Corporate resistance – the unspoken IT security risk

By Dave Shephard, Bitglass Australia


Despite global awareness of the need to improve security practices, organisations remain reluctant to make the changes to their IT environments that would help them to respond more effectively to today’s threats.

Even when security depends on relatively simple activities such as installing the latest software updates on endpoint devices, some companies still fail to find the time and energy to perform them.

Organisations fail to take the steps needed for ensuring proper IT security for a variety of reasons. These are outlined below, with tips for overcoming organisational resistance to achieving comprehensive cyber security.

1.  Resources: Companies usually see an obvious bottom-line benefit in general IT investment. IT security is different: it is spending on insurance against a loss that may never be visible, so the tools and technologies needed to protect against modern threats are easy to defer.

This is especially important in light of the mass adoption of cloud technologies and services. Many organisations have made major investments into on-premises infrastructure, which can make them reluctant to spend more funds on additional (but necessary) security solutions designed for the cloud.

2.  Expertise: One of the single biggest challenges for any company looking to bolster its security posture and expertise is recruitment. There is a dearth of qualified personnel on today’s global jobs market. According to (ISC)²’s 2018 Cybersecurity Workforce Study, 2.93 million IT security roles are unfilled globally.

3.  Denial: Unfortunately, many organisations believe they are unlikely to be a target for hackers and so need to worry less than others about cyber security. In part, this stems from the misconception that only larger or better-known organisations get attacked. In practice, attackers target whatever is poorly secured or handles sensitive data, and much of that targeting is automated and indifferent to a company’s size and status.

4. Inertia: Many organisations have a parochial view of cyber security. As a result, they may underestimate the urgency of adopting relevant security tools and practices, particularly in the cloud. On-premises tools and best practices remain necessary in the vast majority of organisations, but assuming they translate unchanged to cloud and bring-your-own-device (BYOD) environments is dangerous: network-perimeter controls see little of the traffic between a personal device and a SaaS application.

Organisations don’t typically fall victim to security breaches because adequate protections are unattainable. Solutions exist for common vulnerabilities and for highly niche security needs alike; what is usually missing is the decision to address a few fundamental areas. Best practice approaches include:

1. Find top security talent: Despite the challenges of finding experienced security professionals in the midst of a skills shortage, it’s an effort well worth making. Whether organisations conduct strategic recruitment, upskill or cross-skill existing team members, or work with external providers, there is no substitute for hands-on cyber security expertise.

2. Do the basics: At the very least, every business should install the necessary software updates and patches as soon as they become available, across all of its employees’ devices. That presupposes an inventory of those devices: a patch cannot be applied to an endpoint nobody knows about. This most basic of steps closes known security gaps and reduces the likelihood of a breach.

3. Employee education: One of the best methods of improving security is to adopt a ‘security-first’ mentality across the entire organisation. This starts at the top, with organisational leadership setting a high bar for everyone. Regular training on topics such as how to spot phishing emails and how to share data securely significantly reduces the likelihood of a breach.

4. Understand weaknesses: Organisations need to know their vulnerabilities in advance; learning about them via a data breach is the most expensive way to stress-test a security strategy. For companies that use infrastructure-as-a-service platforms, for example, this means running tools that proactively identify and fix misconfigurations in cloud environments that can expose data, such as storage buckets readable by anyone on the internet.
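As an added example (not code from the article or from Bitglass), the following script shows the kind of check a cloud misconfiguration scanner performs: it inspects S3-style bucket settings for the two ways a bucket ends up world-readable, a bucket policy that grants Allow to an anonymous Principal and S3 Block Public Access settings that are switched off. The bucket data is constructed inline so the script runs offline; in a real deployment it would come from the cloud provider’s API. Bucket names, account IDs and the VPC endpoint ID are made up.

```python
"""Added example: flag public-access misconfigurations in S3-style bucket
settings. Uses constructed sample data; makes no calls to AWS."""
import json

# The four S3 Block Public Access settings; all should be enabled unless a
# bucket is deliberately public (a static website, for example).
REQUIRED_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample inventory: name -> {public_access_block, policy}.
# Shapes follow the S3 bucket policy document and Block Public Access
# configuration; the account ID and VPC endpoint below are fictional.
SAMPLE_BUCKETS = {
    "customer-exports": {
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::customer-exports/*"}]}),
    },
    "app-logs": {
        "public_access_block": dict.fromkeys(REQUIRED_BLOCKS, True),
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            # Anonymous Principal on a Deny (enforce TLS) is fine and must not be flagged.
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "AccountRead", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}),
    },
    "partner-share": {
        "public_access_block": dict.fromkeys(REQUIRED_BLOCKS, True),
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            # Anonymous but restricted to one VPC endpoint: needs review, not an outright exposure.
            {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::partner-share/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
    },
}


def _principal_is_anyone(principal) -> bool:
    """True when a Principal means 'anyone': "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json: str) -> list:
    """Allow statements whose Principal is anyone. Each result is
    {"sid": ..., "conditional": bool}; conditional grants are reported so a
    reviewer can confirm the Condition really restricts access."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a policy may carry a single statement object
        statements = [statements]
    found = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal")):
            found.append({"sid": st.get("Sid", f"Statement[{i}]"),
                          "conditional": bool(st.get("Condition"))})
    return found


def block_public_access_gaps(settings: dict) -> list:
    """Block Public Access settings that are missing or disabled."""
    return [k for k in REQUIRED_BLOCKS if not settings.get(k, False)]


def audit_bucket(name: str, bucket: dict) -> list:
    """Human-readable findings for one bucket (empty list means no issue found)."""
    findings = [f"{name}: Block Public Access setting {gap} is off"
                for gap in block_public_access_gaps(bucket.get("public_access_block", {}))]
    for st in public_statements(bucket.get("policy") or "{}"):
        kind = ("conditional anonymous grant, review the Condition" if st["conditional"]
                else "UNCONDITIONAL anonymous grant")
        findings.append(f"{name}: policy statement {st['sid']} is an {kind}")
    return findings


def audit(buckets: dict) -> dict:
    """Audit every bucket in the inventory; returns name -> findings."""
    return {name: audit_bucket(name, bucket) for name, bucket in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "->", findings or ["OK"])
```

Run against the sample inventory, `customer-exports` produces three findings (two disabled block settings plus the unconditional public read), `app-logs` produces none because its only anonymous statement is a Deny, and `partner-share` produces one item for review. The point is not the ten-line check itself but that it can run on a schedule against every bucket, which is how misconfigurations get found before an attacker finds them.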

5. Don’t be blindsided by new tech: Many managers and staff will enthusiastically adopt any new technology or way of working, such as cloud services and BYOD, to improve productivity. Unfortunately this often happens before the employer has sanctioned the adoption, let alone updated the security policy. It is much safer for employers to get ahead of the curve and enable such technologies responsibly and securely than to scramble once they have already found their way into the organisation.

6. Buy the right security tools: Certain categories of tool are widely considered essential for adequate cloud security. These include data loss prevention (DLP), user and entity behaviour analytics (UEBA), encryption of data at rest in cloud applications (including searchable encryption, which lets encrypted records still be queried), multi-factor authentication (MFA), and more. As the list can be extensive, organisations should select against the weaknesses they have actually identified rather than by feature count, and favour solutions that cover those needs comprehensively rather than a patchwork of point products that nobody has time to operate.

Organisations have witnessed the aftermath of data breaches and the costs of failing to keep sensitive data secure. Thinking ‘this could never happen to my company’ is erroneous and dangerous.
