
    5 Common IT Operations Security Mistakes

    IT operations teams typically aren't responsible for designing secure software (developers do that) or assessing the overall security posture of their organizations (a task handled by security experts).

    But ITOps engineers are often on the front lines of security. It falls to them to deploy applications, monitor them for risks, and respond to security risks as they arise.

    To do that job well, ITOps teams must be aware of common security mistakes that can undercut the effectiveness of security operations. This article details five such risks and explains what IT operations teams can do to avoid them:

    • Lack of Across-the-Stack Security Monitoring
    • Ignoring Security Risks in SaaS Apps
    • Lack of Recovery Planning
    • User-Unfriendly Password Requirements
    • Overconfidence in MFA

    1. Lack of Across-the-Stack Security Monitoring

    Most ITOps teams recognize the importance of security monitoring. But a common security mistake is monitoring only certain stack layers.

    For instance, a team might monitor applications and the network for anomalies that could reveal security risks or attacks. But if they don't also monitor host servers, application orchestrators, API requests, and data storage resources, they lack the holistic visibility required to identify all security risks.

    The key to avoiding this mistake is to deploy comprehensive, full-stack security monitoring tools, then correlate all monitoring data to gain as much contextual visibility as possible into security risks.
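The correlation step described above, as an added example that is not part of the original article: it reports which stack layers produced no telemetry at all and flags any entity that raised signals on several layers within one time window. The event tuples, layer names, window size and threshold are constructed assumptions, not output from any particular monitoring product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Layers the article lists as needing coverage (names are this example's own).
REQUIRED_LAYERS = {"application", "network", "host", "orchestrator", "api", "storage"}

# Constructed sample events: (timestamp, layer, entity, signal).
EVENTS = [
    ("2024-05-01T10:00:05", "network", "10.0.0.7", "connection from unusual subnet"),
    ("2024-05-01T10:02:40", "application", "10.0.0.7", "burst of failed logins"),
    ("2024-05-01T10:04:10", "api", "10.0.0.7", "token used from new client"),
    ("2024-05-01T10:06:30", "storage", "10.0.0.7", "bulk object reads"),
    ("2024-05-01T10:03:00", "application", "10.0.0.9", "single failed login"),
    ("2024-05-01T13:00:00", "network", "10.0.0.9", "dns anomaly"),
]


def coverage_gaps(events, required=REQUIRED_LAYERS):
    """Return required layers with no events at all: quiet, or not monitored."""
    seen = {layer for _, layer, _, _ in events}
    return sorted(required - seen)


def correlate(events, window=timedelta(minutes=15), min_layers=3):
    """Flag entities with signals on >= min_layers distinct layers in one window."""
    by_entity = defaultdict(list)
    for ts, layer, entity, signal in events:
        by_entity[entity].append((datetime.fromisoformat(ts), layer, signal))
    findings = {}
    for entity, items in by_entity.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            # Everything for this entity that falls inside the window opened here.
            in_window = [e for e in items[i:] if e[0] - start <= window]
            layers = {layer for _, layer, _ in in_window}
            if len(layers) >= min_layers:
                findings[entity] = sorted(layers)
                break
    return findings


if __name__ == "__main__":
    print("layers with no telemetry:", coverage_gaps(EVENTS))
    for entity, layers in correlate(EVENTS).items():
        print(f"{entity}: correlated signals across {layers}")
```

Each signal for 10.0.0.7 looks minor on its own layer; only the combined view shows one entity touching four layers in under seven minutes.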

    2. Ignoring Security Risks in SaaS Apps

    SaaS applications are convenient because ITOps teams can use them without deploying or managing them.

    That doesn't mean, however, that ITOps engineers can ignore SaaS application security risks. Even when a third-party vendor fully manages an application, problems like insecure integrations between the SaaS app and internal systems or the storage of sensitive data inside SaaS apps that weren't designed for that purpose can place your business at risk.

    Vulnerabilities in third-party apps, such as security problems in SaaS email or calendar software, can also lead to major breaches inside your business if you aren't aware of them and fail to mitigate them before hackers reach your users.

    That's why it is essential to ensure that security monitoring and auditing extend to SaaS platforms and other third-party resources, not just the applications and infrastructure you deploy and manage directly.

    3. Lack of Recovery Planning

    Backing up data is one of the core steps toward protecting against ransomware.

    However, data backups are not very useful if you don't have a plan for recovering data quickly following a breach. It's a major cybersecurity mistake to assume you're safe from attack just because you have backups.

    Avoid this risk by creating playbooks that define precisely how to recover data following a breach. It can also be helpful to inventory your data to know which data assets you have and which backups are associated with them. This information can spell the difference between a data recovery process that takes hours and one that requires weeks or months to get production systems fully back online — a delay that would be unacceptable by most business continuity standards.
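One way to run the inventory check described above, as an added example that is not part of the original article: it cross-references a data asset inventory against a backup catalogue and lists everything that would slow a recovery. The asset names, playbook file names and the per-asset recovery objective (`rpo_hours`) are constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 1, 12, 0)  # fixed clock so the result is reproducible

# Constructed inventory: data asset -> recovery objective (hours of data the
# business can afford to lose; an assumption of this example) and playbook.
ASSETS = {
    "orders-db":  {"rpo_hours": 4,  "playbook": "restore-postgres.md"},
    "file-share": {"rpo_hours": 24, "playbook": "restore-nas.md"},
    "crm-export": {"rpo_hours": 24, "playbook": None},
    "audit-logs": {"rpo_hours": 24, "playbook": "restore-logs.md"},
}

# Constructed backup catalogue: backup job target -> time of last good backup.
BACKUPS = {
    "orders-db":  "2024-05-01T10:00",
    "file-share": "2024-04-28T02:00",
    "crm-export": "2024-05-01T03:00",
    "old-wiki":   "2023-11-02T01:00",
}


def recovery_gaps(assets, backups, now=NOW):
    """Return {name: [problems]} for every asset or backup that would slow recovery."""
    gaps = {}
    for name, meta in assets.items():
        problems = []
        last = backups.get(name)
        if last is None:
            problems.append("no backup on record")
        else:
            age = now - datetime.fromisoformat(last)
            if age > timedelta(hours=meta["rpo_hours"]):
                problems.append(f"last backup {age.days}d old, objective {meta['rpo_hours']}h")
        if not meta["playbook"]:
            problems.append("no recovery playbook")
        if problems:
            gaps[name] = problems
    # Backups nobody can tie to an asset are also a finding: at restore time
    # no one knows what they contain or whether they matter.
    for name in backups.keys() - assets.keys():
        gaps[name] = ["backup not mapped to any inventoried asset"]
    return gaps


if __name__ == "__main__":
    for name, problems in sorted(recovery_gaps(ASSETS, BACKUPS).items()):
        print(f"{name}: {'; '.join(problems)}")
```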

    4. User-Unfriendly Password Requirements

    For years, the lesson was drilled into ITOps teams that they should enforce strict password requirements for users. They were instructed to require passwords to be as complex as possible and to force users to update them early and often.

    Most standard password guidelines hold. But in recent years, there has been recognition that overly strict password requirements are a security mistake. If you make it unreasonably hard for users to manage passwords, they'll start doing things like writing them on Post-it notes that they paste to their monitors, which is exactly the opposite of what you want them to do.

    In fact, NIST revised its password guidance in 2020 to encourage user-friendly password policies. If your ITOps team hasn't re-evaluated its password requirements in years, now's a good time to do so.

    5. Overconfidence in MFA

    Placing too much faith in multi-factor authentication (MFA) is another common security mistake that ITOps teams can make.

    To be sure, requiring MFA is a best practice that can significantly reduce the risk of attack. However, the mistake that ITOps engineers may make is assuming that just because systems are protected with MFA, they're virtually immune to attack.

    The reality is that sophisticated attackers routinely find ways to circumvent MFA. Teams should require MFA where it makes sense, but they should treat MFA as just one additional layer of defense, not an iron-clad guarantee against breaches.

    The Key to Avoiding Security Mistakes: Be Proactive

    From overlooking SaaS security risks, to putting too much stock in strict passwords and multi-factor authentication, to ignoring critical security monitoring requirements and beyond, there are a variety of security mistakes that well-meaning IT operations teams can make when managing IT estates. Fortunately, these risks are easy to avoid or mitigate with a proactive security strategy.



    About the Author

    Kamal Rastogi is a serial IT entrepreneur with 25-plus years of experience. Currently his focus areas are the data science business, ERP consulting, IT staffing and Experttal.com (the fastest-growing US-based platform to hire verified, risk-compliant expert IT resources directly from talent-rich countries like India, Romania, the Philippines, etc.). His firms service clients like KPMG, Deloitte, EnY, Samsung, Wipro, NCR Corporation, etc. in India and the USA.
