A common refrain you hear in executive meeting rooms and offices throughout the world is “complacency is a silent killer.” In every industry, from construction to cryptocurrency, healthcare to home design, the companies that rest on their laurels will find themselves falling behind the competition—often not realizing their competitive lead has eroded until it’s too late to catch up.
The world of cybersecurity is no different. One of the biggest mistakes businesses make is becoming complacent about their defensive posture after a relatively quiet period in which the current defenses seemed good enough. Cybersecurity is often a budgetary afterthought, and it is not well understood that renewing the existing security licenses every three years does not, by itself, buy the best protection.
Leaving security as it is over time is dangerous because attackers are constantly improving the sophistication and strength of their attacks, specifically in order to bypass the defenses of yesterday and today.
Companies need to review the capabilities of their cybersecurity tools and methods frequently to stay a step ahead of cybercriminals. Fortunately, defensive tools are also improving on a daily basis, with artificial intelligence and machine learning advances making today's tools more effective and efficient than ever. On the other hand, because highly capable open-source AI tools are freely available, attackers can use the same advances to counter defensive measures nearly as quickly and at little or no cost. There is little room for delay in upgrading a company's defenses.
Because complacency is so hard to pinpoint—it often looks like actions not taken, rather than mistakes you can point to—it’s difficult to address as it happens. The only surefire way around complacency is to prevent it from setting in in the first place.
Staying ahead of complacency requires a multi-faceted approach—as I see it, there are four steps organizations need to take. Let’s look at each.
1. Continuously monitor the cybersecurity tools you have invested in already
The first step of any cybersecurity audit is determining how effective your current tools are at thwarting bad actors and how frequently they update and expand their coverage to address the latest attack techniques. This is often where complacency shows itself: a company buys a top-of-the-line security suite and is well protected for a time, then assumes it can leave those systems as they are for years, without realizing that the same criminals the tools kept out are not resting and are developing ways to bypass those defenses. A practical check is to ask, for each tool, when it last received a signature, rule, or engine update, whether it still covers the assets and attack surface you actually have today, and whether anyone is reviewing the alerts it produces.
2. Invest in continuing cyber education for employees
Keeping a strong security posture means not just updating the tools you use, but ensuring that your employees are equipped to utilize them. In many cases, employees are the first line of defense. And I’m not only talking about the employees in IT and security departments, though of course making sure they stay up to date on the latest threats and mitigation tools and techniques is crucial.
It's also important to keep non-IT employees educated about current threats because of the increasing prevalence of social engineering. The most sophisticated technical defense in the world can stop a lot of attacks, but there is still a hole in a company's defenses if James from sales is talked into giving out his credentials, or if Patricia the receptionist is handed a flash drive by someone posing as an interviewee who just needs his resume printed, and the drive deploys malware when it is plugged into her computer. Training employees to recognize common social engineering tactics, and to know whom to tell and what to do when they suspect they have been tricked, should not be ignored. Training is most effective when paired with controls that limit the damage a single mistake can do, such as multi-factor authentication on the credentials James handed over and endpoint policies that block unknown removable media.
3. Promote a business culture of cybersecurity
This is related to the education strategy above but is broader and more strategic, and in practice it comes first: it is hard to make much headway teaching employees to remain vigilant for cyber threats if they do not understand why cybersecurity matters to their jobs and to the company as a whole. Setting the tone starts with the C-suite and extends down through VPs and directors to the newest employee.
Make it clear that cybersecurity vigilance is part of the company's identity and core to its everyday business. Encourage the adoption of emerging technologies and open dialogue about the best ways of keeping the company and its employees safe. This helps ensure that employees are assets rather than liabilities in the business's operations.
4. Think like a hacker—find your vulnerabilities before they do
It is hard to stay a step ahead of bad actors, but if you build threat hunting into your operations, that is, proactively searching your environment for signs of intrusion on the assumption that something has already slipped past your automated defenses, you will find both your security posture and your ability to react quickly and effectively to attacks improving. This matters most against advanced persistent threats (APTs): intrusions designed to evade traditional security controls, reach a company's sensitive data and systems, and stay there undetected for a long time.
These are sophisticated, well-resourced attacks, often backed by a large criminal organization or a nation-state group, and fending them off requires a systematic and thorough approach, one that begins with approaching your own defenses as an attacker would and spotting the weaknesses first. Tools such as behavioral analysis, threat intelligence feeds integrated into your detection and response functions, network monitoring, and log analysis let you hunt for suspicious behavior and cut off intrusions before they do real damage. A useful discipline is to hunt from a concrete hypothesis (for example, a compromised workstation calling home to its command-and-control server at regular intervals) and to treat each hit as a lead to investigate rather than a verdict.
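As an added illustration of the two hunts just described (this is example code written for this article, not code from the original post or from Camelot Secure's products), here is a small Python script that runs over a constructed set of outbound-connection log lines. It performs an intelligence-feed match (destinations found in a hypothetical indicator list) and a behavioral check for beaconing (source/destination pairs whose connection intervals are suspiciously regular, even with some jitter). The log format, the hostnames, the indicator feed, and the thresholds are all assumptions for the example; real proxy or firewall logs and a real feed would need their own parsing and tuning.

```python
"""Hunt for intel-feed hits and beaconing in constructed outbound-connection logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic): "timestamp src_ip dst_host bytes_out".
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2023-09-01T09:00:00 10.0.0.5 updates.example.org 1200
2023-09-01T09:00:07 10.0.0.8 mail.example.org 34000
2023-09-01T09:01:02 10.0.0.5 updates.example.org 1180
2023-09-01T09:02:01 10.0.0.5 updates.example.org 1210
2023-09-01T09:02:31 10.0.0.8 docs.example.org 9100
2023-09-01T09:02:59 10.0.0.5 updates.example.org 1195
2023-09-01T09:04:00 10.0.0.5 updates.example.org 1205
2023-09-01T09:05:01 10.0.0.5 updates.example.org 1190
2023-09-01T09:05:44 10.0.0.8 bad-cdn.example.net 512
2023-09-01T09:05:58 10.0.0.5 updates.example.org 1200
2023-09-01T09:07:12 10.0.0.8 mail.example.org 2800
this line is malformed and is skipped
"""

# Constructed threat-intelligence feed: hypothetical indicators, not a real feed.
INTEL_FEED = {"bad-cdn.example.net", "203.0.113.66"}

# Hunting thresholds (assumed starting values; tune them for your environment).
MIN_CONNECTIONS = 5      # fewer connections give an unreliable interval estimate
MAX_JITTER_RATIO = 0.1   # stdev/mean of inter-arrival gaps; lower means more regular


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes_out) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the whole hunt
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue  # unparseable timestamp or byte count
    return events


def intel_hits(events, feed):
    """Hunt 1: every (src, dst) pair whose destination appears in the intel feed."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in feed})


def beacons(events, min_count=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Hunt 2: (src, dst) pairs contacted at suspiciously regular intervals.

    Returns {(src, dst): (connection_count, mean_gap_seconds, jitter_ratio)}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all timestamps identical: no interval to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings[pair] = (len(stamps), avg, jitter)
    return findings


def hunt(text, feed=INTEL_FEED):
    """Run both hunts over raw log text and return the leads for an analyst."""
    events = parse_log(text)
    return {"intel_hits": intel_hits(events, feed), "beacons": beacons(events)}


if __name__ == "__main__":
    for kind, leads in hunt(SAMPLE_LOG).items():
        print(kind, leads)
```

On the constructed data the feed lookup flags 10.0.0.8 talking to bad-cdn.example.net, and the beacon check flags 10.0.0.5 contacting updates.example.org seven times at roughly one-minute intervals. The second lead may well be a legitimate update client, which is exactly the point made above: a hunt produces leads to investigate, and an analyst (or an allowlist of known periodic services) decides which ones are real.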
Staying proactive, and not assuming that yesterday's security practices are good enough for today, is necessary to keep a company's data and vital operations safe from cyber attacks. A culture of cybersecurity that begins at the top of the company and flows down into training, education, and continuous improvement of both the tools and the methods for keeping bad actors out is the most effective way to give your company a fighting chance. Complacency may be a killer, but we can stay one step ahead of it, just as we can stay a step ahead of cybercriminals.
Jerry Derrick is Vice President of Engineering at Camelot Secure. He leads the company's engineering division and is responsible for the design, development, and sustainment of the Camelot Secure360 platform. Jerry's responsibilities also include the management of the product roadmap, research and development activities, and ensuring the overall security of the platform and customer data. A cybersecurity engineering veteran of over 20 years, Jerry understands and focuses on the importance of fusing people, processes, and technology to ensure Camelot Secure360 enables organizations to know their environments are secure against the latest threats. Before joining Camelot Secure, he worked at top military and government cybersecurity organizations to develop and deploy tools and capabilities to facilitate the more efficient and effective analysis of cybersecurity data. Jerry graduated from the United States Military Academy with a BS in Computer Science and will graduate with a Master of Liberal Arts, Extension Studies (Information Management Systems), from Harvard University in the Fall of 2023.