Following recent high-profile breaches and vulnerabilities like Heartbleed, organizations around the world are becoming increasingly aware of, and interested in, their cyber defense strategies. However, risky behavior is still rampant. In the first of a Threat Geek series on real-world examples of risky behavior, Ryan Vela describes the riskiest behavior he has seen: ignoring known security vulnerabilities and threats. He then discusses ways organizations can overcome this behavior.
When a company ignores security vulnerabilities, it is usually the result of an organizational culture in which, for whatever reason, potential problems are not reported properly. I have seen this culture in effect during, and prior to, every breach case I have worked in the past decade. The following scenarios are all too common in many organizations. Caveat: I am not talking about situations where security personnel are unaware of vulnerabilities or threats. That is an entirely different situation, and arguably just as risky; the scenarios below all involve a vulnerability or threat that somebody already knows about and does not report.
Risk: Security personnel do not report vulnerabilities or threats because they want to show that everything is under control and addressed during normal patch schedules.
Solution: Never, ever assume that you have every vulnerability and threat under control. Never, ever assume that your patch schedule will adequately address threats. A routine patch cycle is built around vendor release cadence, not around the attacker's timeline; a vulnerability that is being actively exploited needs to be reported and escalated, not held until the next scheduled window.
Risk: Security personnel do not report vulnerabilities or threats because they believe there is no funding to fix them.
Solution: Funding may not be in your control, but reporting is. If you don't report it, you are 100% assured you will never get funding. So cover yourself for when a breach happens and report anyway: a documented, unfunded risk is a leadership decision; an unreported one is your problem.
Risk: IT personnel do not report vulnerabilities or threats because it is not their job. Their job is to keep the network up and running.
Solution: Security is everybody's job and should be included in every performance review. All IT personnel should pay attention to vulnerabilities and threats and report them; the people who keep the network running are often the first to notice an unexpected service, account, or configuration change, and they need a clear, low-friction path to report it.
All of these risky behaviors boil down to an organization's culture, which must be changed from the top down. Security personnel can try their hardest to change the culture by chipping away at the bad habits grown over the years, but ultimately, changing the culture so that security is treated as everyone's job is the responsibility of the organization's leaders.