Spending big bucks is not always necessary for corporations to put a decent cybersecurity program in place.
Corporations can save on their IT security budgets and still possibly prevent major data breaches simply by better securing a handful of popular attack vectors and by properly educating staff on cybersecurity, according to cybersecurity experts.
IT security firm Praetorian's report “Dramatically Improve Corporate IT Security Without Spending Millions” detailed the results of a series of penetration tests and found weak domain user passwords were a “root cause” of compromise in 66 percent of cases, broadcast name resolution poisoning in 64 percent of cases, local administrator attacks in 61 percent of attacks, cleartext passwords stored in memory in 59 percent of cases, and insufficient network access controls in 52 percent of attacks.
The tests were performed on 75 unique organizations, simulated 450 real-world attack instances, and were designed to mimic an attacker's playbook. Each root cause was defined as a security weakness used to compromise a network or achieve an engagement objective, according to the firm's report.
Concerning domain user passwords, having a long password is more important than complexity, Lieberman Software VP of Product Strategy Jonathan Sander told SCMagazine.com in emailed comments. Song lyrics, movie lines, and parts of poems are all examples of source material for strong passwords that are easy to remember without writing them down and easy to look up if forgotten, Sander said.
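To put a number on the length-versus-complexity point, the following is an added example (not from Praetorian's report or Sander's comments) that estimates the brute-force keyspace of a short "complex" password and of a long lowercase passphrase under the naive classes^length model; the sample passwords are constructed for illustration.

```python
import math
import string

# Character classes a brute-force attacker would have to cover.
# Naive model: keyspace = (sum of sizes of classes present) ** length.
# It ignores dictionary attacks, so a passphrase built from a well-known
# line scores as an upper bound; length still dominates the estimate.
CLASS_SIZES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
    ({" "}, 1),
)


def keyspace_bits(password: str) -> float:
    """Estimated brute-force search space of a password, in bits."""
    alphabet = sum(size for chars, size in CLASS_SIZES
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def stronger(a: str, b: str) -> str:
    """Return whichever password has the larger estimated keyspace."""
    return a if keyspace_bits(a) >= keyspace_bits(b) else b


def meets_length_policy(password: str, min_len: int = 15) -> bool:
    """Length-first policy check: a minimum length, no class requirements."""
    return len(password) >= min_len


if __name__ == "__main__":
    # Constructed samples: 10 chars drawing on all four classes, versus a
    # 37-character line of poetry using only lowercase letters and spaces.
    complex_short = "P@ssw0rd1!"
    long_simple = "shall i compare thee to a summers day"
    for pw in (complex_short, long_simple):
        print(f"{pw!r:42} {keyspace_bits(pw):6.1f} bits "
              f"policy={meets_length_policy(pw)}")
    print("stronger:", stronger(complex_short, long_simple))
```

The short password scores roughly 65.5 bits while the passphrase scores roughly 176 bits, so a policy that mandates a minimum length rewards the easier-to-remember choice.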
He added that execs often incorrectly assume everyone is just as motivated to protect the company as they are, but this is not always the case, and it's important to motivate and educate people on strong cybersecurity practices.
“When people think about security, they think about building walls,” Sander said, referring to firewalls and other digital barriers used to protect data. “It doesn't matter if you have a big wall if anyone can open the door and let someone in.”
Sander said a good way to educate and motivate staff is to occasionally offer free donuts in the break room and tell short, simple, and interesting stories on how to improve cybersecurity hygiene.
Experts agree that enterprises often spend millions on tech and pennies on educating people, NINJIO Founder and CEO Zack Schuler told SCMagazine.com in emailed comments.
He said this is one of the biggest mistakes companies could make and that there is a correlation between the education of employees and the amount of security software needed.
He said the hard part of training workers is making sure that they are engaged.
“Hackers' worst fear is a person on the other side who understands how to attack them,” Schuler said.