Date: 2017-04-03

Success in today’s fast-moving business world hinges on innovation — and data is its lifeblood. But data-driven innovation faces escalating risks from attack types that are constantly evolving to uncover new vulnerabilities and, ultimately, steal valuable data.

Staying ahead of cybercriminals requires continually adapting and growing security controls and practices. Many businesses, though, aren’t heeding cybersecurity’s growing warning signs. In its latest Cybersecurity Insights report, AT&T notes that 50% of organizations have not updated their security strategy in more than three years.

We asked security experts and practitioners for their thoughts on the biggest challenges to protecting enterprise data in the face of ever-evolving cyberattack capabilities, and three themes surfaced.

Employees: Often the weakest link

All too often, cybercriminals can sidestep an organization’s security barriers through cleverly designed social engineering schemes. And these employee-targeted attacks are only growing in their effectiveness and intensity. In its report, AT&T states that its network detects and blocks more than 400 million spam messages daily. “The greatest challenge to enterprise security is the threat posed by social engineering attacks aimed at the enterprise's employees,” says Steve Gibson (@sggrc), president and CEO of Gibson Research Corp. “One mistake made by a well-meaning employee lured into clicking on a malicious link is all that's required to collapse an organization's otherwise bulletproof security.”

Robert Siciliano (@RobertSiciliano), CEO of IDTheftSecurity.com, agrees. “Without question the biggest challenge companies are facing is human hacking,” he says. “An organization can have the most robust technology to protect their infrastructure, but a Trojan horse in the form of a phishing email or a phone call could compromise any and all systems.”

Given that employees are often the weakest link, awareness training must be a cornerstone of cybersecurity preparedness. “Security awareness training in the form of phishing simulation is one of the best ways to tighten up and prevent breaches,” says Siciliano. But, he cautions, this approach is flawed and shouldn’t be seen as a solution for all security issues within the enterprise.