March 5, 2019 By Douglas Bonderud 4 min read

Spring is (almost) here, which means it’s time for some in-house security cleaning. With the holiday shopping season — one of the most treacherous times of year for security — in the rearview, organizations should take a step back to assess what is working, drop what isn’t and invest in the tools they need to take their security strategy to the next level.

With that in mind, let’s take a closer look at three cybersecurity practices chief information security officers (CISOs) need to toss this year, and three that could help reduce overall risk for the enterprise.

Clean Up Your Security Act This Spring

Regardless of the size or type of company, awareness level of employees, or maturity of the technology infrastructure, there is always room for security leaders to improve the enterprise’s overall risk posture. CISOs should crack down on these bad habits to help clean up their organizations’ security act this spring.

1. Patch Postponement

Other tasks often take priority over patching, especially when an update isn’t rated critical, and doubly so when past patches have caused app outages, network problems or lost productivity. Spring cybersecurity cleaning makes this worse: given the disruption that comes with an annual cleanup, patches get pushed to “later,” and in many cases later never comes.

Here’s the good news for security hygiene: According to a Kenna Security report, less than 2 percent of published Common Vulnerabilities and Exposures (CVEs) have been actively exploited in the wild. The not-so-good news is that, with more than 3 billion vulnerabilities identified in volume two of the same study, the report still counts more than 540 million of them as potentially exploitable. It’s no surprise, then, that only 30 percent of vulnerabilities are remediated within 30 days of discovery. The practical lesson is that “how many” is the wrong question; “which ones have a working exploit and sit on an exposed asset” is the one that drives the schedule.

To get back on track, organizations must toss the notion that patches are optional and prioritize patch progress.

2. Overvalued VPNs

Many companies still use virtual private networks (VPNs) as their preferred method of securing network access, especially for remote users. The problem is that, as reported by Tech Beacon, VPNs often provide complete network access (whether it is needed or not), are cumbersome to manage and can fragment security controls.

Consider the VPN use case. Designed to let remote users reach internal services across an untrusted network, VPNs excel at encrypting traffic in transit and hiding the user’s origin. The weakness is the trust model: a VPN authenticates the connection, not each request, so once a device is on the tunnel it typically has the same network reach as a machine on the office LAN, whether the user needs it or not, and whatever is running on that device (including malware) inherits that reach. The rise of mobile and cloud services has also moved much of corporate IT outside the local server stack, so a tunnel into the data center now protects a shrinking share of what users actually touch. Meanwhile, the popularity of VPNs has made them a lure for malicious apps; according to Top10VPN, roughly 20 percent of the top 150 free Android VPN clients may contain malicious code.

The bottom line is that while VPNs have their uses, many corporations are due for a connection cleanup to maximize their value.

3. Password Paradoxes

CISOs are stuck: While standard login security measures remain a staple of network access, they’re notoriously insecure. The proof is in the passwords, and some of the worst of this past year included “123456,” “sunshine,” “qwerty” and the ever-popular “password,” according to SplashData, making it easy for malicious actors to compromise accounts and steal data.

Common cybersecurity practices to improve password potency include asking employees to rotate passwords regularly or to use complex mixes of letters, numbers and symbols. The problem is that, according to LastPass, only 55 percent of users change their passwords, even after being hacked. Forced complexity and rotation, meanwhile, breed user frustration and insecure workarounds such as incrementing a digit or keeping hard copies near the desktop, which is why NIST’s current guidance (SP 800-63B) drops mandatory periodic rotation and composition rules in favor of screening new passwords against lists of known-breached values. Even password managers are no guarantee of safety; misconfigured cloud storage or targeted attacks can put millions of credentials at risk.

Get on Track With These Next-Level Cybersecurity Practices and Technologies

While streamlined security hygiene helps limit overall risk, deep cuts must be balanced with solid cybersecurity additions. This spring, start by bolstering your strategy with the following cutting-edge technologies.

1. Prioritize Patching With Intelligent Automation

2019 will see the rise of automated tools that can schedule patches and other maintenance around corporate needs and help avoid the problem of put-off patches. As noted by Forbes, “more organizations will combine artificial intelligence and robotic process automation to create digital workers.”

Artificial intelligence (AI) offers a more efficient way to manage the biggest problem with security patching: prioritization. Given the sheer number of vulnerabilities and patches, it’s difficult for CISOs to know what’s worth the workflow interruption and what can go (temporarily) unpatched. The useful signal is not the CVSS base score alone but whether an exploit exists and is being used, and whether the affected asset is reachable and important; automation that scores on those inputs can turn a backlog of thousands of findings into a short, defensible work queue with deadlines attached.
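To make the prioritization logic concrete, here is an added example (not code from the article or from any vendor it names) that ranks findings the way the patching sections above argue they should be ranked: exploitation evidence and exposure outweigh the raw CVSS score, and the same evidence sets the remediation deadline. The findings, hosts and weights are constructed for illustration and are not a published formula.

```python
"""Risk-based patch prioritization (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    cvss: float                # CVSS base score, 0-10 (illustrative values)
    exploited_in_wild: bool    # evidence of active exploitation
    public_exploit: bool       # working exploit code is public
    internet_facing: bool      # asset reachable from the internet
    criticality: int           # 1 (lab box) .. 5 (crown jewel)


def risk_score(f: Finding) -> float:
    """Exploitation evidence and exposure dominate the base score (assumed weights)."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 10.0          # active exploitation outranks any base score
    elif f.public_exploit:
        score += 4.0
    if f.internet_facing:
        score += 3.0
    score *= 1.0 + 0.25 * (f.criticality - 1)   # 1.0x for criticality 1 .. 2.0x for 5
    return round(score, 2)


def sla_days(f: Finding) -> int:
    """Deadline in days, derived from the same evidence rather than from CVSS alone."""
    if f.exploited_in_wild and f.internet_facing:
        return 3
    if f.exploited_in_wild or (f.public_exploit and f.internet_facing):
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90


def prioritize(findings):
    """Highest risk first; ties broken by the shorter SLA."""
    return sorted(findings, key=lambda f: (-risk_score(f), sla_days(f)))


# Constructed sample: note the CVSS 9.8 on an internal build box versus a
# CVSS 6.5 that is actively exploited on an internet-facing gateway.
FINDINGS = [
    Finding("F1", "build-server", 9.8, False, False, False, 2),
    Finding("F2", "vpn-gateway", 6.5, True, True, True, 3),
    Finding("F3", "web-portal", 7.5, False, True, True, 5),
    Finding("F4", "test-vm", 5.3, False, False, False, 1),
]


def work_queue(findings=FINDINGS):
    """(id, host, score, deadline) rows in the order they should be worked."""
    return [(f.id, f.host, risk_score(f), sla_days(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    for row in work_queue():
        print(row)
```

Run as-is, the queue puts the exploited CVSS 6.5 (F2, three-day SLA) ahead of the unexploited CVSS 9.8 (F1, 30 days), which is the inversion a CVSS-only sort would never produce. Swap the boolean inputs for a feed of known-exploited CVEs and an asset inventory and the same function becomes a nightly job.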

2. Shift to Zero-Trust IAM

Identity is everything. While VPNs exist as a catch-all — a kind of all-in-one security solution that often overprovisions access — advanced identity and access management (IAM) tools can help solve this problem by focusing on user identity as the defining factor for access.

IAM solutions built on zero-trust paradigms, which CSO Online described as a model of “never trust, always verify,” authenticate the user with multiple factors, take the state of the device into account and give IT professionals granular control over which identities may reach which resources. Access is then decided per user and per resource on each request rather than per connection, so a compromised laptop that happens to be on the network no longer gets a free run at critical assets.
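The difference between the two models is easiest to see in code. The following is an added example, not code from the article or from any IAM product: a tunnel grants network reach to every service, while a zero-trust policy decision point evaluates group membership, second factor and device posture per resource. The users, groups, resources and posture rules are constructed for illustration.

```python
"""Per-request access decisions versus per-connection network reach (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool       # second factor presented for this session
    device_managed: bool     # device enrolled in management
    device_patched: bool     # device meets the current patch baseline


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str         # "low" or "high"
    allowed_groups: frozenset


# Constructed inventory.
RESOURCES = [
    Resource("wiki", "low", frozenset({"staff"})),
    Resource("hr-db", "high", frozenset({"hr"})),
    Resource("prod-admin", "high", frozenset({"sre"})),
]


def vpn_reach(subject: Subject, resources) -> list:
    """Classic VPN model: once the tunnel is up, every service behind it is reachable.

    The subject's groups and device state are never consulted; only the
    connection was authenticated.
    """
    return [r.name for r in resources]


def zero_trust_decide(subject: Subject, resource: Resource):
    """Evaluate identity, factor strength and device posture for one resource."""
    if not subject.groups & resource.allowed_groups:
        return False, f"{subject.user} has no group granting {resource.name}"
    if resource.sensitivity == "high":
        if not subject.mfa_verified:
            return False, f"{resource.name} requires a verified second factor"
        if not (subject.device_managed and subject.device_patched):
            return False, f"{resource.name} requires a managed, patched device"
    return True, "allowed"


def zero_trust_reach(subject: Subject, resources) -> list:
    """What the same subject can actually reach under per-resource policy."""
    return [r.name for r in resources if zero_trust_decide(subject, r)[0]]


# Constructed subjects: alice is in HR but on an unpatched laptop; bob is a
# contractor with no second factor; carol is an SRE on a compliant device.
ALICE = Subject("alice", frozenset({"staff", "hr"}), True, True, False)
BOB = Subject("bob", frozenset({"staff"}), False, False, False)
CAROL = Subject("carol", frozenset({"staff", "sre"}), True, True, True)


def compare(subject: Subject):
    return {"vpn": vpn_reach(subject, RESOURCES),
            "zero_trust": zero_trust_reach(subject, RESOURCES)}


if __name__ == "__main__":
    for s in (ALICE, BOB, CAROL):
        print(s.user, compare(s))
        for r in RESOURCES:
            print("   ", r.name, zero_trust_decide(s, r))
```

The denial reasons matter as much as the decisions: they tell the user (and the help desk) exactly which control blocked the request, which is what makes per-resource policy manageable rather than a new source of tickets.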

Also in development are blockchain-based IAM technologies that link access to a shared ledger of identities. The challenge is to balance the need for ID certainty against potential privacy concerns.

3. Address Persistent Password Problems With U2F

It’s one thing to acknowledge that passwords are a problem — many IT professionals can speak at length about the issues surrounding typical access credentials. The hard truth, however, is that passwords aren’t going anywhere.

But it’s not all bad news: Companies can toss overly restrictive password management by pairing passwords with additional authentication layers. Two-factor authentication (2FA) is the most obvious choice, but recent research produced proof-of-concept attacks that can intercept the one-time codes delivered by SMS or generated by an authenticator app and relay them to the real site in real time. Universal second factor (U2F) hardware tokens close that gap: the token signs a challenge that is bound to the origin the browser is actually connected to, so an assertion captured on a look-alike domain does not verify at the genuine one. That removes man-in-the-middle (MitM) phishing of the second factor, though not the theft of an already-established session. With code-based 2FA demonstrably phishable, U2F offers a way to secure valuable assets with minimal workflow disruption.
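The origin binding is the whole argument, so here it is as an added example (not code from the article, and not a U2F library): a phishing proxy relays a genuine challenge to a victim on a look-alike domain, and the relying party rejects the resulting assertion whether the proxy forwards it untouched or forges the origin field, while a plain one-time code relayed by the same proxy sails through. The domains are hypothetical, and the token’s per-credential ECDSA key pair is replaced by an HMAC key so the demo runs on the standard library alone; what gets signed is the point, not the primitive.

```python
"""Why a U2F assertion fails at a phishing proxy while a one-time code does not.

Added example, constructed scenario. HMAC stands in for the token's ECDSA
signature (assumption); origins are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"           # hypothetical relying party
PHISH_ORIGIN = "https://bank-login.example"  # hypothetical phishing proxy


def app_id_hash(origin: str) -> bytes:
    """The browser derives the application parameter from the origin it is on."""
    return hashlib.sha256(origin.encode()).digest()


class Token:
    """Stand-in for a U2F authenticator."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # assumption: symmetric stand-in for the private key

    def sign(self, origin: str, client_data: bytes) -> bytes:
        # U2F signs appIdHash || flags || counter || sha256(clientData); flags and
        # counter are omitted here, which does not change the origin-binding argument.
        msg = app_id_hash(origin) + hashlib.sha256(client_data).digest()
        return hmac.new(self.key, msg, hashlib.sha256).digest()


def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page, records the origin it is actually connected to."""
    return json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()


def rp_verify(token_key: bytes, challenge: str, client_data: bytes, signature: bytes):
    """What the relying party checks before accepting the assertion."""
    cd = json.loads(client_data)
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    expected = hmac.new(
        token_key, app_id_hash(RP_ORIGIN) + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def otp_verify(expected_code: str, submitted_code: str) -> bool:
    """An SMS or app code carries no origin: wherever the user typed it, it verifies."""
    return hmac.compare_digest(expected_code, submitted_code)


def legitimate_login(token: Token):
    challenge = secrets.token_urlsafe(16)
    client_data = browser_client_data(RP_ORIGIN, challenge)
    return rp_verify(token.key, challenge, client_data, token.sign(RP_ORIGIN, client_data))


def phished_login(token: Token, proxy_rewrites_origin: bool):
    """Victim is on the phishing site; the proxy relays the real site's challenge."""
    challenge = secrets.token_urlsafe(16)                 # fetched from RP_ORIGIN by the proxy
    client_data = browser_client_data(PHISH_ORIGIN, challenge)
    signature = token.sign(PHISH_ORIGIN, client_data)     # browser hands the token the phishing app parameter
    if proxy_rewrites_origin:
        # The proxy forges client data naming the real origin, but the signature
        # covers sha256(clientData) and the app parameter, so it no longer matches.
        client_data = browser_client_data(RP_ORIGIN, challenge)
    return rp_verify(token.key, challenge, client_data, signature)


def phished_otp(code_typed_by_victim: str) -> bool:
    """The same proxy simply forwards the code the victim typed into its page."""
    return otp_verify(code_typed_by_victim, code_typed_by_victim)


def run_scenarios():
    t = Token()
    return {
        "legit_u2f": legitimate_login(t),
        "proxied_u2f": phished_login(t, proxy_rewrites_origin=False),
        "proxied_u2f_forged_origin": phished_login(t, proxy_rewrites_origin=True),
        "proxied_otp": phished_otp("492018"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

A real browser also refuses to use a registered credential when the page’s origin does not match the credential’s app ID, so in practice the victim never even gets to touch the token; the server-side checks above are the backstop if that client-side rule is bypassed.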

Spring Into Action to Boost Your Security Posture

Spring offers the perfect opportunity to clean out old cybersecurity practices that are cluttering up IT environments and bolster security efforts with more effective additions.

Start with patch postponement. Instead of waiting for the worst and hoping for the best, leverage intelligent automation to prioritize application updates. Reduce corporate reliance on VPN solutions by opting for ID-based IAM, and push back against bad passwords with the secure authentication of U2F.
