Just Begging for a Breach: How Organizations Unwittingly Facilitate Their Own Hacks

The asymmetrical nature of cybersecurity (defenders need to be perfect, attackers only need to be right once) makes the job of critical data asset protection a tough one.

Sadly, many organizations make this task even more difficult by unwittingly giving hackers the “keys to the kingdom.” Despite spending precious time and resources trying to stave off attacks, they make more unforced errors than a first-time tennis player. Ultimately, these mistakes can leave their defenses so wide open that it’s akin to pinning a “hack me” sign on the (metaphorical) back of the organization.

In this blog post, we want to help you avoid such disastrous scenarios by delving into a few common “cybersecurity self-owns,” before outlining how XM Cyber is designed to solve these problems.

Spotty Cyber Hygiene

Poor human hygiene is often a quick way to invite more serious systemic health problems. Not brushing and flossing can lead to gum disease, for example. Failing to take care of your cyber hygiene is a common way to allow the entrance of a digital pathogen that leads to problems far worse than bad breath.

Good cyber hygiene is a set of routine practices that help organizations resist cyber threats. These practices harden into good habits over time. Much as people wield toothbrushes, security teams use products and services to help manage threats and risks. Some of these products are tried-and-true fundamental IT security solutions, such as anti-virus/malware protection, firewalls, and password managers.

Remembering to keep these tools updated and in good working order and following best practices can help provide baseline protection. Failing to do so, however, is a flashing green light for hackers.

Antiquated Vulnerability Management

Having a suite of security products isn’t enough to avoid a worst-case scenario type of data breach — you also have to choose the right tools for your particular needs. Too many organizations are reliant on a “scan and patch” approach to vulnerability management (VM). Defenders quickly become deluged by vulnerabilities and often struggle to determine the best path to proceed.

The popular approach of relying on CVSS-based vulnerability scanning to guide VM work is leaving enterprises at grave risk. While CVSS can tell you the severity of a vulnerability, it cannot relay the risk that it truly poses to your business-critical assets. A “severe” vulnerability may pose no risk to your organization at all, while one of less severity may be a doomsday scenario waiting to unfold.

Failure to Understand Risk and Prioritize for Criticality

Adding key risk context to vulnerability management is enormously important in terms of guiding your prioritization efforts. You need to understand not just how severe a vulnerability may be, but the risk an exposure would pose to your most business-sensitive assets. The ability to map attack vectors toward critical assets and understand how they are most likely to be leveraged is essential toward effectively managing risk.

Without this capability, prioritization is a guessing game. You’re plugging cracks in a dam with no ability to see which cracks are the largest or most threatening. Operate like this too long, and one day the levee is going to break.

Rote, By-the-Numbers Teaching and Training

Famous 18th century English poet Alexander Pope said, “to err is human, to forgive, divine.” Had Alexander Pope been an embattled 21st-century CISO working overtime to keep his company safe, he may have been a little less forgiving. With COVID-19 radically expanded attack surfaces and creating massive new shadow IT concerns, it has become imperative to help workers prevent unforced errors such as failing to manage passwords effectively or getting involved in obvious phishing scams.

Too often cybersecurity training is a box-ticking exercise — something that has to be endured. Organizations that make the effort to make training actually resonate will help their workers become far more conscientious and savvy — and less in need of divine forgiveness.

How XM Cyber Makes You a Harder Target

Hackers are like anyone else — they want maximum ROI for minimum effort. Some hackers also lack the skill and sophistication to launch advanced attacks. This means that organizations that make unforced errors are always going to be at grave risk because they are the softest kind of target. Hang the metaphorical “hack me” sign, and you can rest assured that someone, somewhere is waiting to take up that invitation.

XM Cyber solves these problems by providing the highest level of protection for critical assets. Even if gaps develop from poor cyber hygiene or human error, XM Cyber technology provides a backstop by running continuous and automated attack simulations, identifying vulnerabilities as they arise, and providing guided prioritization based on key attack-centric, risk context.

By focusing on the small number of exposures that jeopardize critical assets, XM Cyber allows for surgical prioritization precision. Even if you’ve unwittingly left the back door open to attackers, our attack-centric exposure prioritization technology has the ability the quickly sound the alarm — and help you immediately ensure your crown jewel assets are safely tucked away.

Click here to learn more about how XM Cyber technology works.

Marcus Gilban is Director of Marketing Communications at XM Cyber