When we think of cyber attacks as security threats to businesses, it’s easy to imagine teams of hackers cooking up new ways to break our established security systems. We have plenty of antivirus and activity monitoring tools at our disposal, so it makes sense that malicious users would need to break through these systems to inject their code into devices.
In truth, it’s far easier than that to infiltrate your network.
Vulnerabilities are hard to detect
Think of cyber threats in terms of physical theft. To protect your company, you may install high-level security features. Alarms. Cameras. Remote monitoring devices. You’re sure nothing can penetrate this sophisticated security—except you’ve forgotten one thing: You left the back door unlocked. And worse yet, the thieves know it, and they know how to get in, get out, and abscond in the night without leaving a trace.
It sounds simple, but if nobody can point out such a clear point of vulnerability, how can your system ever truly be safe? In essence, this is the current state of cybersecurity. The biggest threats to an organization aren’t radical malware attacks or brand new attack vectors; they’re the tried-and-true vulnerabilities that slip under the radar.
Don’t confuse popular with dangerous
Part of the problem with how we view cyber attacks as security threats to organizations is that minor vulnerabilities such as outdated software just aren’t exciting to talk about. They don’t get much press in IT security news, and thus, fewer people realize how troublesome they can be. But make no mistake, the most widely publicized threats aren’t necessarily the biggest threats to your system.
We’ve discussed malware in the past (such as the Petya ransomware) that highlights this idea well. While Petya made international headlines in its heyday and was certainly destructive, its original form required the user to provide the malware with administrative access before the damage could be done. This is a big ask, and it is an approval that no qualified IT professional would ever give.
Because of this, Petya affected a limited number of systems during its initial run. It was popular, dangerous, and well-documented in its time, but in terms of overall risk, it doesn’t stack up to the weaknesses that already exist in your system.
Attacks target exposed systems – they don’t create them
We assume malware will strike when hackers develop a new strategy to crack into our secure systems, but in fact, the opposite is true. Think about it this way: Hackers target vulnerabilities; they don’t create vulnerabilities.
It’s far more likely that you’ll be affected by threats that enter through system vulnerabilities (your unlocked back door) rather than an entirely new attack vector. This is affirmed by Greg Young, research vice president at Gartner: “Gartner predicts that, through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.”
In other words, don’t get so paranoid about high-profile cybercrime that you neglect the weaknesses in your own backyard. The best way to protect your organization from the threats most likely to affect your system is to prioritize correcting known vulnerabilities.
Focus on your known vulnerabilities
Companies need to get a better handle on their vulnerability management platforms before these issues are noticed. Broadly, this involves working with your IT department to create a top-level threat assessment that reviews your current IT assets and identifies potential weaknesses.
Depending on your system, these weaknesses can be anything from outdated software to mismanaged data handling:
- Outdated and unpatched software that leaves security loopholes open;
- Improper data validation procedures that may lead to cross-site scripting;
- A lack of session timeouts that leaves credentials exposed on vulnerable systems;
- Security configurations that don’t restrict access to servers or databases.
Each of these issues lives entirely within your own system. For those with the proper know-how, there’s no hacking or brute force attacks needed. All they have to do is leverage these loopholes to sidestep your security.
Fortunately, the other side of this coin is that these types of issues are generally easy to correct. You don’t need to worry about a malicious user encrypting your entire system or demanding payment in exchange for access; security improvements can be made through a disciplined course of IT vulnerability assessment, identification, and correction.
In most cases, your IT teams will already have an idea of what these vulnerabilities are, and in those cases, there’s no excuse. Take charge of your IT security and correct your weak points before setting your sights on larger goals.
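The asset review described above can start as a short script. The following is an added example, not code from the original article: it checks an inventory for three of the listed weaknesses (outdated software, missing session timeouts, unrestricted server access) and ranks findings by how long the flaw has been publicly known. All host names, package names, versions, and dates are constructed for illustration.

```python
from datetime import date

# Constructed advisory feed: package -> (first fixed version, date the flaw became public).
ADVISORIES = {
    "examplecms": ("4.2.1", date(2016, 3, 10)),
    "sampledb": ("9.6.3", date(2017, 5, 11)),
}

# Constructed asset inventory, as an IT asset review might record it.
INVENTORY = [
    {"host": "web01", "software": {"examplecms": "4.1.9"},
     "session_timeout_min": None, "listen": "0.0.0.0", "allowlist": ["10.0.0.0/8"]},
    {"host": "db01", "software": {"sampledb": "9.6.1"},
     "session_timeout_min": 15, "listen": "0.0.0.0", "allowlist": []},
    {"host": "app01", "software": {"examplecms": "4.2.1"},
     "session_timeout_min": 30, "listen": "127.0.0.1", "allowlist": []},
]

def parse_version(text):
    """'4.10.2' -> (4, 10, 2), so that 4.10 correctly sorts after 4.9."""
    return tuple(int(part) for part in text.split("."))

def assess(inventory, advisories, today):
    """Return (host, issue, days_known) findings, longest-known flaw first."""
    findings = []
    for asset in inventory:
        for name, installed in asset["software"].items():
            if name not in advisories:
                continue
            fixed, known_since = advisories[name]
            if parse_version(installed) < parse_version(fixed):
                findings.append((asset["host"], f"{name} {installed} < {fixed}",
                                 (today - known_since).days))
        if not asset["session_timeout_min"]:  # None or 0 means sessions never expire
            findings.append((asset["host"], "no session timeout", 0))
        if asset["listen"] == "0.0.0.0" and not asset["allowlist"]:
            findings.append((asset["host"], "service open to all addresses", 0))
    return sorted(findings, key=lambda f: f[2], reverse=True)

def known_over_a_year(findings):
    """Findings whose flaw has been public for at least one year."""
    return [f for f in findings if f[2] >= 365]

if __name__ == "__main__":
    # The assessment date is a constructed value so the output is reproducible.
    for host, issue, days in assess(INVENTORY, ADVISORIES, date(2017, 9, 1)):
        print(f"{host:6} {issue:32} known {days} days")
```

Configuration findings carry an age of 0 because the sample inventory does not record when the setting was introduced; they sort after the dated software findings.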