You don’t have to look far to find news of amajor data breachthese days. It seems as though cyber security is a term sitting front and center on many minds while damage from malicious attacks continues to accumulate.

“Cyber security is ever-changing and a bit scarier than most people think,” says Taher Hamid, IT professional and marketing manager withAlltek Services。“If a criminal gets access to your network they can lock up all of your data, but they can also steal sensitive data from your clients.”

Despite the potential for disastrous results, many organizations are still struggling to treat cyber security like a business-ending, bottom-line financial threat. And the companies who’d like to ante up find it hard tokeep up with the speed of cybercrime。As cyberattacks become more common, that failure has greater likelihood of becoming expensive. One thing is for sure: If businesses can’t afford a top-notch cyber security team, they definitely can’t afford to be in the dark about information security either.

“Common sense security practices will stop the vast majority of threats,” Hamid says. “Unfortunately, many organizations don’t even have the easy stuff in place.”

So what issues keep information security pros and business leaders up at night? To get a better picture of the threats in the cyber landscape, we asked professionals in cyber security to share some of the most common cyber security problems they see.

The top cyber security problems organizations are facing

Cyber security problems can range from things as granular as out-of-date software to large-scale struggles like a lack of support from leadership teams. The following is a sampling of the most common issues facing information security professionals and the organizations they serve.

1. Recognizing that you are a target

Small organizations don’t always realize that their assets and data are still attractive to cyber criminals. “In our modern economy, most companies have things that attackers want—information and money, says Matthew Eshleman, CTO ofCommunity IT。“Cyber threats face organizations of every size.”

A basic grasp of cyber security best practices would be a huge step in the right direction for many companies, says Kevin Raske, cyber security marketing specialist atVipre。“It means being constantly aware that you are a target. The majority of breaches occur because of human error.” Acknowledging that attackers might come after your company is step No. 1 to developing a defense.

2. Underfunded cyber security teams

“Between managing active threats, training staff and compliance requirements, it’s easy for cyber security teams to get overwhelmed as their companies scale,” says Andrew Douthwaite, CTO atVirtualArmour。“供不应求的市场高ly trained cyber security professionals doesn’t help in this regard.”

Many in-house cyber security teams spend most of their days putting out fires, leaving little time to proactively develop future strategies and provide guidance to team members, Douthwaite says. Without the time or resources to look ahead, cyber security professionals may struggle to take the measures that would truly benefit their security long-term.

“Ultimately it comes down to bandwidth and budget, but business leaders need a realistic plan to scale their cyber security capabilities as they grow.”

3. Missing security patches

“Out of the 100+ vulnerability assessments that I have run for various organizations, there are always security patches missing from their equipment—typically user workstations and laptops,” says Courtney Jackson, CEO and cyber security expert atParagon Cyber Solutions LLC。

“It may seem like a small issue but it isn’t,” Jackson says. “The security patches are published to address identified vulnerabilities. Delaying the installation of new security patches puts organizations’ assets at risk.”

4. Lax email security

“Without a doubt, ransomware is one of the largest threats facing organizations of all sizes,” Raske says. These days, anyone can buy ransomware ready-made and launch their own attacks.

Raske cites the2019 Verizon Data Breach Investigations Report findingsthat ransomware makes up 24 percent of the malware impacting companies—and over 90 percent of all malware is delivered into networks via email.

It seems pretty foolish for a company to ignore email security strategies, but Raske says it happens far more often than you might think. “The general email spam filtering that you see in basic email clients is not enough. Email filters develop to stop malicious messages, but cybercriminals have shifted to utilizing attachments to launch malware on devices and networks,” Raske says.

Given the sheer volume of emails traveling to, from and within an organization in a day, this is an issue area that has a high chance of causing harm. “A simple Microsoft Office macro could bring down the entire network. Over 40 percent of malware is actually delivered via attachment.”

5. Losing sight of the ‘backup plan’

“Most companies don’t see backups as part of their cyber security initiative,” says Marius Nel, CEO of360 Smart Networks。He explains that people often rely on systems or services to keep their data protected and forget to consistently back up their data as a fail-safe. “The system should be built in way that assumes all other services will eventually fail and backups will be required,” Nel says.

Take the巴尔的摩城市ransomwareattack that recently hit, Hamid says. “The city confirmed that not all of the mission critical data was backed up. Without paying the ransom or the ability to decrypt, the data is gone forever. Incremental offsite backup isso important, yet often overlooked.”

Hamid says ransomware is all over the market. “Businesses do their best to hide it from their customers and the community. But, coming from the team that cleans up the mess afterwards, I can tell you it is more prevalent than most people think.”

6. Bring Your Own Device (BYOD) threats

Bring your own device policies are popular in many companies, according to Douthwaite. BYOD lets employees use their own machines for work in office or remotely to make things easier. “But many business leaders don’t appreciate the unique threats that a BYOD environment can invite into their organizations,” Douthwaite says.

“A few common-sense steps can better protect business networks from threats related to BYOD.” Some of these measures could be role-based access, enabling two-factor authentication and enacting network access controls to ensure all devices remain continuously updated. Douthwaite says requiring strong employee passwords and having an exit process to clear ex-employee devices of company data should also be a must.

7. Lack of a corporate security program

“One surprisingly prevalent issue that companies face when it comes to security is their lack of a formal corporate security program,” Jackson says. “Every company, no matter the size, should have a corporate security policy outlining acceptable use, incident response, physical security and at least a dozen more areas.”

She says this proactive approach to cyber security is the missing ingredient with many businesses. “I wish the average business executive understood that not having an effective cyber security program in place within their business puts them at great risk of an attack or data breach.”

8. Treating cyber security like an IT issue instead of a financial issue

Many business leaders still treat cyber security like an IT issue, when these days, it’s really about the bottom line. “At its core, cyber security attacks are a financial issue,” Douthwaite says. “Data shows that the average cost of a data breach is about $4 million.”

Nel says they’ve learned that companies with strong cyber security treat it as a “way of life,” mixing it into every part of the business. “In essence, it is a business risk mitigation exercise that requires strategic thinking and ongoing tactical actions.”

This necessitates employee training. Nel says training end users in basic cyber security is the most effective and cheapest way to protect an organization.

9. Lack of representation on the board

Many companies haveveryrobust policies and procedures for their business processes, according to Braden Perry, cyber security attorney withKennyhertz Perry, LLC。“That is something sophisticated board members can understand. But IT is a different language for a businessperson, and unfortunately, most board members ignore or defer these issues.”

Perry says even a business IT department with an amazing, proactive plan for information security might never get the resources and backing they need since board members don’t understand cyber threats.

“It’s becoming more important, and almost imperative, that a board has an experienced IT or cyber security liaison to translate the IT language into business and vice versa,” Perry says, adding that when he is hired to investigate a problem, it’s usually an issue the business could have resolved on its own, if it had better communications between the IT department and senior leadership.

需要年代tay on top of cyber security

“Cyber security can no longer be ignored by organizations,” Raske says. “A ransomware attack alone could lead to business-threatening downtime, negative PR, lost customer data and lost revenue. There are over 6 million data records stolen every day.”

And unfortunately, very little can be solved long-term by a single program. Anyone engaging in cyber security needs the time to stay on top of industry changes. “Cyber security threats and sophistication change more than a new baby’s diaper,” Hamid says. “Without having someone who is constantly learning and adapting to these changes, you are inevitably falling behind and becoming increasingly susceptible to attack.”

Existing systems admins and DevOps professionals do not have the time to properly manage and run cyber security, Nel says. “It needs to be handled like finance or operations or any other part of the business with ongoing responsibilities.”

But as several of our experts have noted, great cyber security professionals are in short supply. While that’s an uneasy fact for those running businesses, it could also be a boon for those who’ve dedicated themselves to this field. If reading this list hooked your interest—you could be just the kind of candidate they’re looking for.

Learn more about the qualities you’ll need to succeed in the field in our article, “8 Signs You’re Wired for Working in a Cyber Security Career。”