8 IT Security Fails that Put Businesses and Their Data at Risk
LFL Veritas thanks Evan Berk of Certus Technologies for sharing his expertise for this blog post.
Most conversations about IT security focus on highly sophisticated, well-financed cybercriminals and the advanced techniques they use to access and steal data. For example, zero-day threats are capable of exploiting a vulnerability on the same day the vulnerability is discovered – and before the victim knows their network has been compromised.
However, human error continues to be the weakest link in the IT security chain. Carelessness and laziness are responsible for as many high-profile data breaches as any cutting-edge approach to hacking. If you’re a cybercriminal, wouldn’t you rather let an authorized network user open the door to a company’s sensitive data instead of trying to break down the door yourself?
Here are eight of the most common IT security fails, caused by humans, that lead to costly data breaches.
1) Failure to Use Strong Passwords
Here are the five most common passwords according to research covering 10 million passwords involved in data breaches:
And people wonder why they’re hacked. Other common problems are failing to change the default passwords on new equipment and reusing the same password for every personal and business account. Passwords should be complex combinations of numbers, letters, and symbols, and they should be changed at least quarterly. Consider using a password manager to simplify this process.
2) Failure to Back Up Data
This is just as much about recovering from a hurricane, flood or fire as it is recovering from a data breach. Companies that don’t back up their data to an offsite location, such as the cloud, might never recover their data should disaster strike. Many newer backup solutions are capable of backing up your data in real-time. But they only work if you use them.
3) Failure to Use Business-Grade Technology
Off-the-shelf hardware and free software don’t have the security features of business-grade technology. Consumer-grade security software wasn’t designed for a business environment. Because many of these tools don’t meet minimum regulatory compliance standards, simply using them can result in a costly compliance violation, even if no data breach occurs.
4) Failure to Update Software
“If it ain’t broke, don’t fix it” shouldn’t apply to technology. Old software, applications and operating systems that have reached their end of life or are being used without IT’s knowledge or approval may not be receiving critical security updates. Knowing this, hackers will often target outdated technology because it provides the path of least resistance.
For example, the Petya ransomware attack of 2017 primarily targeted unpatched computers running Windows 7. Software on all computers, both servers and workstations, should be kept updated.
5) Failure to Spot Scams
Most people know that the distant uncle from across the ocean who wants to wire you $25 million is a scam artist. However, hackers have become master manipulators. They pose as executives, bank representatives, bill collectors, technical support and other seemingly legitimate individuals or entities, complete with company logos and professional design.
But it’s not just phishing emails. Scams are carried out through social media, pop-ups and fake websites. Employees should never download attachments or click links from unknown or suspicious senders, and all such messages and content should be reported.
6) Failure to Recognize the Dangers of Free, Public Wi-Fi
Mobility and the cloud have made it possible to work anywhere, anytime. That doesn’t mean you should work over any network you happen to find. Hackers can eavesdrop on public Wi-Fi networks, detect when someone signs on, and read data transmissions. Some hackers set up free hotspots for the sole purpose of stealing data, using a network name that seems legitimate.
Virtual private networks (VPNs) allow employees to connect securely to the company network over an untrusted connection, and websites using HTTPS encrypt data transmissions between the website and the browser.
7) Failure to Create and Update IT Policies
Most of these IT security problems would be solved by these final two points. First, IT policies are typically outdated or nonexistent, which creates obvious risk. Every business should have IT policies that explain the acceptable use of technology, how to control access to the network, proper procedures for storing and sharing data, disaster recovery, incident response and other topics.
8) Failure to Train Employees on IT Security
Once policies have been developed and adopted, employees need to be trained. They need to understand the consequences of irresponsible behavior. They need to learn best practices for IT security. They need to know how to spot a scam. They need to know how to report a security incident. They need to know how to recover data during an outage. If vendors access your network, they need to adhere to your IT policies as well.
Certus Technologies recommends that all organizations have an IT security assessment to identify strengths and weaknesses. A multi-layered approach to security that combines backup, anti-malware, firewall, encryption, monitoring and other tools will maximize protection. If you don’t have adequate in-house security expertise, LFL Veritas recommends partnering with an IT firm that can help you develop, implement and maintain a robust IT security strategy.