
How Organizations Can Uncover Cybersecurity Skeletons In Their Closet

Published: July 8, 2023 | Created: July 8, 2023

By John Sullivan

Cybersecurity risks are so pervasive that every organization has a few skeletons in the closet. There is little remedy for the most severe examples—such as sweeping a data breach under the rug—since these stem from a culture of avoidance at the highest level.

There are, however, solutions for many other risks that stem from a lack of visibility and user awareness, two problems that can prevent organizations from realizing that they have skeletons in the closet.

Some common technology risks include unmanaged devices, unpatched vulnerabilities and misconfigurations that could be exploited in attacks. End-user risks, on the other hand, include poor password practices, social engineering attacks and insider threats.

In this article, I’ll share examples of these risks, their impact and best practices for fixing them.

Unmanaged, Misconfigured And Exposed Technology Risks

Unmanaged devices are those that connect to the enterprise network but are not managed by IT or security teams, making it difficult to monitor them. According to Cybersecurity Insiders, 22% of organizations confirmed that unmanaged devices with access to corporate resources had been infected with malware, yet 49% of organizations were unsure or unable to disclose whether the same could be said of them—evidence that they lack the visibility into these risks.

Misconfiguration errors are another overlooked source of risk. According to Gartner, as cited by Security Boulevard, misconfigurations will be responsible for 99% of firewall breaches through 2023. Misconfigured SSL certificates can expose an organization’s attack surface. Misconfigured admin accounts make it easier for attackers to escalate the privileges they need to compromise an organization. The rise of cloud computing exacerbates this risk and the challenge of gaining visibility into it, as Gartner has also predicted that 99% of cloud security failures will be the customer’s fault through 2025.

Vulnerable systems are another common cybersecurity skeleton in the closet. These may be legacy systems that no longer receive security updates or industrial systems that are more challenging to update, but most of the time, organizations are simply slow to patch. Research reveals that it takes an organization an average of 60 days to patch a vulnerability, yet a vulnerability begins to be exploited less than a week after it has been publicly disclosed.

Poor Passwords, Social Engineering And Insider Threats

There are a variety of poor password policies that can introduce unnecessary risk, such as passwords that are too short or default passwords that are never changed.

Password reuse is harder to monitor. According to Microsoft, 73% of employees use the same password for their work account as for their personal account. This sort of password reuse makes it easy for attackers to brute-force their way into an organization by trying passwords exposed in public data breaches and leaks.
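The defensive counterpart to the reuse problem described above is to screen passwords at set-time against minimum length, known defaults and a breach corpus. The following is an added example, not code from the article or its author: the default-password list and the tiny "breach corpus" of SHA-1 digests are constructed for illustration, and `range_lookup` simulates the k-anonymity range query pattern (send only the first five hex characters of the hash, compare suffixes locally) that real breach-check services use. SHA-1 appears here only because that is the corpus convention being matched, not as a way to store credentials.

```python
"""Screen a candidate password against length, default-password and breach-corpus checks.

Added example (not from the article). The DEFAULT_PASSWORDS set and the
BREACHED_SHA1 corpus are constructed for illustration; a real deployment would
consult a curated external corpus through a k-anonymity range lookup.
"""
import hashlib

MIN_LENGTH = 12

# Constructed list of vendor-style defaults that a policy should never accept.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "Welcome1"}

# Constructed "breach corpus": uppercase SHA-1 hex digests of leaked passwords.
# SHA-1 is used only because it is the corpus convention being matched; never
# use it to store credentials.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2023!", "P@ssw0rd", "letmein123", "qwerty123456")
}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set[str]:
    """Simulate a k-anonymity range query.

    The caller sends only the first 5 hex characters of the hash and receives
    every corpus suffix sharing that prefix, so the lookup service never learns
    the full hash (and therefore not the password) being checked.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 suffix appears among the returned range."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def evaluate_password(password: str) -> list[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means the password passes every check.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    if is_breached(password):
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023!", "admin", "correct-horse-battery-staple"):
        verdict = evaluate_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The separation between `range_lookup` and `is_breached` is deliberate: the prefix query is the only part that would cross a network boundary in a real deployment, and keeping it isolated makes it easy to swap the constructed corpus for a live range endpoint without touching the policy logic.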

Similarly, social engineering encompasses a variety of attacks that seek to circumvent technical security controls by preying on the human nature of end users. Phishing attacks are one of the most common and effective types of social engineering attacks. According to the Verizon Data Breach Incident Report, 25% of all data breaches involve phishing. The rise of AI-enabled chatbots is enabling less sophisticated attackers to generate and automate even more convincing scams and spam.

Unlike the two threats above, insider threats span both unwitting and malicious insiders. For example, employees who reuse passwords or fall for social engineering attacks are both examples of unwitting insiders. Malicious insiders include employees who take data (e.g., sales contact info) from their company when they leave for a new job, as well as more severe forms of corporate espionage. Unfortunately, nearly two-thirds of employees admit to bringing data from a previous employer to their new job.

The Hero Your Organization Deserves

It can take a heroic effort to address such a broad swath of risks. One of my favorite heroes is Indiana Jones for his ability to combine an adventurous spirit of exploration with the academic pursuit of higher education. It turns out that cybersecurity programs could learn a lot about addressing skeletons in their closet from this courageous archeologist.

Just as an archeologist might piece together fragments of an artifact to reconstruct its form, a cybersecurity professional might piece together fragments of digital evidence to determine the nature of a cyberattack. In both cases, the goal is to gain a deeper understanding of the past, present and future and to use that understanding to make informed decisions.

Likewise, just as a professor provides ongoing feedback and assessments to help students improve their understanding and mastery of the subject matter, cybersecurity training includes regular assessments and evaluations to help employees identify areas where they need improvement and to measure the effectiveness of the training program.

On top of this, companies should ensure they are current on, and actively practicing, cybersecurity best practices, which can help to reveal and resolve the skeletons in their closet. These include conducting risk assessments, keeping software up to date, encrypting sensitive data, monitoring for suspicious activity and using strong passwords and multifactor authentication.

By having the right mindset, training employees and implementing these best practices, you can uncover—and hopefully, get rid of—hidden skeletons and work to keep your organization safe from harm.


https://www.forbes.com/sites/forbestechcouncil/2023/07/07/how-organizations-can-uncover-cybersecurity-skeletons-in-their-closet/?sh=2741e215381d

