smoothly, practice and review the procedures. After all, as Mike Tyson said, “Everybody’s got plans… until they get hit.”
To ensure all the security controls in place are effective, make sure your company and employees are properly following the security policies. To emphasize their importance, practice and review your security policies with your employees.
After applying your corrective controls, evaluate the state of your company’s cybersecurity. Use that time to decide whether to start additional preventative measures and to evaluate the effectiveness of each security control.
Missing Security Controls
As mentioned earlier, Equifax lacked a security control – their public key certificate – which resulted in their security breach. In a case like Equifax’s, put in place another security control (or policy) that requires the company to create a management lifecycle. This will require employees to review security-related certifications and partnerships.
With a management lifecycle, your corporation will have scheduled times to update any software or hardware, which will help patch and minimize holes within your company’s security perimeter. Apply antivirus solutions to detect malware and implement a firewall. Regularly update these solutions to ensure that security holes in previous versions are fixed.
Many of these security controls are commonly used by companies. However, there are also times when companies are simply unaware of a security control that would help protect their sensitive information. As such, this once again emphasizes the importance of security awareness training. Protect your network information at all levels of the organization.
Penetration testing is also a great method for evaluating security controls. It will help determine whether your company’s security measures are sufficient to protect your information. Penetration testing allows you to see where your security needs improvement and which other security controls would help better protect your company’s network.
Unaddressed Asset Vulnerabilities
Oftentimes, a company neglects to protect certain assets that later serve as a vulnerability. For example, an insecure connection is a vulnerability that allows hackers to enter your network. Hackers will be able to access critical assets such as data and personal information if there are no security controls in place to protect the asset.
Keeping software updated is also an important asset consideration. By not updating your technology to its most recent state, your company’s software will lack the add-ons that help secure your network. Taking care of your employees is also important when considering asset vulnerabilities. Companies often think of employees only as the people working within the corporation. However, as seen under insider threats, employees are also a potential cybersecurity threat – both unintentional and intentional.
Humans naturally make mistakes, so another vulnerability is caused by human error – whether it is overlooking errors when reviewing information or unintentionally opening a phishing email. As such, implementing technology that filters phishing and spam emails will help negate human errors. However, again, it is best to inform and train your employees in security awareness.
Your company’s physical location also needs security controls in place to avoid infiltration by hackers who disguise themselves as service employees – such as a janitor. Have verification steps that protect your company’s critical locations that house the corporation’s technology, such as laptops, computers, and servers.
Below the Surface
Like an iceberg, many cybersecurity risks hide below the surface. Look at the bottom of the iceberg and mitigate your cybersecurity threats before it is too late.