The backbone of any connected security system — and especially a super-connected smart building — is the network, which is increasingly vulnerable the more things you connect to it. That is why the cyber-stance, or cyber-hygiene, a facility puts in place is absolutely critical to keeping things running smoothly and helping protect against damaging hacking attacks.
A recent report by ExtraHop found that some cyber leaders may be a little too confident in their organization’s cybersecurity posture. In the report, 88 percent of cyber leaders expressed confidence in their organization’s risk management abilities, yet the report also found that many organizations are unprepared to mitigate risk — largely due to poor cyber hygiene and inadequate budgets.
Poor cyber hygiene is particularly problematic of cyber risk in the agricultural, educational and government sectors, with 51 percent of respondents reporting that more than half of their organization’s cyber events are related to poor cyber hygiene, and one out of two organizations deploying one or more insecure network protocols that malicious actors have been known to leverage.
Equally concerning, A report by Bitsight and Diligent, which received contributions from 4,000 medium to large-sized companies across the globe, found that only 5 percent of businesses have a cyber expert as a member of staff.
“It takes a village to perform well in cybersecurity,” said Ken Dunham, cyber threat director at Qualys Threat Research Unit about the report. “It’s not enough to only elevate the visibility and authority of the CISO, or have a board involved in cybersecurity matters. It takes an entire ecosystem and culture of an organization, united and aligned, with clear focus and priorities, to achieve cybersecurity maturity manifested in operations.”
Dunham also gave this practical advice: “Pillars of success frequently involve top-down leadership that understands this vision and what risk really is, and how to unify, empower, and align global disparate teams. Organizationally everyone is involved from the board down to separate mature teams of risk, audit, SecOps, and others, all working together in regulatory, compliance, and cybersecurity framework-driven operations to ensure efficiency and efficacy in outcomes. Once an organization is able to become process driven, instead of people being solely dependent on SecOps, the governance risk management process can be automated and optimized to prioritize risk with measurable results, compared to those that do not implement these core components of a risk management program.”
Cyber hygiene is going to become even more of a critical need the more AI and generative AI become involved in business life.
The AI Security & Governance Report released by Immuta found that 80 percent of data experts see AI as increasing data security challenges. What’s more, 55 percent say the possibility that sensitive information may be inadvertently exposed by large language models (LLMs) is their greatest concern, while 52 percent are worried that sensitive information may be exposed to LLMs through user prompts.
Even more — 57 percent — reported an increase in AI-driven attacks in the last year.
The good news about AI is it may be helping increase both the sense of urgency companies feel when it comes to preparing for cyber threats and the tools they have to do so.
For example, a recent report from Netacea found that 100 percent of security leaders considered their organizations’ security stack to be improved since the adoption of AI tools.
However, the other side of that coin is the majority of those surveyed also expect that AI will become a more prevalent tool in the tool kit of cybercriminals, with 93 percent predicting that AI cyberattacks will become a daily occurrence by 2025.
There are also challenges from within companies who are trying to improve their cyber-stance. A report from LogRhythm found that while 95 percent of organizations were altering their cybersecurity strategies there is a gap in efficient communication between security teams and non-security leaders: 44 percent of non-security leaders do not understand the regulations that the organization must comply with, and 59 percent have difficulty explaining the importance of specific security systems to non-security stakeholders.
With near daily cyber-attacks making the news these days, it is more critical than ever to make sure all the stakeholders in your organization know both the “what’s” and the “why’s” of the policies, as well as to make sure those policies are as up-to-date as possible.
As Dunham explained, commenting on the recent nation-state cyberattack at MITRE Corporation, “The race to patch against vulnerabilities and de-risk is real in a world where adversaries are lying in wait to attack upon opportunity. In 2024, companies must apply due diligence at every step of the entire lifecycle of threat and vulnerability management (TVM) lifecycle, with the ability to rapidly prioritize patching, workarounds and other forms of remediation, when justified by escalating threats. The need for strong cyber threat intelligence (CTI) driven programs has never been stronger to proactively reduce risk, quickly detect and remove threats as fast as possible in the war against cyber threats. Excellence in SecOps includes lowering the impact of an incident by ensuring controls internally to identify and remove threats quickly as well as reduce the blast radius when an attack occurs.”