Enterprises spend countless amounts of time and money on sophisticated cyber security techniques. But sometimes the biggest security mistakes they make are hiding in plain sight. If you’re looking to keep your company as safe as possible from cyber attacks, here are five common security mistakes to avoid.
Mistake No. 1: Playing Fast and Loose with Admin Accounts
Your enterprise likely has plenty of admin accounts, giving some employees unfettered control over vital hardware and services. And that spells danger, says Rob Clyde, managing partner at Clyde Consulting and the chair of the board of directors for the non-profit ISACA information security organization.
Clyde calls admin accounts “the soft underbelly of every organization.” He explains, “Admins have full privileges and often have access to the keys to the kingdom in the virtual and cloud environments. That means a hacker who gains access to an admin account can literally take down an entire enterprise. And yet attacks targeted at admins are commonly overlooked.”
He recommends that organizations dial back on their number of admin accounts and make sure only those who need them, get them. He also suggests adding granular security, so that each account only gets access to the resources they truly need to do their work.
Finally, according to Clyde, enterprise should consider requiring secondary approval for some tasks, such as deleting all virtual machines or containers. That way, even if hackers gain access to an admin account, they won’t be able to do as much damage, because other admins in the organization have to sign off on high-risk actions.
Mistake No. 2: Forgoing a Comprehensive Risk Management Framework
Companies often build a set of security systems and procedures, but don’t take into account how cyber risks affect the entire organization. So cyber security is seen as purely a technical issue that requires attention from only the IT department, rather than the entire enterprise. The result? Enterprises are less secure because not every group and individual may be aware of cyber dangers and be on guard against them. So says Chris Dimitriadis, the past chairman of the ISACA Board of Directors.
Dimitriadis says a comprehensive risk management framework needs to clearly outline how cyber risks translate into business risks, and how they can affect the company. The stakes are high as organizations may risk millions of dollars in reputational costs and lost customer trust. That way, the entire company, from the board of directors on down, will be aware of risks and be more likely to avoid them.
Mistake No. 3: Not Patching
You’ve probably heard this one more times than you heard as a kid being reminded to eat your spinach - No matter: Make sure to keep your systems patched and up to date. Clyde and Dimitriadis both underscore the importance of what ought to be a routine part of a company’s preventive security routine. Yet too many organizations still forget to incorporate this as standard practice. There are countless examples of unpatched vulnerabilities leading to successful cyber attacks, with damages literally adding up to hundreds of millions of dollars.
“The bad guys know what all the vulnerabilities are —its public information,” Clyde says. “The exploits are out there for all to see and use on the Internet. So you’ve got to be vigilant in keeping systems up to date.”
Mistake No. 4: Ignoring IoT Device Security
It’s easy for companies to forget that their IoT devices, such as sensors and surveillance cameras, are a very large and very tempting target for hackers and can be easily exploited. Clyde says companies need to treat them with the same kinds of security as they do servers and other IT-related systems. That means not just making sure they’re protected by things like firewalls, but also keeping them patched and changing their default passwords.
Even that might not be enough, he says. IoT manufacturers are notorious for ignoring security, and some devices are inherently insecure — they might have default passwords that can’t be changed, or the devices can’t be automatically updated. So companies should check every IoT device they own, and if they can’t be kept secure, “Throw the device away and replace it,” Clyde says. In addition, companies should make sure any new IoT device they buy can be adequately protected.
Mistake No. 5: Skimping on Training
The best protection against hackers and data breaches is a workforce educated in cyber security dangers. But while this is the organization’s first line of defense, the vast majority of companies haven’t instilled a solid cyber security culture. Clyde points to a 2018 study by ISACA in which 95 percent of security professionals surveyed said there’s a gap between the security culture their company wants — and the security culture they have.
The best way to instill a culture of cyber security awareness is through training. And training doesn’t mean one-and-done seminars that employees reluctantly attend, and then immediately forget about. It means active, ongoing work.
“Anti-phishing training is particularly important because of how frequently it’s the way companies are breached,” according to Clyde. “For training to be successful, you’ll need to send non-harmful, phishing emails to employees and then measure how they responded. How many actually fell for the bait and clicked? And then do more training, until people respond properly.”