You don’t have to look far to find news of a major data breach these days. It seems as though cyber security is a term sitting front and center on many minds while malicious attacks continue to damage companies and corporations.
But the consequences of cyber attacks don’t only affect corporate bottom lines. Lax cyber security affects all of us. The Colonial Pipeline breach in May 2021 resulted in higher gasoline prices, panic buying and local shortages after the company’s pipelines were shut down by payment-seeking hackers.
Despite the potential for disastrous results, some organizations are still struggling to treat cyber security like a business-ending, bottom-line financial threat. And the companies who do want to ante up still find it hard to keep up with the speed of cybercrime.
So, what keeps information security pros and business leaders up at night? To get a better picture of the threats in the cyber landscape, we asked professionals in cyber security to share some of the most common cyber security problems they see.
The top cyber security problems organizations are facing
Cyber security problems can range from things as granular as out-of-date software to large-scale struggles like a lack of support from leadership teams. The following is a sampling of the most common issues facing information security professionals and the organizations they serve.
1. Recognizing that you are a target
Small organizations don’t always realize that their assets and data are still attractive to cyber criminals. “In our modern economy, most companies have things that attackers want—information and money, says Matthew Eshleman, CTO of Community IT Innovators®. “Cyber threats face organizations of every size.”
A basic grasp of cyber security best practices would be a huge step in the right direction for many companies, says Kevin Raske, cyber security marketing specialist at Vipre®. “It means being constantly aware that you are a target. The majority of breaches occur because of human error.” Acknowledging that attackers might come after your company is step number one to developing a defense.
2. Failure to inform employees of threats
Steve Tcherchian, CISO and chief product officer at XYPRO, notes the weakest link in any cybersecurity program is often the employees.
“You can spend all the money you want on antivirus, intrusion detection, next-generation filters and other technologies, but all this technology will be nearly useless if you don't focus on educating your staff first,” says Tcherchian. “If your staff is not aware of these scams and how to identify them, you're still vulnerable.”
Organizations should think of their employees as the first line of defense when it comes to basic threats like phishing and malware.
“Identify your most at-risk users and empower them with the knowledge and awareness to identify these scams early on,” Tcherchian advises. “Employee awareness cannot be a ‘set it and forget it’-type approach. Continuous reinforcement and testing are key.”
Ron Harris, vice president of Omega Computer Services, says that remote work has worsened this issue.
“This may have been many people’s first time working from home,” Harris says. “Many simply do not know how to stay safe and prevent cyber attacks like ransomware. They don’t have someone next to them at the office to ask if the email they just received is legitimate or if this website looks safe to download a file from.”
Harris suggests that companies make it clear to employees that it’s always okay to forward a suspicious email to the IT department.
“It may seem annoying to do so, but this could prevent ransomware, or another cyber attack from taking place,” Harris says.
3. Data breaches due to remote work
With more people working from home and other locations not within the office, there is a greater chance of breaches from hackers—due to what Magda Chelly, founder of Responsible Cyber, calls “a perimeter-less environment.” Connections to other networks, with non-approved devices, can happen in these situations.
“The technology in place does not have the same security measures and controls provided by enterprise-level security,” Chelly says. “The perimeter-less concept pushed further zero-trust strategies within companies, encouraging cyber security professionals to define their priorities on a zero-trust philosophy—not trusting anything or anyone until proven otherwise.”
Zero Trust strategies require all users, at any level, to be continually validated and authorized before gaining access to key areas of the network. Many organizations already employ this strategy, and the White House is also committed to these principles as outlined in a recent Executive Order.
Tcherchian predicts a shift away from relying on VPNs, or virtual private networks.
“VPN relies on a perimeter methodology, meaning once the user and/or device are authenticated at the perimeter, they typically have unfettered access to the network,” Tcherchian explains. “Attackers love this. Once they're in, they can spend as much time as they need to move around from device to device.”
One misuse of VPN credentials can result in an attacker gaining access to thousands of devices throughout an organization.
“Several recent mega breaches can be attributed to this, where a contractor or vendor's VPN credentials get compromised and the attacker has access to everything the contractor did,” Tcherchian continues. “This is no longer a sustainable security strategy. Moving to a Zero Trust model removes that layer of perimeter security.”
Multifactor authentication (MFA) and two-factor authentication are examples of simple ways to add protective barriers from malicious hackers.
4. Ransomware attacks
Ransomware is a type of malware that can encrypt files on a device, making them inaccessible or unusable. Once the files are corrupted, the attackers then demand a “ransom” in exchange for decryption. At times, the attacker will threaten to expose or sell the information should the ransom, which is usually demanded in cryptocurrency, not be paid.
“Ransomware continues to be a significant threat that organizations need to be aware of, with an attack now happening about every 11 seconds,” says Ian L. Paterson, CEO of Plurilock. “Credential compromise or employees sharing or misusing credentials is another threat that companies need to be on the lookout for.”
Shane Sloan, program manager at Mobile Mentor says that compromised credentials are continuing problem.
“Multifactor authentication has still not fully permeated businesses globally,” Sloan says. “The challenge is both a human one and a technological one.”
5. Missing security patches
“Out of the 100-plus vulnerability assessments that I have run for various organizations, there are always security patches missing from their equipment—typically user workstations and laptops,” says Courtney Jackson, CEO and cyber security expert at Paragon Cyber Solutions LLC.
“It may seem like a small issue, but it isn’t,” Jackson says. “The security patches are published to address identified vulnerabilities. Delaying the installation of new security patches puts organizations’ assets at risk.”
6. Bring Your Own Device (BYOD) threats
Again, the disruption caused by COVID-19 has intensified the security issues in BYOD threats.
Bring your own device policies are popular in many companies, according to Andrew Douthwaite, CTO at VirtualArmour. BYOD lets employees use their own machines for work in office or remotely to make things easier.
“But many business leaders don’t appreciate the unique threats that a BYOD environment can invite into their organizations,” Douthwaite says.
“A few common-sense steps can better protect business networks from threats related to BYOD.” Some of these measures could be role-based access, enabling two-factor authentication and enacting network access controls to ensure all devices are continuously updated. Douthwaite says requiring strong employee passwords and having an exit process to clear ex-employee devices of company data should also be a must.
7. Losing sight of the ‘backup plan’
“Most companies don’t see backups as part of their cyber security initiative,” says Marius Nel, CEO of 360 Smart Networks. He explains that people often rely on systems or services to keep their data protected and forget to consistently back up their data as a fail-safe. “The system should be built in [a] way that assumes all other services will eventually fail and backups will be required,” Nel says.
The failure to back up as a safeguard from these attacks doesn’t just affect companies and organizations, either. Take the 2019 Baltimore City ransomware attack, Hamid says. “The city confirmed that not all of the mission-critical data was backed up. Without paying the ransom or the ability to decrypt, the data is gone forever. Incremental offsite backup is so important, yet often overlooked.”
8. Lack of a corporate security program
“One surprisingly prevalent issue that companies face when it comes to security is their lack of a formal corporate security program,” Jackson says. “Every company, no matter the size, should have a corporate security policy outlining acceptable use, incident response, physical security and at least a dozen more areas.”
She says this proactive approach to cyber security is the missing ingredient with many businesses. “I wish the average business executive understood that not having an effective cyber security program in place within their business puts them at great risk of an attack or data breach.”
9. Treating cyber security like an IT issue instead of a financial issue
Many business leaders still treat cyber security like an IT issue, when these days, it’s really about the bottom line. “At its core, cyber security attacks are a financial issue,” Douthwaite says. “Data shows that the average cost of a data breach is about $4 million.”
Nel says they’ve learned that companies with strong cyber security treat it as a “way of life,” mixing it into every part of the business. “In essence, it is a business risk mitigation exercise that requires strategic thinking and ongoing tactical actions.”
This requires employee training. Nel says training end users in basic cyber security is the most effective and cheapest way to protect an organization.
10. Lack of information security representation on the board
Many companies have very robust policies and procedures for their business processes, according to Braden Perry, cyber security attorney with Kennyhertz Perry, LLC. “That is something sophisticated board members can understand. But IT is a different language for a businessperson, and unfortunately, most board members ignore or defer these issues.”
Perry says even a business IT department with an amazing, proactive plan for information security might never get the resources and backing they need since board members don’t understand cyber threats.
“It’s becoming more important, and almost imperative, that a board has an experienced IT or cyber security liaison to translate the IT language into business and vice versa,” Perry says He adds that when he is hired to investigate a problem, it’s usually an issue the business could have resolved on its own if it had better communications between the IT department and senior leadership.
The need to stay on top of cyber security
Unfortunately, very little can be solved long-term by a single program. Anyone engaging in cyber security needs the funding and time to stay on top of industry changes.
But as several of our experts have noted, great cyber security professionals are in short supply. While that’s an uneasy fact for those running businesses, it could also be a boon for those who’ve dedicated themselves to this field. If reading this list hooked your interest—you could be just the kind of candidate they’re looking for.
Learn more about the qualities you’ll need to succeed in the field in our article “8 Signs You’re Wired for Working in a Cyber Security Career.”
Community IT Innovators is a registered trademark of Community Services Group, LLC.
Vipre is a registered trademark of ThreatTrack Security, Inc.
EDITOR'S NOTE: This article was originally published in 2019 but has since been updated to reflect information relevant to 2022.