An IT security gap is a vulnerability that malicious actors can exploit in a company’s cyber security defences. Gaps in IT security represent the difference between a company’s current cyber security posture and their desired (or, in many cases, to achieve compliance, required) implementation of security policies and controls.
Let’s look at some of the most common IT security gaps companies must address to better protect their data and assets and the importance of performing an IT security gap analysis.
What is an information security gap analysis?
An information security gap analysis, or IT security gap analysis, is the process of identifying vulnerabilities in your company’s cyber security defences and developing strategies for rectifying them. The purpose of an information security gap analysis is to compare the policies and controls you currently have in place against what you should have in place. If you’re using a framework or regulation, like NIST 800-53 or GDPR, as a guide for implementing your cyber security measures, an IT security gap analysis will reveal what you’re missing to match its requirements.
An information security gap analysis typically involves the following steps:
- Determine your required cyber security posture: identify the ideal set of cyber security policies and controls you need to have in place based on your company’s attack surface. This could be based on requirements devised by your IT and security teams or on a cyber security framework with which you aim to comply.
- Analyse your current processes, policies and controls: conduct a detailed analysis of your current cyber security measures. Gather as much data as possible on your current cyber security processes, policies and controls and their efficacy.
- Compare your current cyber security posture to your ideal posture: evaluate how your current information security measures compare to your required defences and determine the action you need to take to close the gap.
- Develop an implementation strategy: create a detailed strategy for addressing the IT security gaps you’ve identified during the analysis.
Upon completing the information security gap analysis, you can prioritise the IT security gaps you’ve discovered and begin implementing the required controls to address them.
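The four steps above map naturally onto a small script: a required posture, a recorded current state, a comparison, and an ordered remediation list. The example below is added here and is not from the article; the control IDs and names are loosely modelled on NIST 800-53 families, but the criticality weights, the coverage figures and the 95% coverage threshold are constructed sample data.

```python
"""Added example (not the article's own): a minimal control-gap analysis.
Required controls, weights and current coverage are constructed sample data."""
from dataclasses import dataclass

# Step 1: required posture.  IDs follow NIST 800-53 naming loosely; the
# criticality weights (1-3) are constructed for this example.
REQUIRED_CONTROLS = {
    "AC-2": {"name": "Account management", "criticality": 3},
    "IA-2": {"name": "Multi-factor authentication", "criticality": 3},
    "SI-2": {"name": "Flaw remediation (patching)", "criticality": 3},
    "SI-4": {"name": "System monitoring", "criticality": 2},
    "CM-7": {"name": "Least functionality (software allow-listing)", "criticality": 2},
    "AT-2": {"name": "Security awareness training", "criticality": 1},
}

# Step 2: current state as a security team might record it after reviewing
# its policies and controls.  'coverage' is the share of in-scope assets on
# which the control is actually enforced (0.0 - 1.0).  Constructed values.
CURRENT_STATE = {
    "AC-2": {"implemented": True, "coverage": 1.0},
    "IA-2": {"implemented": True, "coverage": 0.4},   # MFA only on the VPN so far
    "SI-2": {"implemented": True, "coverage": 0.7},
    "SI-4": {"implemented": False, "coverage": 0.0},
    "AT-2": {"implemented": True, "coverage": 0.9},
    # CM-7 is absent entirely: nobody has assessed it yet.
}


@dataclass
class Gap:
    control_id: str
    name: str
    criticality: int
    coverage: float

    @property
    def risk_score(self) -> float:
        # The gap is the uncovered share weighted by criticality: a missing
        # critical control scores 3.0, a fully covered one scores 0.
        return round(self.criticality * (1.0 - self.coverage), 2)


def find_gaps(required, current, threshold=0.95):
    """Step 3: compare current posture to required posture; most severe first.
    A control the current-state review never assessed counts as not implemented."""
    gaps = []
    for cid, spec in required.items():
        state = current.get(cid, {"implemented": False, "coverage": 0.0})
        coverage = state["coverage"] if state["implemented"] else 0.0
        if coverage < threshold:
            gaps.append(Gap(cid, spec["name"], spec["criticality"], coverage))
    return sorted(gaps, key=lambda g: g.risk_score, reverse=True)


def implementation_plan(gaps):
    """Step 4: an ordered remediation list, one line per gap."""
    return [f"{g.control_id} {g.name}: coverage {g.coverage:.0%}, risk {g.risk_score}"
            for g in gaps]


if __name__ == "__main__":
    for line in implementation_plan(find_gaps(REQUIRED_CONTROLS, CURRENT_STATE)):
        print(line)
```

Running it lists system monitoring and software allow-listing first (neither is in place), then the partial MFA rollout, and drops account management entirely because it is fully covered. Replacing the dictionaries with an export from your GRC tool or a spreadsheet is the only change needed to use it on real data.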
8 gaps in cyber security that a company must address
Let’s turn our attention to eight of the most common IT security gaps businesses must tackle.
Not being prepared
The first and most glaring IT security gap a company can have is not being prepared for the large and growing array of cyber attacks it’s exposed to. If you’re not prepared for a cyber threat, you can’t hope to mitigate it – so, in reality, not being prepared opens the door for every other IT security gap. Your company’s entire cyber security risk mitigation strategy relies on being prepared. It’s crucial to know the size of your attack surface, where you’re most vulnerable, the full range of cyber threats your company faces, and the risk that each threat poses.
Not actively looking for cyber threats
While not being prepared for cyber attacks is a security flaw, not actively looking for breaches is also a significant IT security gap. Consistently looking out for cyber threats means adopting the mindset that security breaches are not only inevitable but that one has already taken place. Subsequently, you need to determine how the malicious actor breached your defences, which of your assets they have access to, and the extent of the damage they’ve potentially caused – before they have a chance to move laterally across your network.
Actively looking for cyber threats gives your security teams a chance to identify breaches quickly and, at the very least, minimise the malicious activity carried out by cybercriminals. To persistently look for security breaches, security teams need to use vulnerability scanners, intrusion prevention systems (IPS), and other continuous monitoring tools to constantly assess the security posture of their network.
Unpatched software and firmware
Cybercriminals are fond of exploiting vulnerabilities in software and firmware to infiltrate a company’s network, so consistently applying patches and updates that vendors provide is a fundamental aspect of information security management. The most efficient way to address the IT security gaps caused by unpatched software is to create a patch management process. This involves:
- Becoming familiar with your software developers’ and hardware manufacturers’ typical update release schedule.
- Creating a series of policies and processes for discovering and installing patches.
- Documenting every patch and fix you install, as well as any consequences of installing the update.
- Making use of automatic software updaters whenever possible.
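The discovery and documentation steps of such a process can be scripted against an asset inventory. The example below is added here and is not the article's or any vendor's tooling; every host name, product, version and advisory in it is constructed sample data, and the "fixed version" mapping stands in for whatever advisory feed your vendors actually publish.

```python
"""Added example (not from the article): finding hosts that are behind the
vendor's fixed version and logging each patch that is applied.  All hosts,
products, versions and advisories below are constructed."""
from datetime import date


def parse_version(v: str) -> tuple:
    """'7.4.12' -> (7, 4, 12) so that versions compare numerically,
    not as strings ('9.10' must sort after '9.9')."""
    return tuple(int(p) for p in v.split("."))


# Constructed stand-in for vendor advisories: product -> first fixed version.
ADVISORIES = {
    "openssh":      {"fixed": "9.8",    "severity": "high"},
    "nginx":        {"fixed": "1.25.4", "severity": "medium"},
    "firmware-nas": {"fixed": "2.1.0",  "severity": "critical"},
}

# Constructed inventory snapshot (an IoT-style NAS appliance is included so
# that firmware is tracked alongside ordinary software).
INVENTORY = [
    {"host": "web-01",  "product": "nginx",        "version": "1.24.0"},
    {"host": "web-02",  "product": "nginx",        "version": "1.25.4"},
    {"host": "bastion", "product": "openssh",      "version": "9.6"},
    {"host": "nas-01",  "product": "firmware-nas", "version": "2.0.3"},
    {"host": "dev-box", "product": "openssh",      "version": "9.9"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def missing_patches(inventory, advisories):
    """Discovery: hosts whose installed version is older than the fixed
    version, most severe first.  Products with no advisory are skipped."""
    findings = []
    for item in inventory:
        adv = advisories.get(item["product"])
        if adv is None:
            continue
        if parse_version(item["version"]) < parse_version(adv["fixed"]):
            findings.append({**item, "fixed": adv["fixed"],
                             "severity": adv["severity"]})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


PATCH_LOG = []


def record_patch(host, product, from_version, to_version, outcome, when=""):
    """Documentation: one log entry per patch, including any consequence
    observed after installing it ('ok', 'service restart needed', ...)."""
    entry = {"date": when or date.today().isoformat(), "host": host,
             "product": product, "from": from_version, "to": to_version,
             "outcome": outcome}
    PATCH_LOG.append(entry)
    return entry


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']}: {f['product']} "
              f"{f['version']} -> {f['fixed']}")
```

With the sample data the NAS firmware is reported first, then the bastion's SSH daemon, then the web server; `web-02` and `dev-box` are already at or above the fixed version and are not listed. The numeric version comparison matters in practice: a naive string comparison would wrongly treat `9.10` as older than `9.9`.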
Internet of things (IoT)
With cyber security experts predicting that over 30 billion IoT devices will be in operation by 2025, the internet of things is one of the fastest-growing IT security gaps. IoT devices increase the number of remote devices on a company’s network, increasing the size and complexity of its attack surface. However, IoT devices often present a more exploitable vulnerability than other endpoints for several reasons:
- Manufacturers often prioritise releasing IoT devices quickly (and before their competitors) over ensuring they’re secure.
- Some devices lack the computing capability to feature firewalls or antivirus software.
- The firmware in IoT devices often uses open-source software with known vulnerabilities.
- IoT devices aren’t patched as frequently – some manufacturers don’t release updates at all.
- Even if a patch is available, some IoT devices are difficult to access in order to install the update.
- Billions of IoT devices mean trillions of sensors that generate massive amounts of data. This can make monitoring, and, subsequently, securing IoT devices difficult.
- Companies neglect to change the weak, default passwords that come with IoT devices, making them easy to hack.
Choosing the devices you add to your network carefully is crucial to address the security gap caused by IoT devices. Opt for devices reputed to be secure and for which their manufacturers frequently release updates. Subsequently, make sure IoT devices are included in your patch management process.
Employees
The risk of a security breach caused by an employee is another common category of IT security gaps that companies must deal with. On one hand, an employee could have malicious intent, such as an aggrieved employee stealing or deleting data before leaving the company. Similarly, an employee may have found a new job and been tasked with exfiltrating sensitive data by their new employer.
Alternatively, a data breach could be accidental and caused by negligence rather than malice. The best example is an employee falling victim to a phishing attack and being tricked into revealing login details that a cybercriminal then uses to infiltrate a company’s network.
Security teams must mitigate employee risk with proper access control, ensuring that only individuals with the appropriate permissions can access data. Security measures like multi-factor authentication (MFA) can help prevent cybercriminals’ unauthorised access. If a company implements MFA, a malicious actor won’t have the second factor needed to access its network – even if they successfully steal an employee’s credentials in a phishing scam.
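To make the MFA point concrete: below is an added example, not code from the article, of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) generated from a secret held by the user's authenticator. The user record, password, salt and shared secret are constructed (the secret is the RFC's own test key); a production system would use a vetted authentication library rather than this hand-rolled version.

```python
"""Added example (not from the article): password + TOTP second factor.
Shows that a phished password alone does not authenticate."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the stored password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second time-step counter, then the
    RFC 4226 dynamic truncation to a 6-digit code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user record.  The TOTP secret is the RFC 6238 test vector key;
# a real secret is random and provisioned once to the user's authenticator.
SALT = b"constructed-salt-for-example"
USER = {
    "name": "alice",
    "pw_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user, password: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """Both factors must pass.  Constant-time comparisons avoid leaking which
    factor failed through timing; one step of clock drift is tolerated."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    if not pw_ok or code is None:
        return False
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(user["totp_secret"], now + drift), code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    current = totp(USER["totp_secret"], now)
    print("password only:      ", authenticate(USER, "correct horse", None, now))
    print("password + code:    ", authenticate(USER, "correct horse", current, now))
    print("wrong password+code:", authenticate(USER, "wrong", current, now))
```

The phishing scenario from the text is the first line of output: the correct password with no code is refused. Note that a code is only good for about a minute, so a credential harvested today is useless tomorrow even if the attacker also captured a code; phishing kits that relay codes in real time are the reason phishing-resistant factors (FIDO2 security keys) are preferred where available.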
Devices
Devices are common targets for cybercriminals because they offer several ways to infiltrate a company’s network. Devices also represent a growing IT security gap for several reasons, namely:
- The unprecedented explosion in remote and hybrid working conditions;
- Mass migration to cloud environments;
- The explosion in the use of mobile devices.
These factors have resulted in increasing numbers of devices falling outside a company’s traditional network perimeters. As a result, security teams must be more creative and diligent about securing the devices on their network. This includes:
- Strengthening email security to prevent phishing and other social engineering attacks;
- Implementing robust access control management;
- Developing a patch management process to ensure vulnerabilities in applications are consistently addressed;
- Preventing users from installing unauthorised software: IT can’t monitor applications they’re unaware of, so they also can’t mitigate any cyber threats caused by the software;
- Preventing users from installing unauthorised hardware, a.k.a. “bring your own device” (BYOD).
Not making changes after a security breach
A security breach is a major wake-up call, so failing to make changes after malicious actors infiltrate your company’s network is one of the most costly mistakes you can make. Firstly, just as cyber security experts share information, cybercriminals do too! Consequently, if you don’t completely contain the breach and improve your cyber security measures accordingly, there’s a good chance you’ll be targeted by other malicious actors who’ve become aware of your company’s security vulnerabilities.
Just as importantly, suffering a security breach highlights that your cyber security defences are insufficient and need re-evaluation. Plus, chances are, in addressing the problem that caused the breach, you’ll discover other flaws and areas where you need to implement or improve your security policies and controls. So, by not heeding the strong warning given by a security breach, you’re purposely leaving gaps in your cyber security.
Not staying up to date with new cyber threats
As mentioned above, being unprepared for cyber attacks is a major IT security flaw, and a fundamental aspect of being prepared is staying up to date with emerging cyber threats. Unfortunately, cybercriminals never rest on their laurels and are always developing new methods of breaching companies’ IT security measures and profiting from their malicious activity. Consequently, if you aren’t consistently looking to improve your cyber security posture, you’re falling behind – and your policies and controls are already practically obsolete.
In light of this, it’s vital to develop a process for constantly gathering the latest cyber threat intelligence. This can include:
- Keeping up to date with cyber security news – especially related to your industry
- Reading blogs on the latest cyber security measures
- Following vulnerability threads and forums
- Attending cyber security events – whether in person or through live feeds and webinars
- Consulting white hat hackers and cyber security freelancers
You could even “gamify” the process of collecting threat intelligence to inspire your security teams. This could involve a part of your weekly team meeting where every team member shares the most interesting cyber security news they’ve discovered in the past week. Better still, the person with the most valuable insight can be awarded a voucher or something similar to incentivise the team to look for the most salient cyber security news.
RiskXchange can help you manage any and all security gaps
We can help you pinpoint all your company’s IT security gaps and advise on the most effective ways to address them and strengthen your cyber security measures. Contact us for your free, comprehensive attack surface assessment.