It seems hard to believe, in light of the growing number of security incidents experienced by enterprises over the past couple of years, that organizations still haven't got the message about securing their technology and their workforce. However, Microsoft's Digital Defense Report observes that many organizations continue to fail at basic security measures.
Enterprise Data Security Measures
The report notes that less than 20% of Microsoft's own customers use "strong authentication" measures such as multi-factor authentication (MFA), a statistic it calls "shocking." It also cites a Microsoft survey of Internet-of-Things (IoT) attacks that found 20,994,693 cases of IoT devices still using "admin" as the admin password.
Leaving aside the cyberattacks with clear political motives, which the report explores in detail, a number of industries around the world are also in the crosshairs. According to the research, cybercrime attacks on critical infrastructure, such as the ransomware attack on Colonial Pipeline, often steal the headlines but are only the tip of the iceberg. In fact, the top five industries targeted in the past year, based on ransomware engagements, were:
- Consumer retail (13%)
- Financial services (12%)
- Manufacturing (12%)
- Government (11%)
- Healthcare (9%).
The United States is by far the most targeted country, receiving more than triple the ransomware attacks of the next most targeted nation. The report covers the period from July 2020 to June 2021, and its findings cover trends across nation-state activity, cybercrime, supply chain security, hybrid work and disinformation.
While none of this is particularly surprising, the research does confirm trends that have been emerging in recent years. There are three in particular:
- According to Microsoft, the US government has taken unprecedented steps to address cybersecurity using laws and authority already on the books. The Executive Order announced in May has gone a long way to make the US federal government and those it works with more secure.
- Governments around the world are introducing and passing new laws requiring things like mandatory reporting when organizations discover cyberattacks.
- Both governments and companies are voluntarily coming forward when they’re the victims of attacks. This transparency helps everyone better understand the problem.
Do the Enterprise Data Security Basics Well
Jacob Ansari is chief information security officer (CISO) of Tampa, Fla.-based Schellman & Company, a global independent security and privacy compliance assessor. He points to the fact that while the Microsoft report discusses a number of findings and recommendations, its first bullet point in the conclusion section sums it up best: Do the basics well.
Many of the basics that security practitioners have recommended for years still hold true: apply software updates in a timely manner, secure user access (especially remote access, and especially with multi-factor authentication), limit access, collect useful logs and take action on what they show. “We keep repeating these axioms because they're actually hard to do, particularly at scale. Applying security updates on a regular schedule for a wide variety of software components, both backend and user endpoints, creates a sprawl of complexity very quickly,” said Ansari. “Finding and fixing issues in your own applications is, necessarily, even more challenging.” More to the point, while security experts spend a great deal of time warning enterprise leaders about these problems, the practitioners themselves are just as capable of taking the lazy option as anyone else: putting off updates for browser software or mobile devices, skipping the regular reboot once all the needed tabs are finally open, or not double-checking that email attachment before opening it.
Changing these aspects of an organization is a cultural shift that requires a conscious trade-off of better security practice against convenience or even efficiency. “It has to come from the top: if the senior leadership drives around with their browser's check engine light on or are the last to complete the security awareness training, the rest of the organization will figure it out very quickly and adapt their behavior accordingly," he added.
IT's Role in Data Security
Understanding the statistics presented in the report requires a look at how most companies view the role of IT in their organization. Many companies take a "service-oriented" view of IT, meaning the number one mandate for IT is to improve user experience, said Lori Wright, head of the technology practice at Atlanta-based law firm Arnall Golden Gregory.
An inescapable truth of security is that the more secure a system gets, the less user friendly it tends to be. For example, two-factor authentication adds an extra step to every login. Changing the password from the default "admin" requires someone to remember a password, often one with convoluted complexity requirements.
An IT department with a purely service-oriented mandate will not produce a secure infrastructure. Companies must either set up a separate information security function, led by an officer empowered to resolve the tension between IT and security, or recast the objectives of their existing IT department to prioritize security over ease of use.
Businesses Putting Profit Before Data Security
So if all these problems have been part of the enterprise landscape for years, why is security still a problem? One theory, according to Gary Davis, chief evangelist with Plano, Texas-based cybersecurity firm Intrusion, is that most organizations are reluctant to enforce strong security controls because doing so may impact their ability to generate revenue. They basically put profit above all else.
Enterprises that realize a single breach can be catastrophic and unacceptable are moving away from a familiar, but incorrect, line of thinking: that traditional signature-based, defense-in-depth cybersecurity products can thwart an increasingly sophisticated adversary. “Instead they are starting to look for products that can effectively address exploits that have never been seen yet could impact their business,” he said.