In Part 1 of our “Paper CISO – Buyer Beware” series, we explored the risks of relying on advisors who lack real-world familiarity with how modern networks are designed, built and defended. Just to be clear, our goal wasn’t to discredit the entire virtual CISO model. There are many capable professionals in that space – former operators who pair deep technical knowledge with broad strategic insight. In our experience, however, those individuals are the exception, not the rule. We’ve seen this pattern repeatedly in the results of vulnerability assessments we perform for businesses across the country.
Part 2 was scheduled for release in December, but we had to push it back after our entire team was pulled into another security incident. This time, it involved a manufacturing company referred to us following a ransomware attack. The attacker demanded $2 million to decrypt the company’s files. There were several strange things about that case, and we may share a full write-up on it down the line.
Now, back to the main topic. At Netwolf Cyber, we conduct in-depth vulnerability assessments for organizations of all sizes. For some clients, this serves as the foundation of an ongoing managed IT and cybersecurity partnership. For others, it’s a one-time “health check” on their internal team or outside MSP/MSSP. Either way, it’s fairly common to find that the organization already has a CISO, either internal or virtual, and that’s often where the story starts to get interesting.
After reviewing a stack of recent reports, here are the top three recurring security gaps we have observed:
1. Partial or No Multi-Factor Authentication (MFA)
You’re probably wondering how this is possible since every application seems to require an SMS text code or authenticator app these days. As it turns out, people don’t want to be inconvenienced by extra steps, especially the C-suite crowd! There’s this unspoken “rules for thee but not for me” mentality when it comes to adoption of inherently inconvenient safeguards. Email address and password combinations (“credentials”) leak on the Dark Web constantly, and without MFA, you’re handing the hackers your keys. It’s just like riding in a car; put your seatbelt on! These are the basics and should be one of the first items to verify and enforce on any good vCISO’s list.
2. Unpatched Workstations and Servers
We regularly find machines – workstations and servers – that haven’t seen a security patch or OS update in years. vCISO discussions with the executive team or board members tend to gravitate to risk scoring, quantification and bigger-picture strategy. Patching? It’s often assumed that everything is up to date, but studies show that over 80% of leaders later discover patches they thought were deployed never actually reached all endpoints.
3. Misconfigured Backup Systems
Backups are an essential part of any modern IT environment, but there is only one thing worse than not having them at all: thinking you have them when you really don’t. We see this way too often – systems that appear to back up data daily, yet the configurations are broken. Either there is a healthy connection in place but no data is being transferred, or there is no live connection at all. To a vCISO, simply hearing that company backups are in place and a Business Continuity and Disaster Recovery (BCDR) plan has been written is too often enough. The idea is to go beyond ticking boxes on a checklist and actually test backups periodically. And with the prevalence of ransomware attacks, your company will want to have immutable backups – the type that cannot be altered by anyone at all.
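As an added illustration (not Netwolf Cyber’s tooling), here is the kind of automated check that catches the two failure modes described above: a job that runs but transfers no data, and a job that silently stopped running. It assumes each backup set carries a small manifest (a hypothetical `manifest.json` with a run timestamp and per-file SHA-256 hashes) and that anything older than 26 hours counts as stale for a daily job; the sample backup sets are constructed in a temp directory.

```python
"""Backup health check: flags backups that exist on paper but not in practice."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MAX_AGE_HOURS = 26  # assumed policy: a daily job plus a little slack


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(backup_dir: Path, now=None) -> list:
    """Return a list of findings; an empty list means the backup set looks healthy."""
    now = time.time() if now is None else now
    findings = []
    manifest_path = backup_dir / "manifest.json"  # hypothetical manifest written by the job
    if not manifest_path.exists():
        return ["no manifest: cannot tell what the job was supposed to write"]
    manifest = json.loads(manifest_path.read_text())
    # 1. Freshness: did the job actually run recently, or did it quietly stop?
    age_h = (now - manifest["created"]) / 3600
    if age_h > MAX_AGE_HOURS:
        findings.append(f"stale: last backup is {age_h:.0f}h old")
    # 2. Completeness and integrity: was data really transferred, and is it intact?
    for name, expected in manifest["files"].items():
        p = backup_dir / name
        if not p.exists():
            findings.append(f"missing: {name}")
        elif p.stat().st_size == 0:
            findings.append(f"empty: {name} (job ran, nothing transferred)")
        elif sha256_of(p) != expected:
            findings.append(f"corrupt: {name} hash mismatch")
    return findings


def make_sample(healthy: bool) -> Path:
    """Build a constructed backup set in a temp dir (sample data, not a real job)."""
    d = Path(tempfile.mkdtemp())
    payload = b"accounting-db dump " * 100
    (d / "db.bak").write_bytes(payload)
    files = {"db.bak": hashlib.sha256(payload).hexdigest()}
    created = time.time()
    if not healthy:
        (d / "db.bak").write_bytes(b"")  # connection fine, but no data landed
        created -= 3 * 24 * 3600         # and the last run was three days ago
    (d / "manifest.json").write_text(json.dumps({"created": created, "files": files}))
    return d
```

A check like this belongs on a schedule with its findings routed to someone who is not the person running the backup job; a clean result still does not replace a periodic full restore test.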
While these three issues tend to be the most common, the list of findings is extensive. To mention a few in brief, we have seen outdated firmware on firewalls, missing antivirus software or general misconfigurations that have left endpoints unprotected, legacy protocols running that are still being exploited by the threat actors, and completely flat networks which, without proper segmentation, can allow hackers to move laterally once inside a company’s systems.
Bottom line: handing over your company’s security posture to a virtual CISO without any real oversight or independent checks is a recipe for trouble. If you’re relying on someone to keep you safe, make sure they’re actually doing the work (or at least know how) – and not just throwing around buzzwords and talking points.