date 2020-01-16

During the past two months, I have been approached by four different businesses asking me to help and support them through security breaches that had occurred. In each case there were common themes:

Each company had a CISO or a person who had ownership of information security

Each security breach went unidentified until clients reported suspicious activity

Password compromise was the root cause of each security breach

Each business had limited visibility of the risks of not using appropriate password controls

My concern and frustration arise from the fact that each breach could easily have been prevented by doing the basics. My objective for this blog post is to identify each of the common mistakes and outline the controls and processes that could have been put in place to prevent each breach.

Cybersecurity Ownership

It is now becoming common for a business to have a person or persons responsible for cybersecurity. However, a business is not more secure simply because someone holds the job title of CISO or data protection officer. In each of the recent cases I asked the business and the person responsible for cybersecurity the following questions:

What is your scope for cybersecurity?

What are the key assets that you are protecting?

What are the top 10 security risks in your business?

How do you categorize risk?

In every case the business failed to answer any of the above questions and, more importantly, did not understand how they might be targeted or why someone would want to target them. Nor did they know what makes them vulnerable, or how a successful attack might impact them. So, my point is that having a person responsible for cybersecurity does not imply the business is secure, or that the risks have been understood and the appropriate actions taken. Cybersecurity requires a team effort across all levels of a business. A person with the title of CISO or data protection officer but limited support and buy-in across the business will have limited to no effect on reducing cyber-risk. On a final note, I am also noticing a trend of people moving into cybersecurity and data protection roles with limited knowledge of cybersecurity, and without the ability to clearly present and explain what risk means relative to the business.

“I would highly recommend that all businesses consider the risks of having weak password controls and the effects of password spraying”
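The closing line warns about password spraying, and the findings above note that every breach went unnoticed until clients reported it. As an added illustration (not code from the original post), the Python below shows the kind of visibility that was missing: a spray stays under per-account lockout thresholds, so the detector keys on a single source touching many distinct accounts with a low failure count each inside a short window, then checks whether that source logged in successfully afterwards. The log line format, IP addresses and account names are constructed for the example and do not come from any real system.

```python
"""Password-spray detection over authentication log lines (added example).

A spray tries one or two common passwords against MANY accounts, so each
account sees only a failure or two and never locks out.  Per-account
failure counts therefore look normal; the signal is one source address
hitting many distinct usernames in a short window, followed by a success.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any real product):
#   "<ISO-8601 timestamp> <OK|FAIL> user=<account> src=<source IP>"
# 203.0.113.7 sprays six accounts once each and then gets into "grace";
# 198.51.100.2 is a legitimate user mistyping their own password twice.
SAMPLE_LOG = """\
2020-01-15T09:00:01 FAIL user=alice src=203.0.113.7
2020-01-15T09:00:03 FAIL user=bob src=203.0.113.7
2020-01-15T09:00:05 FAIL user=carol src=203.0.113.7
2020-01-15T09:00:07 FAIL user=dave src=203.0.113.7
2020-01-15T09:00:09 FAIL user=erin src=203.0.113.7
2020-01-15T09:00:11 FAIL user=frank src=203.0.113.7
2020-01-15T09:00:13 OK   user=grace src=203.0.113.7
2020-01-15T09:05:00 FAIL user=alice src=198.51.100.2
2020-01-15T09:05:04 FAIL user=alice src=198.51.100.2
2020-01-15T09:05:09 OK   user=alice src=198.51.100.2
2020-01-15T10:00:00 OK   user=bob src=192.0.2.10
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_failures_per_account=3):
    """Return {src: finding} for every source that looks like a spray.

    A source is flagged when, inside `window`, it fails against at least
    `min_accounts` distinct accounts while hitting each of those accounts
    no more than `max_failures_per_account` times (the low-and-slow shape
    that evades per-account lockout).  Successful logins from the same
    source during or shortly after the spray are reported as the likely
    compromised accounts.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        for i, start in enumerate(failures):
            in_window = [f for f in failures[i:]
                         if f["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for f in in_window:
                per_user[f["user"]] += 1
            # Only accounts with a LOW failure count count towards the spray;
            # a single hammered account is lockout-style brute force instead.
            sprayed = sorted(u for u, n in per_user.items()
                             if n <= max_failures_per_account)
            if len(sprayed) < min_accounts:
                continue
            end = in_window[-1]["ts"]
            successes = sorted({e["user"] for e in evs if e["ok"]
                                and start["ts"] <= e["ts"] <= end + window})
            findings[src] = {"accounts_tried": sprayed,
                             "logins_after_spray": successes}
            break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, f in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(f['accounts_tried'])} accounts, "
              f"successful logins afterwards: {f['logins_after_spray']}")
```

Run as-is, the script flags 203.0.113.7 (six accounts, one failure each, then a successful login as grace) and stays quiet about 198.51.100.2, whose two failures against a single account are what a per-account lockout rule is built for. The thresholds are starting points; tune `min_accounts` and `window` to the size of the user base, and feed the output into whatever alerting the business already has rather than waiting for a client to call.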