The Top 5 Cyber Security Mistakes Companies Make and How to Fix Them
This week, a survey of IT executives representing a wide range of businesses and healthcare organizations cited an IT talent shortage as a critical factor behind “mistakes” they made when it came to cyberattacks. Not enough experienced hands guarding the gates.
The survey is part of a report issued jointly by the Information Systems Security Association and Enterprise Strategy Group. According to the report, here are the top five cyber security mistakes companies make, along with key steps MCPc recommends businesses can take to address them.
1. Not aligning cyber security and business goals. Set concrete goals and identify metrics for both IT and business management.
Consulting a chief information security officer (CISO) to understand where, and how, to shore up your business is a great place to start. CISO services can help your organization better understand its security challenges by performing cyber assessments, developing cyber roadmaps, and helping convey a balanced security vision to operations and executive leadership.
2. Not building repeatable processes. According to respondents, one of the top two cyber security challenges is having too many manual and informal processes for cyber security.
A crucial first step for a security team is to establish a security baseline with standardized policies. The number of businesses that neglect this basic cyber hygiene is startling. In addition to the security baseline, policies customized to industry- or company-specific business practices, including data regulation, incident response, data classification, and BYOD (bring your own device), need to be established and maintained.
3. Not investing in training. Despite increased investments in cyber security, respondents do not believe organizations are allocating their cyber security budgets effectively.
We suggest organizations invest more in cyber security training at all levels — from non-technical employees to executive management. Providing intelligent, well-structured assessments that educate the people in your organization counters one of the strongest tools cyber criminals have: ignorance. An educated workforce is crucial to maintaining the security policies a business has established. Robust cyber security requires more than great tools; it requires employees who are cyber aware.
4. Not providing the right training. Respondents often turned to courses and professional development organizations for cyber security training that didn't necessarily fit their business.
Organizations should employ more custom programs to ensure their employees' cyber skills are up to date. Understanding who to train, how to train them, and how often to train them is difficult. Getting the perspective of a CISO to evaluate your staffing, identify the members that require training, and recommend partners to develop relevant training manages this potential disconnect.
5. Not assuming a perpetual skills shortage in future planning and strategy. Respondents identified understaffing as the number one cyber security challenge facing their organization.
Identifying cyber staffing needs, defining the requirements for needed positions, and finding the right talent require specialized knowledge of cyber security and current cyber security training. Once the need is identified, filling cyber positions is difficult. Working with a vast network of recruiters is key to finding qualified candidates. However, an expert evaluation of the talent is essential to identifying the right resource.
MCPc’s response to the IT talent shortage can be seen in our investment in Mercyhurst University as well as technology internships and scholarships we provide at several colleges in and around Northeast Ohio, Pennsylvania and Michigan. Filling this gap is our priority.
Our commitment to cyber education exists at the corporate level, too. Last May, MCPc hosted a comprehensive training program for our clients' employees who were identified by our CISO as key cyber stakeholders. MCPc maintains a relationship with clients who participated to ensure their security posture is maintained. We do this by periodically auditing security procedures and by providing continuing education and guidance to their staff.