Things are changing: IT security topics are in mainstream media, and ransomware attacks are taking headlines almost daily. The World Economic Forum 2022 report lists cyber threats among the greatest global risks.
It could seem like things are taking a turn for the worse, and if we look at the growing number of security incidents, that might even be true. This could have been the end of a very short and grim blog. However, IT security, or cybersecurity, is not an issue without solutions or a riddle we don't know how to solve.
The solutions to many of the challenges we face are well known and might not even be that difficult to implement. Take two-factor authentication, for example: based on numbers Microsoft reports, only about 20% of Azure cloud users are using multi-factor authentication, even though we know that MFA could have prevented most accounts from being compromised.
Read more here: https://improsec.com/tech-blog/think-twice-before-launching-into-the-skies-hybrid-identities-and-separation-of-workloads-and-infrastructure-in-azure or https://news.microsoft.com/wp-content/uploads/prod/sites/626/2022/02/Cyber-Signals-E-1.pdf
We could also talk about patch management: it is well known how to do it, and many books have been written about it, but still, we often experience that the root cause of a high number of incidents is unpatched systems. Risk management is not a complicated subject. We all know it makes sense to do, and it allows you to manage and mitigate business risks, but in my experience, it is often not being done, or it is done completely independently of IT.
Read more here: https://improsec.com/cyber-blog/risk-appetite-does-that-mean-revenue-loss-for-dinner-or-cost-for-dessert
We know that security incidents are going to happen, and we can be better prepared if we have done things like tabletop exercises, business continuity planning and red teaming, but most of the time, this is not done. A lot of companies don't even know who to call if a security incident happens. (Free advice: it is a lot less costly to have an agreement in place beforehand.) And the list goes on and on. So, should we not agree to start picking some of the low-hanging fruit, or even just pick it from the ground?!
I do also see clear improvements out there. Not that long ago, many saw cybersecurity as an IT problem entirely apart from other business risks. Cybersecurity wasn't even close to something the C-level needed to be involved in. Solutions were sold as an almost magic-like thing. Only a few fully understood the products or precisely what issues the products solved.
What was very clearly understood was the underlying message: "Buy this box with blinking lights or something bad will happen." Knowledge about services like penetration testing, tools or sometimes even methods was a well-guarded secret. A dash of fearmongering was also used to spice up the message. I believe this is no longer the case: the C-level and Boards of Directors are paying more attention to cybersecurity, and the security industry is sharing a lot more knowledge freely. We at Improsec share both through our blogs and through the tools we release.
Read more: https://improsec.com/tech-blog/improhound-identify-ad-tiering-violations
So, I'm pleased that times have changed. Nowadays, when Improsec goes into a meeting, we are there to help the company understand the risk and enable the right people to make their own decisions with the best insight we can provide. Improsec doesn't make your decisions or take on your risks. However, with the deep knowledge we have of security, we can help you on the journey to improve security and make tomorrow a little safer. Last free advice this time: You can improve your security resilience a lot by making a few basic changes or implementations the first time around.
So, reach out if you need a dialog about how we can help carve out your unique security maturity path, and how we can pick some of your low-hanging fruit. If it is security related, chances are we have an expert in our team, and if we don't, we will also tell you that. Improving security always, not because we have to, but because it's the right thing to do.