Investing in too many cybersecurity tools could hurt defenses

Editor’s note: The following is a guest article from Samuel Bocetta, a former Department of Defense security analyst and technical writer focused on network security and open source applications.

Overinvesting in cybersecurity tools can hurt corporate defenses, a new study shows. 

Companies that use over 50 cybersecurity tools scored 8% lower in their ability to mitigate threats, and 7% lower in their defensive capabilities, compared to other enterprises employing fewer toolsets, according to IBM’s annual Cyber Resilient Organization Report released in June.

Although it seems counterintuitive, the statistics make sense. While programs, software and tools are essential to any cybersecurity defense plan, these must work in tandem with employees who are adequately educated.

Employees who do not understand the basics of cybersecurity and struggle with complex and fragmented cybersecurity tools are a risk to any enterprise.

What emerges is the importance of educating employees about proper cybersecurity practices, developing and communicating a cybersecurity incident response plan (CSIRP), and having cybersecurity experts in your company. 

How to educate employees about cybersecurity

Although companies that invest in cybersecurity tools have increased by 18% in the past five years, many of these same companies are reporting they are 13% less effective at containing active threats. 

Companies must keep in mind that education is still the best tool in protecting from digital attacks. If employees have access to cybersecurity programs they don’t know how to use and are never trained in best practices for cybersecurity, the investment will remain pointless.

Keep in mind that cybercriminals frequently look for the weakest link within an organization, and may actively target workers whom they believe are less informed about cybersecurity protocols and more likely to fall for their traps.

Ironically, sometimes the easiest actions have the most impact. It is vital to have a conversation with employees about the importance of password management. Many people use simple passwords over and over again to prevent the hassle of forgetting them, but this is actually a common way cybercriminals hack into accounts. 

It is difficult for even the best cybersecurity program to prevent a user with the correct password from accessing an account. Companies that are serious about protecting their assets, clients and employees will invest in a password manager and the necessary training in how to use it.

Password managers are an inexpensive way of ensuring workers have complex, strong passwords that never get forgotten and don’t need to be recorded somewhere that is at risk of being discovered. 

Developing company policies for cybersecurity and enforcing them is also crucial. 

One important company policy to consider is requiring all employees to update their software when prompted. It is easy for workers to ignore software updates because of the inconvenience of having to download them and restart their computers, but these updates are created due to the constant evolution of new cyberattacks.

Consider asking IT teams to conduct random audits to ensure everyone is following the policies.

The best cybersecurity tool is your people

Companies should consider investing in a cybersecurity analyst, or train existing IT staff so they can become proficient in cybersecurity. Although hiring a cybersecurity analyst with a degree and professional certifications is preferred, many self-taught white hat hackers have more relevant experience and skills than those with college degrees. 

If you don’t already have one, a goal for your IT team should be to develop a CSIRP. Successful CSIRPs should include a communication strategy with a clear chain of command and address the top security problems within your industry or company. 

Appropriate procedures and protocols should be planned prior to an attack, and each plan should be individualized depending on the type of incident. 

Take care to develop and monitor KPIs that are specific to cybersecurity incidents. KPIs that gauge a company’s current effectiveness at security risk mitigation include how many security incidents are reported in a specific time frame, whether that number is increasing or decreasing, and the average time it takes to address a security concern.
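As an added example (not from the article), the three KPIs named above computed in Python over a constructed set of incident records; the record layout, field names and timestamps are assumptions, and open incidents are excluded from the resolution-time average rather than counted as zero:

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data): when each incident
# was reported and when it was resolved; None means it is still open.
INCIDENTS = [
    {"id": "INC-1", "reported": "2020-04-02T09:15", "resolved": "2020-04-02T13:45"},
    {"id": "INC-2", "reported": "2020-04-11T22:00", "resolved": "2020-04-13T08:30"},
    {"id": "INC-3", "reported": "2020-05-04T10:00", "resolved": "2020-05-04T11:00"},
    {"id": "INC-4", "reported": "2020-05-18T16:20", "resolved": None},
    {"id": "INC-5", "reported": "2020-06-01T08:00", "resolved": "2020-06-01T20:00"},
    {"id": "INC-6", "reported": "2020-06-09T14:30", "resolved": "2020-06-10T02:30"},
    {"id": "INC-7", "reported": "2020-06-22T07:45", "resolved": "2020-06-22T09:45"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def incidents_per_month(incidents):
    """KPI 1: number of incidents reported in each calendar month."""
    counts = {}
    for inc in incidents:
        month = _parse(inc["reported"]).strftime("%Y-%m")
        counts[month] = counts.get(month, 0) + 1
    return dict(sorted(counts.items()))

def trend(counts):
    """KPI 2: is the latest month's count up or down versus the month before?"""
    months = sorted(counts)
    if len(months) < 2:
        return "insufficient data"
    last, prev = counts[months[-1]], counts[months[-2]]
    if last > prev:
        return "increasing"
    return "decreasing" if last < prev else "flat"

def mean_time_to_resolve_hours(incidents):
    """KPI 3: average hours from report to resolution. Still-open incidents
    are skipped; counting them as zero would flatter the number."""
    durations = [
        (_parse(i["resolved"]) - _parse(i["reported"])).total_seconds() / 3600
        for i in incidents if i["resolved"] is not None
    ]
    return round(mean(durations), 2) if durations else None

if __name__ == "__main__":
    counts = incidents_per_month(INCIDENTS)
    print(counts, trend(counts), mean_time_to_resolve_hours(INCIDENTS))
```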

If your company has already fallen victim to a cyberattack, don’t despair. Security breaches are excellent learning opportunities.

You can take this time to take an in-depth look at what went wrong, how your company can handle this situation better in the future, and document and communicate new CSIRPs based on your experience.

Coronavirus, remote work and the survival of the fittest

The onslaught of the coronavirus has revealed which companies are fit and which are fragile in terms of digital protection.

Quickly quitting offices in favor of work-from-home arrangements has been a shock for enterprises that are not digitally savvy. Those companies are not likely to survive in the long term.

This is not only because of the delay in the ability to work caused by the recent stay-at-home advisories but because of the increasingly competitive landscape that will demand adaptability.

Healthcare has been the hardest hit of all industries. This is due to clever cybercriminals taking advantage of an already-hectic situation in the industry, and the treasure trove of personal data healthcare companies frequently have access to.

Many businesses have allowed their employees to work from home without ever giving them access to the proper resources. Employees are working remotely from their personal laptops, connected to public Wi-Fi connections, and sharing their computers with family members and friends who may download or click on risky files unbeknownst to anyone else. 

It is important to teach your employees to be mindful of any unexpected work-related links, files or invitations to video conferences: cybercriminals frequently send these disguised as work-related emails from a colleague.

Remind employees to double-check email addresses before opening a link or file. If a suspicious video conference request arrives from an unknown email address, encourage workers to call their supervisor to confirm that this is a legitimate virtual event. 

Most importantly, companies with remote workers must demand the use of a VPN. The most effective VPN applications today use a form of encryption called AES, which masks a user’s IP address, so their online actions are untraceable.

This is great for those working from home on their own internet connections but absolutely essential for those who work in cafes or in other public Wi-Fi spots. 

Be sure to request that employees use a VPN on their smartphones as well, so there is no danger to your company’s data as they scroll through emails while out and about. A company that does not require and enforce the use of a VPN, one of the easiest and cheapest cybersecurity tools out there, is asking for a cyberattack.

Once again, education is key to ensure employees know how to properly use a VPN. 

Don’t throw money at the problem

It is important for companies to invest in a wide array of cybersecurity tools and programs. However, this will never replace the importance of educating and empowering all employees regarding the use of these programs, and training them in basic cybersecurity practices. 

Companies that want to compete in the future must ensure that they are adaptable to new technological developments.

The coronavirus pandemic has revealed which companies have cybersecurity protocols and safe remote work policies, and which ones are scrambling to get their act together. The key to this is not only having the right tools but educating employees and having solid CSIRPs in place to quickly respond to a security incident when it arises. 

Don’t be fooled into thinking cybersecurity is a complicated matter that can only be handled by professionals and expensive tools. The best cybersecurity practices start with employees and are easy to implement with the right levels of communication and enforcement.