Where is Your Business Most Vulnerable?
“There is no 100% security because software is fundamentally flawed.”

When it comes to cybersecurity, there is no such thing as being completely secure. But there are a few areas that are more slippery than others.
Breaches, more often than not, aren’t the result of highly sophisticated attacks, but rather of enterprises having too much software, a lack of network visibility, and human error, experts told CIO Upside.
“There is no 100% security because software is fundamentally flawed,” said Mieng Lim, VP of product management at cybersecurity firm Fortra. “You will find security vulnerabilities in any piece of software that you deploy, and the malicious actors are just that much more diligent at finding them.”
Missing software packages and software that hasn’t been updated are some of the most common and easily missed vulnerabilities that enterprises face, said James Cassata, cloud security architect at Myriad360.
- Open source or “off-the-shelf” software like Adobe, Mozilla Firefox or Google Chrome is so commonly used that malicious actors “see that as a highly priced target,” said Cassata. The question enterprises need to ask their workforces is whether they need all of the software they download, he said.
- If not, enterprises may want to consider a “self-serve model,” allowing individuals who use certain software to get it from company portals “versus pushing it out to everybody,” Cassata said. “If your employees or users don’t need all of this software, stop deploying it.”
Another major issue occurs when enterprises pick and choose what deserves coverage. Many companies don’t have full visibility of operations across their entire network, said Lim, or choose to protect only areas that are deemed business-critical, leaving other areas vulnerable. The widespread availability of cloud computing has only expanded the potential areas of attack, she added.
“Typically, it’s a resourcing issue,” said Lim. “They’re focused on protecting intellectual property, confidential data, etc. The problem with that is that many times devices have connectivity to each other, and if the proper access controls aren’t set up … a malicious actor could easily get access to those areas.”
The biggest attack vector, however, may be employees themselves, said Lim. According to data from security firm NordLayer, 68% of data breaches in 2024 involved human error. Because it’s difficult to govern human curiosity and anyone can fall victim, phishing attacks often still plague enterprises, she said. “There is an element of social engineering every time. It’s why scams have been so successful and continue to be successful.”
While companies can train their workforces to be more suspicious and have better “cyber hygiene,” many don’t take the time to consider security, opting instead to deploy shiny, new cybersecurity technology without a clear understanding of the fundamentals, said Lim.
“Those fundamentals are security awareness training, keeping security top of mind for those employees and staff members,” said Lim. “Give everything a second look, before taking action – it’s changing that behavior that is so hard. Otherwise there wouldn’t be scams happening all the time.”