The most challenging thing about cybersecurity is the frequency at which it evolves. Many tactics that worked just a few years ago are no longer valid in today’s ecosystem. Here are a few obsolete cybersecurity practices that are doing more harm than good – and that you should be rid of sooner rather than later.
Technology has evolved more in the past several decades than it has over the entire course of human history. And that breakneck pace of evolution shows no signs of stopping. It’s a bit staggering to think about.
- In 1980, the Internet was little more than a private network for the military. Today, it’s the most powerful communication and informational tool ever created, and Internet access is considered a utility like electricity or water.
- In 2000, smartphones were largely used for phone calls and little else. Today, they’re used for everything from communication to entertainment, and even a mid-range smartphone is more powerful than a 1970s supercomputer.
- In 2010, the Internet of Things was still little more than a pipe dream, all potential and little payoff. Today, we’re connecting everything to the web, from light bulbs to refrigerators to transport trucks.
You get the idea.
With such rapid evolution, you’d expect cybersecurity to keep pace. In many cases, however, it doesn’t. Too often, organizations approach security today in the same way they’d approach it five, ten, or even fifteen years ago.
In so doing, they’re putting themselves at risk. Even assuming they keep their systems up to date and train their employees properly, they are still vulnerable. They still risk their data being compromised.
The good news is that if you’re aware of these shortcomings, it’s fairly easy to shift away from them. Here are a few of the more egregious practices that you need to kill off if you value your data.
1. SMS Authentication
- The problem: Multi-factor authentication is a good thing. Everyone should use it. That’s not up for debate.
Even so, I cannot help but cringe when a system includes SMS as part of its authentication process. They might as well not even bother. Because they rely on outdated infrastructure that was never designed with cybersecurity in mind, text messages are remarkably simple to hijack.
“Weaknesses in the cellular network [allow text messages to be intercepted in transit],” reads a piece on The Verge. “Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are several known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces.”
- What you should do instead: There are plenty of authenticator apps available online. Google and Microsoft both provide them, as do third-party services such as Authy or LastPass. And if your organization leverages internally-developed apps, you can easily work biometric authentication or device-based authentication into those platforms.
2. Forced Password Changes
- The problem: If your business uses passwords to control access to sensitive systems and applications, it’s only sensible to enforce regular password changes. After all, doing so protects you against brute force attacks, and helps ensure compromised passwords are rendered obsolete. There’s just one problem.
In practice, it doesn’t work that way. If there’s one issue the average IT helpdesk deals with more than any other, it’s forgotten passwords. People already struggle to remember login data for streaming services, social media, dating apps, game accounts, and so on.
Forcing them to memorize another password, particularly one with a whole list of arbitrary requirements, is counterproductive. So much so that the National Institute of Standards and Technology recommends against it. When people are forced to create new passwords, one of two things frequently happens:
- They forget their password almost immediately and have to contact the helpdesk repeatedly.
- They use a password they’re already using elsewhere.
- What you should do instead: In the short-term, forget everything you think you know about passwords. The traditional idea of a ‘secure’ password is itself obsolete. Consider the following two passwords, for instance:
Traditional knowledge says the first is the more secure of the two. Yet when both passwords are entered into Kaspersky’s Secure Password Checker, it’s the second one that’s stronger. More importantly, the second one is far simpler to memorize than the first.
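As an added illustration of the two points above (the NIST guidance against composition rules and forced rotation, and length beating symbol-juggling), here is a policy check written for this article, not code from the original, Kaspersky, or NIST. The breach blocklist and the two candidate passwords are constructed; the "complex" one is a leetspeak variant of a breached word, which is exactly why checkers rank it weak.

```python
import math
import re

# Constructed stand-in for a breached-password corpus; NIST SP 800-63B says to
# screen every new password against such a list instead of imposing composition rules.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome"}

# Common substitutions attackers already try; undoing them before the blocklist lookup
# is what turns "P@ssw0rd1!" back into "password".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})


def canonical(pw: str) -> str:
    """Lower-case, undo leetspeak, drop the trailing digit/symbol tail people bolt on."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET))


def entropy_bits(pw: str) -> float:
    """Naive brute-force ceiling: length * log2(alphabet size).
    It overstates dictionary-based strings, so pair it with the blocklist check."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # remaining printable ASCII, space included
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, min_len: int = 8, max_len: int = 64) -> list:
    """NIST-style acceptance: minimum length, a generous maximum, blocklist screening.
    No character-class rules and no expiry date; rotate only on evidence of compromise.
    Returns the list of failures, empty when the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in BREACHED or canonical(pw) in BREACHED:
        problems.append("appears in breach blocklist")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "purple tractor eats quiet snow"):  # constructed
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, {check_password(candidate)}")
```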
In the long-term, it might be worthwhile to move away from password-based authentication entirely. The fact is, no password is 100 percent infallible. Moreover, even the most secure password can be stolen through a keylogger or a phishing attempt.
The good news is that there may be an alternative just over the horizon, thanks to solutions such as FIDO2, a set of specifications and best practices developed by a consortium of technology leaders.
3. Shunting Cybersecurity Entirely Onto The IT Department
- The problem: Traditionally, the IT department is the guardian of all things technological. They are the gatekeeper for applications and services, the authority on acceptable use, and the master of digital workflows. This is no longer the case.
Today, the end-user is more empowered than ever. Technology is a fundamental component of workflows throughout every organization. And data breaches and leaks can occur in more ways than we ever imagined.
“Gone are the days when companies could pass the headaches of cybersecurity to the IT department,” reads a piece on Forbes by Telstra Director of Security Solutions Neil Campbell. “It has become more of a business issue…businesses are more digitized, meaning they are exposed to an increasing number of threats if they do not manage the risk of security properly.”
- What you should do instead: Include everyone in the conversation about cybersecurity. And I mean everyone. And don’t just approach cybersecurity as a means of risk management and threat mitigation, either.
It should be treated as a facet of employee enablement. The question should not simply be how you protect your business against a particular cyber-threat. It should instead be how you can better enable your employees whilst still maintaining data integrity, confidentiality, and an overall positive security posture.
To that end, the steps you should take include…
- Build security into your organizational culture. Every employee should understand that they have an important role to play in keeping your data safe.
- Balance convenience and security. An employee’s workflows should ideally never be interrupted or impeded in the interest of keeping your data safe – but neither should you put your data at risk for the sake of productivity.
- Educate. Train. Focus. Brainstorm mindfulness and security awareness programs for employees that will allow them to recognize phishing scams and other common social engineering attacks.
The technology present in today’s enterprise is so different from that of several years ago that it might as well be a completely different world. Your security practices must evolve to keep pace with that. Because at the end of the day, if they don’t?
You might as well give criminals the keys to your business.