Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

12 Common Cybersecurity Mistakes and How to Help Avoid Them

While it may not constitute end times for a business, an incident that can result in stolen data, diminished customer confidence, reputational harm, compliance penalties and legal fees isn't exactly a drop in the bucket either.

A study last fall found that the average data breach costs victim companies $15.4 million, up 19 percent year over year. Nobody in good faith wants to cost their company money because of a compromise, CEOs included.

Look, we all do dumb things. The key is learning from them and not making them habits. Because, as you know, the definition of insanity is doing the same thing over and over again - and expecting a different result.

Here is a list, in no particular order, of 12 cybersecurity mistakes you should avoid making in the current era of modern cybercrime. If something is missing from the list that you think should be on it, please drop us a note in the comments.

1) Failing to Map Where Data Flows and Lives

It can't be said enough: Your data is your company's lifeblood. Assessing and charting where that data flows (especially if it's going outside of your organization), with whom it's shared and where it lives at rest is paramount to knowing what you need to protect. When challenged with being right all the time - and the attackers typically needing to be correct just once - visibility is everything.

2) Neglecting Security Testing 

Vulnerabilities reside across your databases, network and applications - and now also extend to devices like mobile and Internet of Things. These require regular testing through both automated vulnerability scanning and deep-dive penetration testing. Remember: Test, don't guess.

3) Concentrating Too Much on the Perimeter

Prevention is not exactly an anachronism, but considering how advanced threats have become, attackers will inevitably make it through your border defenses. And once they're inside, they will look to acquire privileges that will camouflage them as trusted users. They may evade you for a long time, unless you have strong visibility and an actionable understanding of indicators of compromise.

4) Blanking on the Basics

Oftentimes, it's the simple things that will get you. To avoid having that "Doh!" moment, make sure all of your staff uses strong passwords (passphrases are preferred) and are following the principle of least privilege, and all of your network components are properly segmented to minimize access to confidential data, adequately configured to avoid undesirable changes, and up to date with the latest patches. 

5) Disregarding Security Awareness Training

You're likely familiar with the campaign "If you see something, say something." Just as in the physical world, security enforcers rely on the population at large to stop attacks at their source - or at least make them aware of malicious attempts. Train your staff in everything from laptop protection to social engineering identification. And don't forget to retrain because the scams continue to get sneakier.

6) Ignoring Security Monitoring

If you're like most businesses, you don't have the budget to stand up your own security operations center. But that doesn't relieve you from needing around-the-clock monitoring and intelligence that will help you investigate automated alerts, hunt for threats, escalate serious incidents and minimize attacks.

7) Resisting Vendor Risk Assessments

Some of the most ignominious breaches of late were caused by attackers first infiltrating one of the victim company's vendors. You must have a plan in place with the third-party entities to which you outsource to ensure that they are taking security and risk as seriously as you are.

8) Overlooking "Shadow IT"

Your endpoints are like ivy - growing mightily and quickly getting out of control. The good ol' days of only needing to concern yourself with desktop and laptop computers are long gone. Your employees are now accessing so-called shadow applications and devices that are not supported by IT. If you can't stop it, at least don't be blind to it. First profile your risk, then institute controls.

9) Thinking it's Just About Malware

Malware is still a critical part of attackers establishing their initial foothold. But once inside, they often use different strategies to laterally advance across your network. In many cases, that means flying under the radar by using legitimate administrator or ethical hacking tools to harvest sensitive data and detect vulnerabilities.

10) Believing a Breach Won't Happen to You

Perhaps you're still holding out hope that cybercriminals will show you mercy and pass over your business, but the reality is that companies of any size are targets. Preparing your defenses to also include response will help you react faster and minimize the fallout if - or more likely, when - your day comes.

11) Dismissing Your Bosses and the Boardroom

Security maturity is the holy grail of any InfoSec professional's job objectives. In instances where businesses have reached high levels of maturity, security is ingrained in the culture, from the corner offices on down. Obtaining boss- and board-level support may be uncomfortable, but in today's climate, it is imperative.

12) Trying to Do It All On Your Own

The cybersecurity skills shortage is no joke. Estimates place the worldwide shortage at one million positions and growing. Whether you're a small business that lacks any security skills at all, or a larger outfit that needs help enhancing certain areas like penetration testing, security monitoring or incident response, doing more with less just isn't going to work.

Partnering with a managed security services provider like Trustwave is a viable option. And such an arrangement doesn't have to result in reduced headcount either - it just means you and your team can instead focus on and expedite IT projects that will have real effect on the top line of your business, while leaving security responsibilities to someone else with deep expertise and scale. This can actually result in elevated job security for your IT staff and fewer worries over losing a skilled in-house security staffer due to the industry's notoriously high turnover.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More