11 security mistakes that are putting your company at risk (and what to do about it)

Posted by Gemma Sirett on October 9, 2019

Cyber attacks are inevitable. Regardless of the size of your business or the sector you operate in, if you’re connected to the internet, cyber criminals will try their luck.

But there are steps you can take to keep your business as safe as possible from danger. You can massively reduce the business impact of a cyber attack by addressing these 11 common security mistakes.

1. Complacency

Too many companies still adopt the “it will never happen to us” mindset. Large companies may think they’re safe because they have a cyber budget and IT staff, and small companies may think they’re too small to be a worthy target.

The first step is understanding and accepting that your business will be attacked. Although not every company will be targeted by state-sponsored attackers (though they sometimes attack little fish to ultimately reach bigger fish), it’s likely you’ll experience some form of cyber attack at some stage. It’s important to prepare your IT estate for compromise, so in the event of an attack, you’re able to limit the damage that can be done to your operations, finances and reputation.

There’s an assumption that cyber security is a problem to be dealt with by the IT department but in reality, every user is responsible. The more aware your users are of the risks, the more resilient your business will become.

2. Weak or reused passwords

Hands up if you’re guilty of reusing one or more passwords, or not changing the default password your account was created with. Remembering multiple strong passwords for multiple accounts is no easy feat – cyber criminals exploit this and capitalise on the opportunity to compromise several accounts that use the same password in one fell swoop.

Passwords aren’t going away any time soon, but there are additional measures you can take to avoid them being compromised. Use strong, unique passwords and ensure all users do the same – the NCSC’s guidance encourages using three random words. Additionally, implement two-factor authentication (2FA) on internet-facing systems and all remote access solutions, and for privileged users and requests to sensitive data repositories.

For both professional and personal life, making use of a password manager means you only have to remember one strong, unique password instead of lots of them.

3. Insufficient backup

If your IT estate is compromised and your data lost, could you get it back? Implement a rigorous backup regime to ensure business-critical data can be recovered if you are attacked. Store this backed up data in multiple secure locations, including an ‘offline’ location where infected systems can’t access it.

Regularly test that backups are being done correctly, and that your data restoration procedures actually work as intended. Imagine only finding out they don’t work after an attack has stolen or blocked access to all your files…

4. Reliance on reactive rather than proactive technologies

Some attacks bypass firewalls and anti-virus programmes – you need to proactively hunt your systems for signs of compromise that haven’t been picked up by these traditional methods. The longer an adversary sits on your network undetected, the more damage they can do.

Email is the single biggest attack vector, so implement the same level of proactive security for your email client too. Firewalls and email security solutions can block known malicious senders and strip certain types of file attachments that are known to be malicious, before they have a chance to reach your inbox. Users need to be given all the information about an email so they can instantly make an informed decision as to its legitimacy.

Email attachments are commonly used to transport malicious files and processes directly to your inbox. If a malicious attachment is opened, application whitelisting will ensure only approved executables can run. You can also configure Microsoft Office to ensure only macros from trusted sources reach your users.

Isolation ‘sandboxing’ technologies can prevent the download and execution of ransomware – these technologies separate the malware, before analysing and detonating it in a secure, isolated environment. This proactive approach ensures that if there’s an attempt to download ransomware onto your network, it never reaches its destination and your systems remain unaffected.

5. Use of removable media

Malware can easily be spread through infected flash drives, external hard drives and smartphones – anything that can be plugged into a computer.

Always scan a device for malware before plugging it in. To minimise the level of risk, implement policies to control access to removable media devices. On particularly sensitive systems, consider disabling removable media altogether.

6. Generic user privileges

Users should only be permitted access to the information they need to do their job.

Limit the number of privileged user and admin accounts. For IT admins, adopt a least-privilege approach and consider using a privileged access management solution to restrict access throughout your network. The more users who have access to privileged information, the more targets there are for cyber criminals, and the more likely they are to succeed as a result.

Monitor all user accounts for unusual activity. If a user is accessing files or drives they have no reason to be interacting with or have never interacted with before, such activity should prompt a review.
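One way to turn the "never interacted with before" rule into a review trigger, as an added example that is not part of the original post: build a per-user baseline of file shares from older access logs, then flag any later access to a share outside that baseline. The log format (timestamp, user, action, path) and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample access log (not real data). Lines before the cutoff
# form the baseline; lines on or after it are checked against that baseline.
SAMPLE_LOG = """\
2019-09-01T08:02:11 alice read /shares/finance/q3.xlsx
2019-09-01T08:10:43 alice read /shares/finance/budget.xlsx
2019-09-02T09:15:02 bob read /shares/engineering/specs.docx
2019-09-03T10:00:00 bob write /shares/engineering/build.log
2019-10-08T23:41:17 bob read /shares/finance/payroll.xlsx
2019-10-08T23:42:05 bob read /shares/hr/salaries.csv
2019-10-09T08:05:00 alice read /shares/finance/q3.xlsx
"""

def parse(log):
    """Split each line into (timestamp, user, action, resource)."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, action, resource = line.split(maxsplit=3)
            events.append((ts, user, action, resource))
    return events

def share_of(resource):
    """Reduce /shares/<name>/<path> to /shares/<name> so the baseline is per share."""
    return "/".join(resource.split("/")[:3])

def build_baseline(events, cutoff):
    """Record which shares each user touched before the cutoff (ISO timestamps sort as strings)."""
    seen = defaultdict(set)
    for ts, user, _, resource in events:
        if ts < cutoff:
            seen[user].add(share_of(resource))
    return seen

def first_time_accesses(events, cutoff):
    """Return (timestamp, user, action, share) for each share a user touches for the first time."""
    baseline = build_baseline(events, cutoff)
    flagged = []
    for ts, user, action, resource in events:
        if ts < cutoff:
            continue
        share = share_of(resource)
        if share not in baseline[user]:
            flagged.append((ts, user, action, share))
            baseline[user].add(share)  # report each newly seen share once per user
    return flagged

if __name__ == "__main__":
    for hit in first_time_accesses(parse(SAMPLE_LOG), "2019-10-01"):
        print("review:", *hit)
```

In the sample, bob's late-night reads of the finance and HR shares are flagged, while alice's return to a share she already uses is not.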

Keep a record of all accounts each user has access to, and remove permissions as soon as they leave the company.

7. Poorly configured systems that aren’t kept up-to-date

Environments that are not configured securely can enable malicious users to obtain unauthorised access – it’s therefore imperative to ensure the secure configuration of all systems at all times.

Schedule regular vulnerability assessments to identify weaknesses in your organisation’s IT infrastructure that would leave it open to exploitation – use the results to define your detection and response capabilities, and ascertain if you need to outsource your cyber security to a managed security provider. To avoid allowing malicious access through unpatched vulnerabilities, apply security patches regularly and keep all systems and applications up-to-date.

To ensure security across your network, it’s important to have robust and secure standardised builds for servers, workstations, laptops and other network infrastructure. That way, as soon as new hardware is added to your system, you can be confident it is already secured to the same standard as the rest of your IT estate.

8. Lack of guidance for remote working

If any of your users work on the move or from home, it’s important to have policies in place that will protect any sensitive corporate or personal data in the event of a mobile device being lost, stolen or compromised.

Many corporate mobile devices – laptops, phones and tablets – not only contain locally saved sensitive data (client contacts, emails, photos, documents, etc.) but are also connected to the company’s internal network through VPNs and workspace browsers, giving attackers a direct route to the heart of a business.

To enforce secure remote working practices, employ a suitable and robust enterprise mobile management solution and policy, applying your secure baseline and build to all devices.

9. Inconsistent monitoring

If you’re not monitoring your systems, you could be overlooking opportunities that attackers won’t miss.

Continuously monitor all systems and networks to detect changes or activities that could lead to vulnerabilities. Consider setting up a security operations centre (SOC) to monitor and analyse events on your computer systems and networks. If you don’t have the resources or skills in-house, outsource these tasks to a specialist managed security service provider (MSSP).

10. No incident response plan

Write one! Make it specific and ensure it accurately reflects your company’s risk appetite, capabilities and business objectives.

Being adequately prepared for a security breach will go a long way towards minimising the impact to your business. Know exactly what you’re going to do and how you’re going to do it, and make sure you have the necessary information, resources, skills and capabilities to do it effectively and efficiently.

Test your incident response plan on a regular basis, using a variety of different scenarios, to identify where improvements can be made.

11. Expecting users to protect you from attacks

If your users are your first line of cyber defence, your defences are going to succumb to attack.

Humans make mistakes, and no amount of training will negate that. Most users can’t be trained in complex IT processes, simply because they’re not IT experts. It’s unrealistic and unfair to expect otherwise.

Invest in cyber security solutions that remove the burden of being on the frontline of email security defence, allowing your users to get on with their day jobs.