Data breaches and cyber attacks continue to rise, yet companies of all sizes make the same mistakes when it comes to protecting themselves against incoming cyber threats.
Organizations often find themselves taking a reactive approach to cybersecurity, rather than implementing an overarching preventive strategy.
We’ve found that protecting companies against cyber attacks requires a multi-layered approach, from education to monitoring to getting the right tools in place.
Below, we’ll look at five of the most common mistakes that organizations need to avoid to keep data, customers, and employees safe online.
1. Lack of Cybersecurity Culture
Cyber attacks are a news cycle staple these days, but many people are in denial about their own susceptibility. A great way to make sure that your company data is protected is to create a culture where cybersecurity is an ongoing part of the conversation.
When employees and guests haven’t been trained on how to stay safe online, they’re unlikely to think about their habits beyond the basics—think clicking suspicious links or downloading files on company desktops.
It’s essential to approach this change as a top-down initiative. Leadership needs to treat cybersecurity like the business priority it is. That doesn’t necessarily mean that the non-technical leadership and employees need to learn all of the technical details associated with cybersecurity, but it does mean they need to know some best practices.
- Stay up-to-date on the latest threats: It’s better to take a proactive approach in adding new protections, rather than reacting after an attack takes place.
- Make communication a priority: Don’t send lengthy memos; instead, schedule short meetings—and keep the mood light. People will be more inclined to listen when the message is approachable.
- Schedule routine follow-ups: Meet quarterly to discuss new threats and refresh best practices.
Changing employee habits might sound overwhelming, especially at enterprise scale. But training sessions for everyone from the CEO to HR and beyond can help underscore the importance of taking cybersecurity seriously.
Even if you can’t mitigate every single risk, if employees walk away with a greater understanding of potential threats and how to spot them, that’s a significant step in the right direction.
2. Not Managing Devices or Networks Properly
Devices pose something of a security blind spot for companies. These days, everyone has a smartphone, plus an assortment of fitness trackers, laptops, tablets, and other IoT devices that connect to wireless networks.
A BYOD (bring your own device) policy is a cost-saving convenience for smaller companies that might not have the budget to keep up with the latest technologies.
However, larger organizations need to tread carefully with BYOD. Employees might not think twice about downloading a file on their own device, whereas they might be more careful about the sites they visit and the links they click on a company-owned device.
What type of data does your company generate and use? If your company deals with legal or medical records, you may need more protection than a company that makes marketing software. One of the biggest blind spots we run into is that companies don’t have a clear picture of what sensitive data they have and, as a result, don’t know what they need to do to protect it.
It’s worth pointing out that unless you have some kind of lockdown policy in place, employees will bring their phones, computers and devices to work. That’s just the world we live in today.
As such, here are a few things you can do to ensure unsanctioned devices aren’t putting your system at risk.
Encrypt Sensitive Info
Encrypting data is a great way to protect your organization from incoming threats. Make sure you encrypt data both at rest and while in transit.
On top of encryption, you’ll want to also make sure that access is restricted and that users and devices are authenticated.
You may also want to consider incorporating an audit trail that keeps track of who has accessed the data at any given moment.
Finally, keep up with deprecation. Several protocol versions still found in use today (SSL 3.0, TLS 1.0, TLS 1.1) are deprecated and have known practical attacks against them, so they should be disabled in favor of TLS 1.2 or later.
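As an added example (not code from the original article), here is what "keeping up with deprecation" looks like in a Python client: a hardened TLS context that refuses anything below TLS 1.2, a legacy context of the kind the paragraph warns about, and a small audit function that flags a context whose floor is too low or whose certificate checks are off. The function names and the audit rules are this example's own choices.

```python
"""Hardened versus legacy TLS client settings, with a small audit check.
Added example; not code from the original article."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1 and requires
    a valid server certificate for the expected hostname."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # set explicitly, whatever the defaults
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed for contrast: a context that accepts the oldest protocol
    version the underlying OpenSSL build supports, so negotiation can fall
    back to the deprecated versions listed in the text."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes.
    TLSVersion is an IntEnum, so versions compare numerically and
    MINIMUM_SUPPORTED (-2) also counts as below TLS 1.2."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is deprecated; "
            "require TLS 1.2 or newer"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    return findings


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, minimum_version_name(ctx), audit_context(ctx) or "OK")
```

The same `minimum_version` setting applies to server-side contexts, and the audit is the kind of check worth running over every context an application builds rather than trusting library defaults, which differ between Python and OpenSSL versions.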
Set Up Network Segregation
Whether this is done virtually or physically, it’s a good idea to separate unmanaged devices from the corporate network. Many attackers find their way into the company network by exploiting unprotected wireless devices.
Keep Track of Devices
Make sure you continually scan your system for any devices that connect to WiFi, be they wireless headphones or unknown laptops.
This is part of a process called Asset Lifecycle Management, which involves managing the cost, performance, and risks associated with an organization’s devices and network.
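One way to turn "continually scan for devices that connect" into a routine check, as an added example that is not part of the original article: parse the DHCP server's lease table and report every device whose hardware address is missing from the asset inventory. The lease lines below are constructed in the dnsmasq lease-file layout, and the inventory is a hypothetical stand-in for whatever the asset lifecycle management system holds.

```python
"""Spotting unknown devices from DHCP leases (added example, not from the article)."""
from dataclasses import dataclass

# Constructed sample in the dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1717000000 aa:bb:cc:00:00:01 10.0.10.21 fin-laptop-07 01:aa:bb:cc:00:00:01
1717000300 aa:bb:cc:00:00:02 10.0.10.22 printer-2f 01:aa:bb:cc:00:00:02
1717000600 de:ad:be:ef:10:20 10.0.10.23 * 01:de:ad:be:ef:10:20
garbled line that should be skipped
1717000900 aa:bb:cc:00:00:03 10.0.10.24 Galaxy-Buds *
"""

# Hypothetical asset inventory: MAC address -> asset tag and description.
INVENTORY = {
    "aa:bb:cc:00:00:01": "LT-0007 finance laptop",
    "aa:bb:cc:00:00:02": "PR-0002 second-floor printer",
}


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list:
    """Parse lease lines, skipping anything that does not fit the layout
    so one malformed line cannot hide the rest of the report."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        _expiry, mac, ip, hostname, _client_id = parts
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def unknown_devices(leases, inventory=INVENTORY) -> list:
    """Leases whose MAC address is not in the inventory: unsanctioned devices."""
    return [lease for lease in leases if lease.mac not in inventory]


def report(text: str = SAMPLE_LEASES) -> list:
    """(mac, ip, hostname) for every unknown device in the lease table."""
    return [(l.mac, l.ip, l.hostname) for l in unknown_devices(parse_leases(text))]


if __name__ == "__main__":
    for mac, ip, hostname in report():
        print(f"unknown device {mac} at {ip} ({hostname})")
```

One caveat for real deployments: modern phones and laptops randomize their Wi-Fi MAC address per network, so a MAC-keyed inventory will produce repeat "unknown" entries for the same device; an 802.1X or certificate-based identity is a more reliable key where it is available.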
Eliminate Unsecured Networks
WiFi hotspots are attractive for a reason. There’s no need to enter authentication to get connected. For hackers, this convenience creates an easy opportunity to gain access to unsecured devices on the same network.
One of the biggest threats here is the ability for the hacker to run a man-in-the-middle attack, which allows the hacker to intercept information that the user thinks they’re sending elsewhere. In this set-up, the hacker can gain access to personal information from credit card details to email passwords and more.
While unsecured WiFi presents a threat to anyone using the network, the stakes are even higher for enterprise organizations with unsecured networks. If employees log on with laptops, they might access your cloud storage system, payroll software, or another application containing sensitive information.
3. Only Protecting Part of the Network
Another mistake that we see is companies relying only on anti-virus protection or thinking that a single firewall is sufficient to protect against threats.
Think about this: if just one employee in a large organization clicks the wrong link or opens a convincing attachment, it could compromise your entire system.
Often companies will try to combat this issue by blocking incoming files with .exe extensions. This type of file is often used as the payload of a phishing attack. While this might be an inconvenience for passing documents back and forth, exchanging information through Dropbox or another cloud storage solution is a decent workaround.
The problem with this solution is that it’s like playing whack-a-mole: you deny each threat as it attempts to break through, which means IT teams must constantly be on high alert, scanning for incoming malware.
A better solution is whitelisting: allowing certain file types and denying all others. This way, you grant permissions in advance, for specific trusted sources, making it a more effective way to keep threats from entering your company’s network.
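To make the denylist-versus-whitelist difference concrete, here is an added example (not code from the original article) that runs both policies over a few constructed attachments. The whitelist checks the file's leading bytes as well as its extension, which is the check a practitioner would want, since an extension alone says nothing about what the file actually contains. The file names, sample bytes and the particular approved types are this example's own choices.

```python
"""Denylist versus whitelist attachment filtering (added example, not from the article)."""
from pathlib import PurePosixPath

# The denylist approach described in the text: block .exe, admit everything else.
DENYLIST = {".exe"}

# The whitelist approach: name only the document types the business needs.
# Each extension maps to the leading bytes a genuine file of that type has,
# so a file whose content does not match its name is rejected too.
ALLOWLIST = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".docx": (b"PK\x03\x04",),  # Office Open XML is a ZIP container
}


def _extension(filename: str) -> str:
    return PurePosixPath(filename).suffix.lower()


def denylist_allows(filename: str) -> bool:
    """Reactive policy: admit unless the extension is on the denylist."""
    return _extension(filename) not in DENYLIST


def allowlist_allows(filename: str, header: bytes) -> bool:
    """Default-deny policy: admit only approved types whose content matches."""
    signatures = ALLOWLIST.get(_extension(filename))
    if signatures is None:
        return False
    return any(header.startswith(sig) for sig in signatures)


# Constructed sample attachments: (filename, first bytes of the file).
SAMPLES = [
    ("quarterly-report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice-details.js", b"var a = 1;"),
    ("team-photo.png", b"MZ\x90\x00\x03\x00"),  # content does not match the name
]


def compare_policies(samples=SAMPLES) -> dict:
    """Decision of each policy per file: {filename: (denylist, whitelist)}."""
    return {
        name: (denylist_allows(name), allowlist_allows(name, header))
        for name, header in samples
    }


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare_policies().items():
        verdict = lambda ok: "admit" if ok else "block"
        print(f"{name:22} denylist={verdict(deny_ok):5} whitelist={verdict(allow_ok)}")
```

The two files the denylist admits but the whitelist blocks are the point of the paragraph: a type nobody approved and a file that is not what its name claims both fall through a block-what-you-know policy and are stopped by an allow-what-you-need one.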
There’s also the issue of software. Some companies believe that anti-virus software alone will protect them from malicious files and data breaches. Some programs are better than others, but employees often forget to update their systems and organizations fail to patch as often as they should.
While patching is an issue we could talk about for days, the takeaway here is that organizations must implement a patch management strategy to prevent bad actors from taking advantage of software vulnerabilities.
Failing to patch puts organizations at risk of regulatory non-compliance or a data breach. One example of poor patch management is the Equifax breach. Hackers took advantage of a known vulnerability, despite the fact that a patch had been available for two months.
4. Confusion on Where the Data Lives
If your organization is like most companies, data is the backbone of everything you do. As such, you need to know where your sensitive information lives, how it is stored, and how it is exchanged, both internally and with outside sources like clients, customers, and vendors.
When you move data, you need to have detailed knowledge of where that data is traveling and who has access to it. Companies need to classify data based on sensitivity. For instance, you might break down different types of data as follows:
- Public: Data that isn’t sensitive. If this information got out, there would be little or no threat to the company.
- Confidential: Sensitive data that could put the company at risk. This type of data presents a moderate security risk but is generally accessible to all internal employees.
- Restricted: Restricted data is highly sensitive information that, if leaked, puts the organization at a significant risk.
If your policy states that any data containing personally identifying information is “confidential,” you can encrypt that information as it travels between employees or is shared with an outside source.
The best way to deal with mishandled data is a combination of education and technical controls. Users need to understand the “why” behind the policy and the responsibilities linked to keeping that information safe.
For example, you might restrict payroll data to those employees who need that information to do their job. In this case, you would implement a written policy for how employee records and payment details are supposed to be handled, educate the HR team on best practices, then install a secure payroll processing application.
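The three-tier scheme above and the payroll example can be expressed as a small policy engine. The following is an added example, not code from the original article: it assigns a level to a record from its field names and value patterns, checks a role's clearance against that level, and refuses to let confidential data travel unencrypted, as the paragraph on PII describes. The field names, patterns and role clearances are hypothetical, and the rule that restricted data never leaves the organization is this example's assumption.

```python
"""Classifying records and enforcing handling rules by level (added example)."""
import re
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2


# Hypothetical policy: these field names or value patterns decide the level.
PII_FIELDS = {"email", "phone", "home_address", "date_of_birth"}
RESTRICTED_FIELDS = {"salary", "bank_account", "ssn"}
PII_PATTERNS = [re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)]  # e-mail address
RESTRICTED_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]       # US SSN layout

# Highest level each role may read (hypothetical; payroll is HR-only, as in the text).
CLEARANCE = {
    "marketing": Level.PUBLIC,
    "staff": Level.CONFIDENTIAL,
    "hr": Level.RESTRICTED,
}


def classify(record: dict) -> Level:
    """Highest level triggered by any field name or value in the record."""
    level = Level.PUBLIC
    for key, value in record.items():
        text = str(value)
        if key in RESTRICTED_FIELDS or any(p.search(text) for p in RESTRICTED_PATTERNS):
            return Level.RESTRICTED
        if key in PII_FIELDS or any(p.search(text) for p in PII_PATTERNS):
            level = Level.CONFIDENTIAL
    return level


def may_access(role: str, record: dict) -> bool:
    """Unknown roles get public-only clearance (deny by default)."""
    return CLEARANCE.get(role, Level.PUBLIC) >= classify(record)


def may_transfer(record: dict, encrypted: bool, external: bool) -> bool:
    """Confidential and above must travel encrypted; restricted data stays internal
    (the latter is this example's assumption, not a rule from the article)."""
    level = classify(record)
    if level == Level.PUBLIC:
        return True
    if not encrypted:
        return False
    return not (level == Level.RESTRICTED and external)


if __name__ == "__main__":
    payroll = {"employee": "A. Smith", "salary": 82000}
    print(classify(payroll).name, may_access("hr", payroll), may_access("staff", payroll))
```

Classifying on value patterns as well as field names matters because sensitive data rarely arrives neatly labelled: a free-text "notes" column that happens to contain an identification number should be handled at the higher level, not the level its column name suggests.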
5. No Ongoing Monitoring System in Place
Network and device monitoring is more than a nice-to-have service; it’s prevention and protection. IT pros and organization leaders need to understand what’s going on in their systems at all times.
Given that security breaches make the news on a regular basis, organizations must embrace real-time system monitoring, so that they are aware of any unauthorized or malicious changes to the system.
Monitoring alone won’t save you from every possible security violation, but it will help you detect potential breaches early, identify system weaknesses, and help teams find the source of any violations.
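One concrete form of "being aware of unauthorized changes to the system" is file integrity monitoring: record a hash of every file that matters, then re-hash on a schedule and report what was added, removed or modified. The following is an added example, not code from the original article; it builds and compares baselines, and its `demo()` function stages the tampering in a temporary directory it creates itself (the paths and contents are constructed for illustration).

```python
"""Baseline-and-compare file integrity check (added example, not from the article)."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into the three change categories a monitor should alert on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline.keys() & current.keys()
            if baseline[path] != current[path]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF placeholder binary")
        baseline = build_baseline(root)

        # Three kinds of unauthorized change, each of which should surface.
        (root / "etc" / "app.conf").write_text("debug=true\n")   # edited config
        (root / "bin" / "helper").write_bytes(b"unexpected new file")
        (root / "bin" / "service").unlink()                      # binary removed

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9} {paths}")
```

In production the baseline is stored somewhere the monitored host cannot silently rewrite it (a separate server, or at least a signed file), and each change in the report is reconciled against change tickets; the ones nobody can account for are the early breach indicators the paragraph is after.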
We know how important it is to protect your organization from the full spectrum of cyber-threats from human error to targeted attacks, vulnerabilities, and more. If you have questions about protecting your network against cyber threats, contact Lockstep today.