6 common cybersecurity mistakes made by IT leaders
Updated at: Oct 11, 2019
IT staff is generally responsible for keeping the organization safe and secure, that is, free of threats and breaches. However, as with every job, mistakes are common and may even come from supervisors and IT leaders. Typically, when we talk about cybersecurity, IT leaders' mistakes are simple to remedy and stem from a lack of knowledge, insufficient concern about information security, or overload due to the accumulation of tasks.
The first, most basic mistake won't be listed here as a single item because it's not the sole responsibility of an IT leader. But it's the fact that many companies are reluctant to invest in cybersecurity solutions. That means they're more vulnerable to attacks and threats. And as we all know, a security breach can cause huge and varied damage, from an entire system shutdown due to a ransomware infection to a wire transfer as a result of a spear phishing scam.
Now let's go to our list of the most common mistakes when it comes to cybersecurity.
Mistakes made by IT managers when it comes to cybersecurity
1. Not creating a broad incident response plan
An incident response (IR) plan is basically a manual to guide the company's actions in the event of a cyber attack or data breach. This way it's possible to reduce damage and financial loss caused by incidents.
Therefore, it's essential that IT leaders have an organization-wide cybersecurity emergency response plan. Nonetheless, a study from the Ponemon Institute sponsored by IBM, with more than 3,600 IT professionals, shows that 77% of them don't have a consistent IR plan across the organization.
The main consequence of this flaw is that, in cases of cyber emergencies, it's difficult for the company to have an adequate response in all sectors. This makes it difficult for the team to work to solve the problem and prolongs the response and containment period, bringing even more damage.
So if your business doesn't have an incident response plan yet, it's time to start one. Remember that it must include different company areas, always taking into consideration the priorities and the most critical sectors of the business. To learn more, check out the tips we wrote in this post: 6 steps to build an incident response plan.
2. Not investing in systems visibility and monitoring
Lack of visibility into the organization's systems can be a huge problem in IT environments, especially when it comes to security. So even with a tight budget, the IT leader needs to have visibility and control over what happens within the business. It's important to have a global view, mapping and controlling the critical and vulnerable points of the systems, and being aware of the data and information that is essential for the organization.
There are different monitoring tools and software depending on the types of systems used by the company. An email protection solution, for example, can give you the visibility you need to analyze and evaluate message traffic. Visibility is also important so that, in cases of intrusion, the threat is detected and eliminated more quickly.
3. Not performing cybersecurity training
Another very common mistake when it comes to cybersecurity is not conducting training for company employees. Remember that human failure is still responsible for the success of many attacks, such as when an employee falls for a phishing scam and clicks on a malicious link. So don't be fooled. Even when the IT team is prepared for a threat, that doesn't mean the rest of the company is too.
It's recommended to promote frequent training with every department of the business, allowing even the most basic flaws and doubts to be addressed. Topics should cover everything that's important to increase security. For example: the importance of using strong passwords and changing them constantly; the need to keep systems always up to date; the need to recognize the most common scams; and even a walkthrough of how and to whom an employee should report any suspicions or incidents.
Trained employees help keep the business safe and running. Therefore, invest in training. In times of targeted attacks and social engineering, training can make a big difference.
4. Not setting permissions and access levels
We've talked a lot here on the blog about how important it is to consider human failure when preventing cyber attacks. That's why it's important to know what employees access and what kind of information they handle, and to ensure that the company's security policies are followed. This is true for both website and social network access as well as for company systems, including email.
After all, email is still the main threat vector. For example, a Verizon report shows that 94% of malware attacks occur via email. That number is high enough to make it critical to have visibility over incoming and outgoing emails, so that, for example, you can set focused and effective security and training policies.
5. Not doing security testing
Yes, it's essential that the systems and tools used by the company are always tested. First, because security testing will help the IT leader understand the most vulnerable points within the company. Second, because testing can validate processes. For example, does the incident response plan work in practice the same way it does on paper? There are software products that can help you with these security tests, as well as some specialized companies, which is usually a good investment.
6. Forgetting the basics: strong passwords, updated systems, and backup
Focused on protecting the business from more dangerous threats, such as ransomware and trojans, IT leaders can often forget the basics.
Company systems must have strong passwords that are changed frequently. Employees must also be reminded to use strong passwords and to update them frequently. In addition, systems must, of course, always be up to date to ensure protection against newly discovered bugs and vulnerabilities. Finally, having a working disaster recovery plan, that is, a backup plan, is critical. But it's essential that it actually works, ok?
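The point that a backup "must work" is only ever proven by restoring it. The following is an added example, not code from the original post or from its authors: it archives a directory together with a SHA-256 manifest, then performs a test restore into a scratch directory and compares every restored file against the manifest, so a damaged or tampered archive is caught before it is needed for real. The function names, the sample files and the simulated damage (truncating the archive) are all constructed for the illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive source_dir as tar.gz and return a manifest {relative_path: sha256}.

    The manifest should be stored separately from the archive (and ideally
    signed); it is the reference the restore test checks against.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = _sha256(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive_path: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and check it against the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # "data" filter refuses absolute paths, "../" traversal and
                    # device files in the archive (Python 3.12+, backported to
                    # recent 3.8-3.11 releases).
                    tar.extractall(tmp, filter="data")
                except TypeError:  # interpreter without the filter argument
                    tar.extractall(tmp)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            # A corrupt or truncated archive: nothing further to check.
            return [f"archive unreadable: {exc}"]

        restored = Path(tmp)
        for rel, expected in manifest.items():
            p = restored / rel
            if not p.is_file():
                problems.append(f"missing after restore: {rel}")
            elif _sha256(p) != expected:
                problems.append(f"checksum mismatch: {rel}")

        # Files present in the archive but absent from the manifest are also
        # suspicious: the archive was modified after the manifest was written.
        present = {q.relative_to(restored).as_posix()
                   for q in restored.rglob("*") if q.is_file()}
        for rel in sorted(present - set(manifest)):
            problems.append(f"unexpected file in archive: {rel}")
    return problems


def demo() -> tuple:
    """Back up constructed sample files, test the restore, then damage the
    archive and test again. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("hello\n")               # constructed sample
        (src / "sub" / "b.bin").write_bytes(bytes(range(256)))  # constructed sample
        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Simulate a damaged backup medium by keeping only half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    before, after = demo()
    print("intact archive problems:", before)
    print("damaged archive problems:", after)
```

Run this on a schedule against real backups (restoring into an isolated location) and alert on a non-empty problem list; a backup that has never been restored is an assumption, not a plan.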
Questions or suggestions
If you have any questions, please drop us a message: firstname.lastname@example.org. We would also love to hear from you. Maybe we're forgetting some topic that you consider important when talking about cybersecurity mistakes. In this case, write to us.