1. Overconfidence
The most common mistake made by cybersecurity professionals is overconfidence, and a false sense of security, said Bahram Attaie, assistant professor of practice at the School of Information Studies at Syracuse University. “They believe that they have implemented all the right controls, and as a result they think they are un-hackable,” Attaie said.
Overconfidence that a single layer, or a few selected layers, of protection will suffice is also a mistake, said Andrey Pozhogin, cybersecurity expert at Kaspersky Lab North America. “In a strategy game, every unit, no matter how powerful or agile it is, can be defeated by another unit,” Pozhogin said. “The same is true for security. There’s no silver bullet, and that’s exactly the reason why security has to be multi-layered.”
2. Bypassing corporate controls
When corporate controls prevent cybersecurity experts from doing their job efficiently, they often bypass these controls or turn them off, Pozhogin said. “As security layers need to be put in place, there will be incompatibilities between different technologies, so workarounds will be found, competing technologies will need to be turned down or off, repetitive settings will have to be changed and will be forgotten to be changed across different policies,” Pozhogin said.
Disabling or removing protections such as antivirus, network security protocols or two-factor authentication for convenience can lead to an exposed system with deliberately bypassed protections and unencrypted documents, said Travis Farral, director of security strategy at Anomali. “Any click on a phishing email or successful drive-by attack on exposed systems will give attackers access to them and anything that can be accessed through them,” he added.
3. Negligence toward false positives
Some cybersecurity professionals are negligent toward false positives (situations in which a security solution labels a benign file as malware and blocks it). The potential outcomes of this are corruption of data, interruption of operation or complete inability to operate, Pozhogin said. “Some security experts downplay the risk of high false positives and choose solutions for the security stack that are tuned to paranoid levels, thus producing false positives,” he said.
4. Failing to review the environment as a whole
Security experts are constantly responding to fires and urgent drills, but often do not go back and review if the environment itself is becoming less secure, said Ashwin Krishnan, author of Mobile Security for Dummies. For example, someone may escalate privileges for a senior admin to super admin to do super admin tasks for the day, filling in for her boss on vacation, but not go back and revoke those privileges because other issues came up.
It’s also important to do a holistic systems review after a penetration test, said Dale Meredith, cybersecurity and ethical hacking instructor at Pluralsight.
“Once the security professional secures their network infrastructure, either via a penetration test or a thorough examination, they have a tendency to relax and assume that the infrastructure is and will continue to remain secure from attacks,” Meredith said. “Instead we should be looking at our penetration test as a baseline or starting point.” Networks are very dynamic, and installing a new piece of equipment or software, or even patching software or applications, can change your security posture overnight, he added.
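The stale-privilege scenario Krishnan describes (a temporary elevation to super admin that nobody revokes) is the kind of drift a periodic review catches. The script below is an added example, not code from the article or any of the quoted vendors: it models temporary grants in a small register with a time-to-live and lists every grant that has expired without being revoked. The user names, role names and timestamps are constructed sample data; in practice the register would be fed from the identity provider's audit log.

```python
from datetime import datetime, timedelta

# Constructed sample register of temporary privilege grants.
# Names, roles and times are illustrative and not taken from the article.
GRANTS = [
    {"user": "alice", "role": "super_admin",
     "granted_at": "2024-03-01T08:00:00+00:00", "ttl_hours": 10, "revoked": False},
    {"user": "bob", "role": "super_admin",
     "granted_at": "2024-03-01T09:00:00+00:00", "ttl_hours": 8, "revoked": True},
    {"user": "carol", "role": "db_admin",
     "granted_at": "2024-03-02T07:00:00+00:00", "ttl_hours": 24, "revoked": False},
]


def parse(ts):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(ts)


def stale_grants(grants, now):
    """Return grants whose TTL has elapsed but which were never revoked.

    Each returned record carries an extra 'expired_for' timedelta so the
    reviewer can see how long the elevation has outlived its purpose.
    """
    stale = []
    for g in grants:
        if g["revoked"]:
            continue  # cleanly closed out; nothing to review
        expires_at = parse(g["granted_at"]) + timedelta(hours=g["ttl_hours"])
        if now >= expires_at:
            stale.append({**g, "expired_for": now - expires_at})
    return stale


def report(grants, now):
    """Human-readable lines for a review ticket or a scheduled job's output."""
    lines = []
    for g in stale_grants(grants, now):
        hours = g["expired_for"].total_seconds() / 3600
        lines.append(f"STALE: {g['user']} still holds {g['role']} "
                     f"{hours:.1f}h past expiry; revoke and record why it was missed")
    return lines


if __name__ == "__main__":
    # Review run the morning after alice's one-day elevation should have ended.
    for line in report(GRANTS, parse("2024-03-02T09:00:00+00:00")):
        print(line)
```

Running the review on a schedule turns Krishnan's "go back and revoke" from something that depends on memory into a check that fires whether or not other issues came up; the same register also gives the holistic post-pentest review Meredith asks for a concrete list of what changed since the baseline.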
5. Disregarding the user
Although most security professionals realize the user is the weakest link, many disregard users as part of the solution, claiming “there is no patch for stupidity,” said Corey Nachreiner, CTO of WatchGuard. “The truth is, user training can be a key aspect of your security strategy if you’re willing to make education a priority,” he said. “Even small changes in employee behavior will improve your security posture.”
Even if your technology is best-in-class, if users aren’t educated on how to act and think with respect to security, there will always be problems, said Andrew Hamilton, CTO of Cybriant.
6. Letting your skills lapse
Assuming you have all the skills you need in the field is a dangerous habit, said Andrew Newman, CEO and founder of Reason Core Security. “In this line of work, you need to keep refreshing your skills or you can and will fall behind,” he said.
7. Not patching immediately
Companies often spend thousands of dollars on security solutions, only to have them bypassed by something as simple as not applying a security patch right away, Meredith said. Take the recent WannaCry and GoldenEye attacks: Companies that had implemented a complete security configuration management system weren’t affected, because Microsoft had already patched these vulnerabilities. However, many companies fail to apply critical security updates until at least a week after they are released, putting them at risk, Meredith said.
8. Alert fatigue syndrome
Alert fatigue syndrome is the term coined to explain the phenomenon of cybersecurity analysts not responding to security alerts because they are flooded with so many, said Matt Warner, director of security services at NetWorks Group. “As a result, important ones get missed and threats are not detected on time,” he said. “There is no easy fix for this other than ensuring that systems are tuned to ensure that only the most important security alerts, based on severity and confidence, are forwarded to an analyst for taking appropriate actions.”
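Warner's fix is tuning: forward only alerts whose severity and confidence clear a bar. The following is an added example, not code from the article or NetWorks Group, showing one way to express that bar as a triage stage that also records why each alert was held back, so a paranoid tuning (the false-positive problem Pozhogin raises under item 3) is visible in the suppression counts rather than silent. The alert records, rule names and thresholds are constructed; the duplicate-suppression step goes slightly beyond the quoted advice and is an assumption of this example.

```python
from collections import Counter

# Constructed sample alerts as a detection pipeline might emit them.
# severity is 1..5, confidence is 0..1; rule and host names are illustrative.
ALERTS = [
    {"id": 1, "rule": "suspicious_powershell", "severity": 5, "confidence": 0.9, "host": "ws-01"},
    {"id": 2, "rule": "port_scan", "severity": 2, "confidence": 0.95, "host": "ws-02"},
    {"id": 3, "rule": "heuristic_packer", "severity": 4, "confidence": 0.3, "host": "ws-03"},
    {"id": 4, "rule": "suspicious_powershell", "severity": 5, "confidence": 0.9, "host": "ws-01"},
    {"id": 5, "rule": "credential_dump", "severity": 5, "confidence": 0.6, "host": "srv-07"},
    {"id": 6, "rule": "dns_anomaly", "severity": 3, "confidence": 0.4, "host": "ws-04"},
]


def score(alert):
    """Combined priority: severity weighted by how sure the detector is."""
    return alert["severity"] * alert["confidence"]


def triage(alerts, min_severity=3, min_confidence=0.5, min_score=2.5):
    """Split alerts into those forwarded to an analyst and those suppressed.

    Returns (forwarded, suppressed) where suppressed is a list of
    (alert_id, reason) pairs so tuning decisions can be audited later.
    """
    forwarded, suppressed, seen = [], [], set()
    for a in alerts:
        key = (a["rule"], a["host"])
        if key in seen:  # assumption: same rule on same host within the batch is a repeat
            suppressed.append((a["id"], "duplicate"))
            continue
        seen.add(key)
        if a["severity"] < min_severity:
            suppressed.append((a["id"], "low_severity"))
        elif a["confidence"] < min_confidence:
            suppressed.append((a["id"], "low_confidence"))
        elif score(a) < min_score:
            suppressed.append((a["id"], "low_score"))
        else:
            forwarded.append(a)
    # Highest combined score first so the analyst sees the worst item at the top.
    forwarded.sort(key=score, reverse=True)
    return forwarded, suppressed


def suppression_summary(suppressed):
    """Count suppressed alerts by reason; a spike in one reason means retune."""
    return dict(Counter(reason for _, reason in suppressed))


if __name__ == "__main__":
    fwd, sup = triage(ALERTS)
    for a in fwd:
        print(f"FORWARD id={a['id']} {a['rule']} on {a['host']} score={score(a):.2f}")
    print("suppressed:", suppression_summary(sup))
```

The thresholds are deliberately parameters: the tuning Warner describes is an ongoing exercise, and reviewing the suppression summary alongside missed-detection reports is how a team learns whether the bar is too high (threats dropped) or too low (analysts flooded again).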
9. Relying too heavily on third-party vendors
Companies sometimes rely too heavily on hardware and software vendors to protect them from security incidents, Meredith said. “As cybersecurity professionals it’s our job to stay ahead of the attackers,” he said. “While security hardware and software solutions are a cog in our security environment, they are simply that: One cog in a massive amount of resources.”
With so many offerings on the market, cybersecurity professionals may also fear missing out on the latest artificial intelligence or machine learning alternatives to their current tools, said Christopher Ensey, COO of Dunbar Security Solutions. “I would advise anyone buying cybersecurity products to make sure they are getting the most out of their current assets before taking a leap on the next-gen something or other,” he added.
10. Ignoring the business side
Cybersecurity is an industry full of acronyms, such as IPS, GAV, XSS, and SQLi, said Nachreiner. While these are helpful when talking to fellow industry professionals, you need to remember that many business owners do not use this language. “Know your audience,” Nachreiner said. “How you speak to the C-level about security is quite different than what you’d cover with the IT managers and administrators.”
If your security organization has to explain an incident, request budget, or advocate for a particular action, chances are that the decision maker is not deeply technical, said Sandy Carielli, security technologies director for Entrust Datacard. “We need to be able to communicate with business leaders in business terms,” she said. “Bringing a technical argument to business leaders is bringing a knife to a gunfight.”
Gaining a wider understanding of an organization’s business needs is also key for cybersecurity professionals, said Joe Partlow, CTO of ReliaQuest. “Focusing too closely on the security side, without the larger context of what a business needs to be successful and how fast it needs to move, will render even the best security tactics useless,” he said. “At the same time, it is equally important that C-suite business leaders understand the role and capabilities of a security team.”