March 5, 2019 By Douglas Bonderud 4 min read

Spring is (almost) here, which means it’s time for some in-house security cleaning. With the holiday shopping season — one of the most treacherous times of year for security — in the rearview, organizations should take a step back to assess what is working, drop what isn’t and invest in the tools they need to take their security strategy to the next level.

With that in mind, let’s take a closer look at three cybersecurity practices chief information security officers (CISOs) need to toss this year, and three that could help reduce overall risk for the enterprise.

Clean Up Your Security Act This Spring

Regardless of the size or type of company, awareness level of employees, or maturity of the technology infrastructure, there is always room for security leaders to improve the enterprise’s overall risk posture. CISOs should crack down on these bad habits to help clean up their organizations’ security act this spring.

1. Patch Postponement

Other tasks often take priority over patching, especially when updates aren’t considered critical and teams worry that a patch will cause app outages, network problems or lost productivity. This is especially problematic when CISOs tackle spring cybersecurity cleaning: given the high level of disruption that comes with annual cleanups, patches are often put off until later, but in many cases later never comes.

Here’s the good news for security hygiene: According to a Kenna Security report, less than 2 percent of published Common Vulnerabilities and Exposures (CVEs) have been actively exploited in the wild. The not-so-good news is that, with more than 3 billion vulnerabilities identified in volume two of the same study, this amounts to more than 540 million potentially problematic exploits. It’s no surprise, then, that only 30 percent of vulnerabilities are remediated within 30 days of being discovered.

To get back on track, organizations must toss the notion that patches are optional and prioritize patch progress.

2. Overvalued VPNs

Many companies still use virtual private networks (VPNs) as their preferred method of securing network access, especially for remote users. The problem is that, as reported by Tech Beacon, VPNs often provide complete network access (whether it is needed or not), are cumbersome to manage and can fragment security controls.

Consider the use case for VPNs. Designed to secure internal services when users interact with external applications, VPNs excel at encrypting traffic and obfuscating origin points. But they come with a built-in flaw: They’re natively external, introducing an inherent element of risk. This externality is contagious. The rise of mobile and cloud computing services has shifted the bulk of corporate IT outside of local server stacks, in turn reducing the efficacy of VPN offerings. Widespread use of VPNs, meanwhile, has led to an uptick in VPN-based malware; according to Top10VPN, roughly 20 percent of the top 150 free Android VPN clients may contain malicious code.

The bottom line is that while VPNs have their uses, many corporations are due for a connection cleanup to maximize their value.

3. Password Paradoxes

CISOs are stuck: While standard login security measures remain a staple of network access, they’re notoriously insecure. The proof is in the passwords, and some of the worst of this past year included “123456,” “sunshine,” “qwerty” and the ever-popular “password,” according to SplashData, making it easy for malicious actors to compromise accounts and steal data.

Common cybersecurity practices to improve password potency include asking employees to regularly change passwords or use complex combinations of characters and numbers. The problem is that, according to LastPass, only 55 percent of users change their passwords — even when hacked. Increased complexity, meanwhile, can lead to user frustration and insecure password practices such as keeping hard copies near desktop computers. Even password managers are no guarantee of safety; misconfigured cloud storage or targeted attacks can put millions of credentials at risk.

Get on Track With These Next-Level Cybersecurity Practices and Technologies

While streamlined security hygiene helps limit overall risk, deep cuts must be balanced with solid cybersecurity additions. This spring, start by bolstering your strategy with the following cutting-edge technologies.

1. Prioritize Patching With Intelligent Automation

2019 will see the rise of automated tools that can schedule patches and other maintenance around corporate needs and help avoid the problem of put-off patches. As noted by Forbes, “more organizations will combine artificial intelligence and robotic process automation to create digital workers.”

Artificial intelligence (AI) offers a more efficient way to manage the biggest problem with security patching: prioritization. Given the sheer number of vulnerabilities and patches, it’s difficult for CISOs to know what’s worth the workflow interruption and what can go (temporarily) unpatched. Intelligent automation can help streamline this process.
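One way to make that prioritization concrete, as an added example that is not part of the original article or any vendor's product: rank a backlog so that the small set of findings with exploitation evidence and real exposure is patched first, rather than working down the list by raw CVSS. The weights, SLA windows, hostnames and `CVE-EXAMPLE-*` ids below are all constructed for illustration, not an actual policy or real vulnerabilities.

```python
"""Risk-based patch prioritization. Added example with constructed data:
the weights and SLA windows are an assumed policy, and the CVE ids and
hosts are placeholders, not real findings."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder id, not a real CVE
    host: str
    cvss: float            # CVSS base score, 0.0-10.0
    exploited: bool        # listed on an exploited-in-the-wild feed
    internet_facing: bool  # reachable from outside the perimeter
    crown_jewel: bool      # host carries business-critical data or services
    published: date        # date the finding entered the backlog


def risk_score(f: Finding) -> float:
    """Weighted score: exploitation evidence and exposure outweigh raw CVSS,
    so an exploited 7.5 on an edge host outranks an unexploited internal 9.8."""
    score = f.cvss
    if f.exploited:
        score += 10.0
    if f.internet_facing:
        score += 5.0
    if f.crown_jewel:
        score += 3.0
    return score


def sla_days(f: Finding) -> int:
    """Remediation window in days implied by the score (assumed policy)."""
    s = risk_score(f)
    if s >= 20.0:
        return 7
    if s >= 15.0:
        return 14
    if s >= 10.0:
        return 30
    return 90


def prioritize(findings, today: date):
    """Return (cve, host, score, sla_days, overdue) tuples, highest risk first;
    ties are broken by age so the oldest items surface."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.published))
    rows = []
    for f in ranked:
        due = f.published + timedelta(days=sla_days(f))
        rows.append((f.cve, f.host, risk_score(f), sla_days(f), today > due))
    return rows


# Constructed sample backlog: four findings across four hosts.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "web-01", 7.5, True, True, False, date(2019, 1, 10)),
    Finding("CVE-EXAMPLE-2", "db-01", 9.8, False, False, True, date(2019, 2, 20)),
    Finding("CVE-EXAMPLE-3", "ws-17", 5.3, False, False, False, date(2018, 12, 1)),
    Finding("CVE-EXAMPLE-4", "vpn-gw", 8.1, False, True, True, date(2019, 3, 1)),
]


def sample_report():
    """Run the ranking against the constructed backlog as of 5 March 2019."""
    return prioritize(SAMPLE, date(2019, 3, 5))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

Run as a script it prints the ranked backlog; note that the exploited 7.5 on the internet-facing web host lands on top with a seven-day window, while the 9.8 on the internal database falls to third place. Feeding the `exploited` flag from an exploited-in-the-wild feed is the single change that most separates "patch this week" from "patch this quarter".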

2. Shift to Zero-Trust IAM

Identity is everything. While VPNs exist as a catch-all — a kind of all-in-one security solution that often overprovisions access — advanced identity and access management (IAM) tools can help solve this problem by focusing on user identity as the defining factor for access.

IAM solutions focus on zero-trust paradigms, which CSO Online described as a model of “never trust, always verify.” By using multiple factors to authenticate user identities and providing IT professionals with granular management controls, it’s possible to tackle security on a per-user rather than per-connection basis and enhance the protection of critical assets.

Also in development are blockchain-based IAM technologies that link access to a shared ledger of identities. The challenge is to balance the need for ID certainty against potential privacy concerns.

3. Address Persistent Password Problems With U2F

It’s one thing to acknowledge that passwords are a problem — many IT professionals can speak at length about the issues surrounding typical access credentials. The hard truth, however, is that passwords aren’t going anywhere.

But it’s not all bad news: Companies can toss overly restrictive password management by pairing passwords with additional authentication layers. Two-factor authentication (2FA) is the most obvious choice, but recent research has produced proof-of-concept attacks that can easily spy on 2FA delivery methods. Another option is universal second factor (U2F), which uses physical tokens to eliminate the possibility of man-in-the-middle (MitM) authentication attacks. With 2FA now potentially vulnerable, U2F offers a way to secure valuable assets with minimal workflow disruption.
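Why a U2F token holds up where a relayed one-time code does not comes down to origin binding: the browser only lets a page use the application identifier it owns, writes the real origin into the client data the token signs over, and the site checks that origin before it checks the signature. The toy model below is an added example, not code from the article or from any U2F implementation; it simplifies the real protocol (HMAC-SHA256 stands in for the token's per-credential ECDSA key, the app-id check is an exact origin match, and the `bank.example` origins and `482913` code are constructed).

```python
"""Toy model of U2F origin binding versus an unbound one-time code.
Added example; HMAC-SHA256 replaces the per-credential ECDSA key of a real
token, so the 'verification key' handed to the site is a copy of the secret."""
import hashlib
import hmac
import json
import os


class Token:
    """Hardware authenticator: one secret per (app_id, key_handle) registration."""

    def __init__(self):
        self._keys = {}

    def register(self, app_id):
        handle, secret = os.urandom(8).hex(), os.urandom(32)
        self._keys[(app_id, handle)] = secret
        return handle, secret

    def sign(self, app_id, handle, client_data_hash):
        secret = self._keys.get((app_id, handle))
        if secret is None:
            raise KeyError("no credential registered for this app_id/handle")
        app_param = hashlib.sha256(app_id.encode()).digest()
        return hmac.new(secret, app_param + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(token, page_origin, app_id, handle, challenge):
    """User-agent rule: a page may only use an app_id it owns (simplified to an
    exact match), and the page's real origin goes into the signed client data."""
    if page_origin != app_id:
        raise PermissionError(f"{page_origin} may not use app_id {app_id}")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    return client_data, token.sign(app_id, handle, hashlib.sha256(client_data).digest())


class RelyingParty:
    """The site being logged into; its origin doubles as the U2F app_id."""

    def __init__(self, origin):
        self.origin, self.creds, self.pending = origin, {}, set()

    def register(self, token):
        handle, vkey = token.register(self.origin)
        self.creds[handle] = vkey
        return handle

    def new_challenge(self):
        c = os.urandom(16).hex()
        self.pending.add(c)
        return c

    def verify(self, handle, client_data, sig):
        data = json.loads(client_data)
        if data.get("origin") != self.origin:          # origin binding
            return False
        if data.get("challenge") not in self.pending:  # freshness, no replay
            return False
        self.pending.discard(data["challenge"])
        vkey = self.creds.get(handle)
        if vkey is None:
            return False
        app_param = hashlib.sha256(self.origin.encode()).digest()
        expected = hmac.new(vkey, app_param + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def genuine_login():
    """User on the real site: page origin equals app_id, assertion verifies."""
    token, rp = Token(), RelyingParty("https://bank.example")
    handle = rp.register(token)
    cd, sig = browser_get_assertion(token, rp.origin, rp.origin, handle, rp.new_challenge())
    return rp.verify(handle, cd, sig)


def relayed_login():
    """A look-alike page relays the real site's challenge. The browser refuses
    to assert for an app_id the page does not own, and even client data naming
    the look-alike origin is rejected by the site before the signature matters."""
    token, rp = Token(), RelyingParty("https://bank.example")
    handle, challenge, lookalike = rp.register(token), rp.new_challenge(), "https://bank-login.example"
    try:
        browser_get_assertion(token, lookalike, rp.origin, handle, challenge)
        return True  # would mean the browser failed to enforce origin
    except PermissionError:
        pass
    forged = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                         "origin": lookalike}, sort_keys=True).encode()
    return rp.verify(handle, forged, b"\x00" * 32)


def otp_relayed_login():
    """Contrast: a one-time code carries no notion of where it was typed, so a
    code entered on the look-alike page verifies exactly like a genuine one."""
    current_code = "482913"              # constructed code the site expects
    typed_on_lookalike = "482913"        # same digits, wrong site
    return hmac.compare_digest(typed_on_lookalike, current_code)
```

`genuine_login()` returns True, `relayed_login()` returns False at both the browser and the server check, and `otp_relayed_login()` returns True, which is the whole difference: the code has nothing in it that says where it was entered, while the U2F assertion does. In a real deployment the two checks to keep are the ones in `verify`: compare the origin in the client data against your own before anything else, and consume each challenge exactly once.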

Spring Into Action to Boost Your Security Posture

Spring offers the perfect opportunity to clean out old cybersecurity practices that are cluttering up IT environments and bolster security efforts with more effective additions.

Start with patch postponement. Instead of waiting for the worst and hoping for the best, leverage intelligent automation to prioritize application updates. Reduce corporate reliance on VPN solutions by opting for ID-based IAM, and push back against bad passwords with the secure authentication of U2F.
