What enterprises should do when helpless employees lose hope in fighting cyber attacks

What is the victim mentality and how can enterprises avoid it?

Page 2 of 2

To support an empowered and resilient team, test and prove the theory that when basic security measures are consistently applied, they make it harder for the relatively rare attacks by APTs, zero-day exploits, and nation states to succeed. “Organizations need to stop worrying about APTs and zero-day exploits,” says Cowperthwaite, “and start patching vulnerabilities that they’ve known about for years.”

While enterprises can locate available patches with the help of the given software vendor, they may also want to use a patch management software package to ease the process of patching their many systems. There are many patch management products available; a few of them include Desktop Central from ManageEngine, Lumension’s Patch & Remediation, and LabTech’s product of the same name.

In addition to patching software vulnerabilities, basic security measures include hardening systems so that no ports or services are open or running unless they are necessary for the system to do its job. Most popular OS vendors such as Microsoft, Red Hat, and Apple, and security organizations such as the NSA, SANS Institute, and NIST, publish detailed hardening instructions that are freely available. In addition, there are enterprise policy managers and auditing software packages that automate hardening across systems and platforms.

Keeping firewalls up to date is another element of basic security. The enterprise should stay in contact with the vendors that support its hardware, software, network firewalls, NGFWs, WAFs, or any other firewalls, to receive and apply necessary updates and upgrades as they become available. Where there is a new security update, even for a firewall, there is an old vulnerability it must close and an attacker who knows how to leverage it if the enterprise does nothing.

Lead where you intend to

Avoiding the victim mentality starts and ends with leadership. Enterprises that don’t appoint some sort of security czar at the C-level who is directly accountable to the CEO and the board may be inviting victimization by cyber hoodlums.

There’s a saying that “you can’t lead where you won’t go”. The opposite is also true: you will lead where you do go, and people will follow. If the example is that security is not important, that the enterprise is ill-equipped to deal with information compromise, and that attackers will routinely prevail, employees will follow that lead, likely with a bad case of learned helplessness.

Copyright © 2015 IDG Communications, Inc.
