With the WannaCry ransomware and Petya malware attacks recently causing damage to organisations worldwide, even halting chocolate production at Cadbury's Hobart factory, security firm Bitdefender has urged organisations to assist IT teams in preparing for, and mitigating against, future attacks.
According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, organisations need to have mitigation in mind as it's a matter of when an attack happens, not if.
Speaking with ZDNet while visiting Sydney from Romania, Botezatu said organisations first need to understand what type of security they need and not overlook any aspect, while also trying to see through the noise, such as marketing buzzwords and an over-saturated cybersecurity industry.
"An enterprise has a diverse range of technologies ... all these are potential threats," he explained. "It's no use for you to have the best end-point security solution if your payment processor in the cloud is left open."
Botezatu said a standard IT team finds itself constantly under fire, and it's important that the responsibility doesn't just lie with them.
"They have external attacks, they have users inside who need technical support -- the IT team needs to always be on the lookout to help non-tech savvy departments ensure they don't shoot themselves in the foot by opening [an executable] promising kittens," he explained.
"They don't have time to monitor 60 security solutions ... because everything is on fire around them and their time needs to go to good use."
Because organisations, particularly in Australia, rely heavily on cloud-centric applications, most of an organisation's assets now sit outside the physical boundaries of its headquarters. As a result, Botezatu said, many organisations are running security solutions built for on-premises protection, and those solutions don't translate well into the virtualised world.
Despite claims that some organisations have employed services from over 80 security vendors, Botezatu said the majority of attacks start with some form of social engineering targeting an organisation's employees.
To Botezatu, education is an organisation's greatest defence mechanism.
"You need to encourage the user to adopt security best practices and to stay aware about what they're allowed to do with company property," he explained, noting it's better to speak with them in order to prevent, rather than to punish.
"This is probably the most basic security measure ... make them understand what you're trying to achieve."
Botezatu said that while educating the people within an organisation is free, in many organisations, the sentiment is falling on deaf ears.
"That's one of the issues with the industry, that most of the IT workforce is mobilised to plugging phones into the infrastructure rather than getting some coffee time with people to understand what they are trying to protect the organisation against," he said.
"Very few people would hazard to do stupid stuff on company resources if they knew they were harming the company, with the exception of disgruntled employees.
"People will lend you a helping hand to protect your organisation if you told them your organisation needs protecting, but usually, the IT guy comes among the masses saying, 'hey guys, you know nothing about security, you need to do that, that, and that -- otherwise I'm suspending you'."
He said individuals, as employees, need to be part of the cybersecurity effort rather than trying to outsmart the IT guy who has disallowed access to Facebook.
"I'm still waiting for when the CIO will have a solid place at the board table," he added. "It's not happening and the finance department is pulling all the strings."
Although estimates suggest an organisation should be spending 20 percent of its yearly revenue on cybersecurity-related initiatives or products, Botezatu said that is rarely the case.
It's a trend experienced globally, he added, especially in the public sector where the lowest bid always wins.