Common cyber security mistakes made by enterprises and how to avoid them
Just a few years ago, cyber risk barely registered as a business risk; the rapid growth of technology and the spread of digitalisation have since opened the door to data and cyber security risks that surround us constantly.
Cyber risks are among the leading risks companies face in the modern digital era. A minor slip-up can let a malicious user breach a system or network and steal or corrupt data, causing substantial damage to companies and individuals alike.
Compromised data can lead to identity theft and abuse, financial theft and other damage. If the breach happens at a company, the effects are multiplied several times over. Beyond financial and data losses, the company is likely to lose its reputation among customers, partners and shareholders, which can prove fatal for the business.
Changes in the environment
The arrival of technologies like Artificial Intelligence (AI), Big Data, Blockchain, the Internet of Things (IoT) and cloud platforms has been a boon for business operations; however, the same technologies can also serve as a gateway that lets attackers into a network of systems hosting business-critical processes and data. The world has seen many types of attack, including email phishing, whaling, cryptojacking, DDoS and ransomware.
In 2017, the WannaCry ransomware attack affected over 200,000 computers in 150 countries and was estimated to have caused $4 billion in damages, crippling the operations of several companies. SamSam, TeslaCrypt and CryptoLocker are other well-known ransomware families, and the number of ransomware attacks shows no sign of slowing: ransomware was estimated to cost organisations $11.5 billion in 2019 alone.
However much one wants to stay clear of such attacks, somewhere something can go wrong and compromise a company's security, opening the way to a data breach.
Let us look at some of the common mistakes that can cost companies a security breach, and the measures that avoid them:
Weak passwords and loosely shared credentials
The purpose of a password is to let a user set a secret that only they know, so that only they can access the account or file it protects. Weak passwords that can be guessed or cracked easily are a clear 'no' for companies looking to safeguard their data and operations from unauthorised access. Loosely sharing passwords and other access credentials, for example a shared service account login passed around by email, likewise exposes companies and individuals to the risk of a breach.
Every company and every employee should be required to use strong, unique passwords, ideally with multi-factor authentication on top, and to follow the principle of least privilege: an account gets only the access its job requires, and nothing more.
Outdated software and security tools
As technologies evolve, some companies fail to keep their software and security tools updated. This was one reason WannaCry succeeded: it targeted computers running Microsoft Windows, and the companies at the centre of the attack were those that had not installed the MS17-010 security update Microsoft released in March 2017, two months before the outbreak.
It is essential for companies to update their software regularly and to maintain well-configured security software and firewalls protecting their networks, applications and websites. No product is foolproof, so patching known vulnerabilities promptly matters more than any single tool.
Too much concentration on perimeter protection
Having a high-end firewall and border defences is a good way to improve security; however, attackers are waging increasingly sophisticated attacks that can penetrate perimeter defences, and a phished employee or an infected laptop carried through the front door lands them inside just as well. Once inside, these bad actors can move towards critical information unchecked if the company's internal controls are not robust.
Companies should invest in defence in depth: intrusion detection and prevention systems, network segmentation, and monitoring of internal traffic that not only hinders unauthorised entry into the network but also flags anomalies within processes and systems, so that indicators of compromise are recognised and acted on early.
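One concrete form of the internal monitoring described above is watching for a single workstation reaching many other internal hosts on one port in a short time, the pattern a self-propagating worm such as WannaCry produces on TCP/445 and which a perimeter firewall never sees. The following is an added example written for this article, not code from the original page; the log lines are constructed, the 10.0.0.0/8 and 192.168.0.0/16 internal ranges, the threshold of ten hosts and the 60-second window are assumptions, and a real deployment would read its flow logs from the firewall or NetFlow collector instead.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall/flow log lines (not real traffic):
# timestamp, source IP, destination IP, destination port, action.
# 10.0.1.15 touches eleven internal hosts on TCP/445 within six seconds;
# 10.0.1.30 talks repeatedly to one file server; 10.0.1.31 browses the web.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 DENY
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445 DENY
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445 ALLOW
2017-05-12T10:00:04 10.0.1.15 10.0.2.7 445 ALLOW
2017-05-12T10:00:05 10.0.1.15 10.0.2.8 445 ALLOW
2017-05-12T10:00:05 10.0.1.15 10.0.2.9 445 DENY
2017-05-12T10:00:06 10.0.1.15 10.0.2.10 445 ALLOW
2017-05-12T10:00:07 10.0.1.15 10.0.2.11 445 ALLOW
2017-05-12T10:01:00 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:02:00 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:05:00 10.0.1.31 10.0.1.5 443 ALLOW
2017-05-12T10:05:01 10.0.1.31 203.0.113.9 443 ALLOW
"""

# Assumed internal address space; adjust to the real network plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every line.
    Denied flows are kept on purpose: a scanning host hits closed ports too."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_internal_fanout(events, port=445, threshold=10,
                         window=timedelta(seconds=60)):
    """Return {source: distinct internal hosts reached} for internal sources
    that contacted at least `threshold` distinct internal hosts on `port`
    within any interval of length `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port and is_internal(src) and is_internal(dst):
            per_src[src].append((ts, dst))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()                      # sliding window needs time order
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, dst in hits[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in find_internal_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {count} internal hosts on TCP/445 within 60s")
```

The check is deliberately blind to whether the flows were allowed or denied: the signal is the fan-out itself, and tuning the threshold and window to the environment (a backup server legitimately talks to hundreds of hosts) is what turns this from a one-off script into a usable detection.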
Failure to map the flow and storage of data and limit access
As companies adopt digital transformation, work with onsite and offsite employees and partners, and open their networks to many other devices under freelancing and BYOD models, data flowing outside the organisation is normal. While it eases the workflow, data security is at high risk because several external elements, possibly unmonitored or even unauthorised, are at play.
Companies should map where their data flows and where it is stored. They should also compartmentalise information so that each person can access only the data they need. Business-critical and confidential information, such as budget reports and income statements, should be kept on segregated systems that are not reachable from the general network. Rights to access and modify data and processes should be configured explicitly, and reviewed regularly, to avoid undesirable changes.
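The least-privilege principle from the password section and the compartmentalisation described here come down to the same question: who can reach or change which classified asset, and does their role justify it? The following is an added example for this article, not code from the original page. It models a small deny-by-default access matrix and then audits it for accounts that hold access outside their own team's data. The asset inventory, roles, users and team names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed data inventory: each asset carries a classification and the
# team that owns it. Confidential items are the budget reports and income
# statements the article singles out.
ASSETS = {
    "budget-2019.xlsx":        {"classification": "confidential", "owner": "finance"},
    "income-statement-q1.pdf": {"classification": "confidential", "owner": "finance"},
    "marketing-plan.docx":     {"classification": "internal",     "owner": "marketing"},
    "product-brochure.pdf":    {"classification": "public",       "owner": "marketing"},
}

# Constructed role definitions: asset -> allowed actions. "it-admin" is
# deliberately over-broad, the kind of role that accumulates over time.
ROLES = {
    "finance-analyst": {"budget-2019.xlsx": {"read", "write"},
                        "income-statement-q1.pdf": {"read"}},
    "marketing-staff": {"marketing-plan.docx": {"read", "write"},
                        "product-brochure.pdf": {"read", "write"}},
    "it-admin":        {"budget-2019.xlsx": {"read", "write"},
                        "marketing-plan.docx": {"read", "write"}},
    "contractor":      {"product-brochure.pdf": {"read"},
                        "income-statement-q1.pdf": {"read"}},
}

# Constructed user directory: team membership and assigned roles.
USERS = {
    "alice": {"team": "finance",   "roles": {"finance-analyst"}},
    "bob":   {"team": "marketing", "roles": {"marketing-staff"}},
    "carol": {"team": "it",        "roles": {"it-admin"}},
    "dave":  {"team": "external",  "roles": {"contractor"}},
}


def permissions(user):
    """Union of the user's role permissions. Anything not listed is denied."""
    perms = defaultdict(set)
    for role in USERS[user]["roles"]:
        for asset, actions in ROLES.get(role, {}).items():
            perms[asset] |= actions
    return perms


def is_allowed(user, asset, action):
    """Deny-by-default access check used at the point of enforcement."""
    return action in permissions(user).get(asset, set())


def audit_least_privilege():
    """Return sorted (user, asset, action) triples where a user outside the
    owning team can read or write a confidential asset, or can write any
    non-public asset. Public read access is never a finding."""
    findings = []
    for user, info in USERS.items():
        for asset, actions in permissions(user).items():
            meta = ASSETS[asset]
            if info["team"] == meta["owner"]:
                continue  # owning team is expected to have access
            for action in sorted(actions):
                if meta["classification"] == "confidential" or action == "write":
                    findings.append((user, asset, action))
    return sorted(findings)


if __name__ == "__main__":
    for user, asset, action in audit_least_privilege():
        print(f"REVIEW: {user} ({USERS[user]['team']}) can {action} {asset}")
```

Running the audit on this data flags the IT administrator's write access to the finance budget and the marketing plan, and the external contractor's read access to a confidential income statement: exactly the cross-team access that an access review should question before an attacker who compromises either account inherits it.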
Ignoring security testing
Networks, applications, databases, connected devices and mobile phones can all harbour vulnerabilities which, if exploited, compromise security. Failing to test systems for such vulnerabilities can lead to a catastrophic attack.
Companies should test regularly, combining automated vulnerability scanning with penetration testing, so that dangerous vulnerabilities are found and fixed in time. A scanner finds known, unpatched issues at scale; a penetration test finds the ways those issues chain together, and the logic and configuration flaws, that a scanner cannot see.
Vendor risk assessment
The history of cyber-attacks includes some of the most damaging breaches that began with attackers first infiltrating one of the victim company's vendors, and vendor risk is not only about infiltration: a third party you depend on can take you down when it is attacked. In October 2016, a massive DDoS attack on the DNS provider Dyn disrupted popular websites including Netflix, Airbnb, Spotify and Twitter, whose domain names were serviced by Dyn. For the duration of the attack, users were unable to reach Dyn-serviced domains at all.
Companies should thoroughly examine the security framework and practices of any third party before entering into an outsourcing arrangement with them, and have an agreement in place for mutual co-operation and adherence to agreed security and risk mitigation standards.
Ignoring ‘Shadow IT’
Employees increasingly use shadow devices and applications that the company's IT department has not approved. Some of these are the innocent-looking USB flash drives or online instant messaging services seen everywhere. Information flowing through them and out of the corporate network can be dangerous. Gartner has predicted that by 2020 a third of successful attacks on enterprises will be on their shadow IT resources.
Companies need to profile the risk of such apps and devices and, accordingly, lay down the rules and controls for managing and limiting the use of shadow IT.
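Profiling shadow IT starts with evidence of what is actually in use, and the web proxy already has it. The following is an added example written for this article, not code from the original page: it summarises unsanctioned destinations from proxy logs, counts how much data users push to each one and grades the risk. The log lines, the sanctioned-host allow-list, the category table and the 10 MB upload threshold are all constructed assumptions.

```python
# Constructed web-proxy log lines (not real data):
# timestamp, user, destination host, HTTP method, bytes sent by the client.
PROXY_LOG = """\
2019-06-03T09:12:44 alice mail.example.com POST 12000
2019-06-03T09:15:02 alice files.sharedrop.example POST 52428800
2019-06-03T09:16:10 bob chat.unsanctioned-im.example POST 2048
2019-06-03T09:20:33 bob intranet.example.com GET 512
2019-06-03T09:22:01 carol files.sharedrop.example POST 1048576
2019-06-03T09:25:19 dave cdn.example.net GET 204800
"""

# Hosts the IT department has approved (constructed allow-list).
SANCTIONED = {"mail.example.com", "intranet.example.com", "cdn.example.net"}

# Risk category for known unsanctioned services (constructed). Anything
# neither sanctioned nor listed here is reported as "uncategorised".
CATEGORY = {
    "files.sharedrop.example": "file-sharing",
    "chat.unsanctioned-im.example": "instant-messaging",
}


def parse_proxy(text):
    """Yield (timestamp, user, host, method, bytes_out) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, method, bytes_out = line.split()
        yield ts, user, host.lower(), method.upper(), int(bytes_out)


def shadow_it_report(events, sanctioned=SANCTIONED,
                     upload_threshold=10 * 1024 * 1024):
    """Aggregate traffic to unsanctioned hosts.

    Returns {host: {"category", "users", "bytes_out", "severity"}}.
    Only request methods that carry a body (POST/PUT) count as uploads,
    because outbound data volume is what matters for leakage."""
    report = {}
    for _ts, user, host, method, bytes_out in events:
        if host in sanctioned:
            continue
        entry = report.setdefault(host, {
            "category": CATEGORY.get(host, "uncategorised"),
            "users": set(),
            "bytes_out": 0,
        })
        entry["users"].add(user)
        if method in ("POST", "PUT"):
            entry["bytes_out"] += bytes_out

    for entry in report.values():
        entry["users"] = sorted(entry["users"])
        big_upload = entry["bytes_out"] >= upload_threshold
        if big_upload and entry["category"] == "file-sharing":
            entry["severity"] = "high"      # bulk data leaving via a file locker
        elif big_upload or entry["category"] != "uncategorised":
            entry["severity"] = "medium"    # known risky service, or large upload
        else:
            entry["severity"] = "low"       # unknown host, small traffic: profile it
    return report


if __name__ == "__main__":
    for host, entry in shadow_it_report(parse_proxy(PROXY_LOG)).items():
        print(f"{entry['severity'].upper():6} {host:32} {entry['category']:18}"
              f" users={entry['users']} bytes_out={entry['bytes_out']}")
```

On the sample data the file-sharing host comes out as high severity with 53,477,376 bytes uploaded by two users, while the instant-messaging host is medium; the low-severity bucket is where the profiling the article calls for begins, because an unknown host with growing traffic is shadow IT that nobody has categorised yet.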
Inadequate knowledge of the types of cyber-attacks
The attackers' world has evolved over time, and each actor races to create something more novel and more destructive than before. Email phishing, whaling, cryptojacking, ransomware, stealth viruses and many other kinds of malware threaten the security and data integrity of businesses.
The 2019 Internet Security Threat Report by Symantec indicates that four times as many cryptojacking incidents were recorded in 2018 as in 2017, and the practice was expected to keep growing in 2019. Not long ago, cryptojacking was unheard of; now it has emerged as one of the notorious practices companies have to be on constant lookout for.
Attackers combine different malicious programs to launch their attacks. Companies cannot simply employ solutions that offer thin protection. They have to understand the variety of malicious programs, their updated versions and the new ones, and the risks each carries. Assessing those risks and selecting a robust solution that can effectively detect and tackle an extensive range of attacks should be one of the key points of any company's security strategy.
Underestimating the need for skilled staff
Some firms believe that having a robust security system in place solves all their problems and guards them against any possible attack, and so pay little attention to the skills and expertise of the IT professionals they hire. However, ever-growing and evolving threats need well-trained, experienced personnel who can take well-informed decisions whenever required.
Neglecting security awareness training
Many companies and employees disregard the importance of security awareness training, which can spell disaster. A report by PhishMe found that spear phishing email is behind 91% of cyber-attacks. Many employees do not realise the risk of opening unsolicited email from unknown sources, and inadvertently open malicious attachments or links; the malware then runs on their system and spreads across the network.
Proper training alerts and educates employees about the various types of cyber-attack, their impact and how to handle them. Training on the do's and don'ts of accessing web services, the use of authorised and unauthorised devices, and social engineering and its repercussions supports the company's security efforts. Periodic re-training is also essential to keep employees abreast of new threats and the ways to tackle them.
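Training teaches people to look at the sender's real address, the domain it is on and where a reply would actually go; a mail gateway can check the same three things automatically and warn the recipient. The following is an added example for this article, not code from the original page or from any product: it scores a message for display-name spoofing of a known executive, a lookalike of the corporate domain (within two edits), and a Reply-To that points somewhere other than the sender's domain. The corporate domain, the executive directory and the three messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                          # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed directory: display name -> real address

# Constructed messages (headers plus a short body), not real mail.
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.urgent@mail.example.net
To: bob@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 planning

See you at 3pm.
"""
LOOKALIKE = """\
From: IT Support <support@exarnple.com>
To: bob@example.com
Subject: Password expiry

Reset your password at the link below.
"""


def levenshtein(a, b):
    """Edit distance; small values between domains signal a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw, corp_domain=CORP_DOMAIN, directory=EXECUTIVES,
                        max_edits=2):
    """Return the list of indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    findings = []

    # 1. Display name of a known executive on an address that is not theirs.
    key = name.strip().lower()
    if key in directory and addr.lower() != directory[key]:
        findings.append("display-name spoofing")

    # 2. Sender domain is a near-miss of the corporate domain (examp1e, exarnple).
    if domain != corp_domain and 0 < levenshtein(domain, corp_domain) <= max_edits:
        findings.append("lookalike domain")

    # 3. Replies would go to a different domain than the one that wrote to us.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != domain:
        findings.append("reply-to mismatch")
    return findings


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("LOOKALIKE", LOOKALIKE)):
        print(label, phishing_indicators(raw) or "clean")
```

The edit-distance check is a deliberately simple stand-in for the homograph and typosquat lists a real gateway keeps; the point for training is that the same three questions a script asks are the ones an employee should ask before acting on an "urgent" request.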
Management and Board
Senior executives and Board members are as responsible for protecting and maintaining data integrity as every other employee. In fact more of the onus lies on them, because they hold a great deal of critical information and are prime targets for that reason. Companies should prioritise data security over rank and ensure that senior executives actively comply with security protocols rather than being exempted from them.
How well are you prepared?
If even a single point on this list raises an alarm, it is time to re-evaluate your security policies and efforts.
"Prevention is better than cure" should be a company's go-to mantra for protecting its digital infrastructure and data from malicious attacks: make sure that all the necessary measures to prevent and handle a breach are in place and kept up to date, so that new and advanced threats are identified and fought as they come. Companies should ensure the proactive engagement of their people in maintaining data integrity and following the necessary protocols, so as not to create any loophole that adversaries could exploit.