The number of data breach victims is growing at a steep rate. Just how steep? In 2021, Identity Theft Resource Center (ITRC) detected around 20 percent more breaches than in 2020.
Unfortunately, this worrying trend is expected to continue in 2022, and it concerns small and medium-sized businesses (SMBs) just as much as large enterprises.
Despite all the cybersecurity investments you’ve made so far, your organization could still join the rapidly expanding list of data breach victims unless you avoid making the common cybersecurity mistakes described in this article.
1. Your IT Assets Live in the Shadows
Shadow IT is the term used to describe information technology assets within an organization that have been implemented outside of the IT department, typically by individual employees who want to improve their productivity.
The proliferation of shadow IT is much greater than what many leaders estimate, with 80 percent of employees admitting to using SaaS applications at work without getting approval from IT. The global embrace of the hybrid work model has created an even larger breeding ground for shadow IT since employees naturally feel more in charge of their IT environment when working from home, especially using their personal devices.
The problem is that IT assets that live in the shadows are difficult to defend against cyberattacks, so they represent a major threat to the whole organization. To combat shadow IT, organizations need to have in place policies that prohibit the use of IT assets without prior approval, and they should also invest in IT asset monitoring to reveal all existing and future assets.
2. You Don’t Install Available Patches in a Timely Manner
On December 9, 2021, Alibaba Cloud’s security team disclosed a zero-day vulnerability called Log4Shell (CVE-2021-44228).
This vulnerability was so severe that many cybersecurity professionals described it as apocalyptic when they heard about it for the first time because it impacted large swaths of the global IT infrastructure and allowed cybercriminals to do basically anything they wanted with the vulnerable system.
The first round of fixes for this vulnerability had actually been available for three days before the vulnerability was published, but many organizations took their time to install them, and some have yet to do so. Cybercriminals, on the other hand, took just 5 days to probe almost half of all corporate networks globally for the vulnerability as they raced to exploit it.
The takeaway from Log4Shell is that security patches need to be installed as soon as possible because cybercriminals go to great lengths to breach vulnerable systems before patching takes place.
3. Your Employees Undermine Your Cybersecurity
85 percent of data breaches involve a human element, according to the Verizon Business 2021 Data Breach Investigations Report, which analyzed 29,207 security incidents spanning 88 countries, 12 industries, and 3 world regions.
Employees are responsible for so many data breaches because cybercriminals realized a long time ago that social engineering makes it easy for them to achieve their goals. That’s why 75 percent of all IT decision makers say phishing attacks are a top security threat.
What’s more, employees make mistakes and, often unknowingly, undermine cybersecurity measures by taking shortcuts when chasing deadlines, such as when they share sensitive information and files in an unsecured way or reuse the same password over and over again.
Regular cybersecurity awareness training can help employees recognize phishing attempts and become more aware of how their actions affect the organization’s cybersecurity posture, making it a necessary investment.
4. You Don’t Have a Tested Incident Response Plan
The purpose of an incident response plan is to document the steps to take in response to a security breach. A comprehensive incident response plan can reduce downtime, maintain public trust, and avoid non-compliance penalties.
But despite the benefits, 39 percent of small and medium-sized businesses don’t have an incident response plan, according to findings from a Keeper Security/Ponemon Institute survey. Should such SMBs experience a security breach, their response will likely be sub-optimal.
Of course, simply creating an incident response plan isn’t enough. The plan must be tested to verify its effectiveness, and it must also be regularly updated to reflect changes within the organization.
5. Your Cybersecurity Is Based on Legacy Solutions
The threat landscape looked vastly different back when signature-based antivirus solutions were all the rage. Today, we live in the era of ransomware, fileless malware, and other highly sophisticated attacks that can’t be reliably detected using legacy solutions.
As if that wasn’t enough, the clearly defined security perimeters around organizations’ IT networks have dissolved over the years because most organizations now have at least some of their data and applications in the cloud.
Organizations that still rely on legacy cybersecurity solutions should upgrade them in 2022 to unlock advanced machine learning and cloud protection capabilities capable of holding even the most sophisticated attacks at bay.
Help Us Keep Your Cybersecurity from Failing in 2022
For SMBs, keeping up with ever-evolving cybersecurity threats is a huge challenge. For us at OSIbeyond, it’s something we do every day.
Instead of putting your business objectives aside to solve complex cybersecurity problems that are outside your area of expertise, you can take advantage of our enterprise-grade cybersecurity solutions designed for businesses such as yours.
Schedule a free meeting with us to get started, and we’ll help you keep your cybersecurity from failing in 2022.