Here Are the Security Mistakes Your Company Could Be Making
Every week, publications such as The Wall Street Journal and business sections of major city newspapers report the latest incidents of corporate hacking. As it turns out, the problem isn't caused exclusively by a growing number of hackers armed with new tools and strategies.
The companies being hacked make their own contributions to their security problems.
According to research and statistics, too many American companies—of all sizes—fail to follow some basic, or at least simple, security principles. Those oversights give hackers the opportunity to do their dirty work.
An article published in a special WSJ report entitled "What Companies Should be Doing to Protect Their Computer Systems—but Aren't" revealed the common mistakes companies make that increase their risk of attack.
For illustration, here are some of the statistics that show where many companies fall short. (Note: The numbers come from the 2015 "Verizon Data Breach Investigations Report.") Among the large American companies surveyed, the results showed:
- 37% of IT professionals say insufficient funding of IT security led to a breach.
- Only 55% of companies say they encrypt their outgoing email.
- Only half reported conducting security awareness training.
- More than half (55%) admitted not being able to discover where the breach had occurred.
- Just under half (44%) said malware was involved in the hack.
This information is unsettling to businesses and consumers alike. Most of the public would expect that companies would do everything they could to protect their data. After all, company data is often consumer data too: names, addresses, email addresses, account numbers and so on. If companies are collecting your data, they should be doing as much as they can to protect it.
Five changes companies should make now.
Based on the opinions of security experts, the WSJ article listed five measures companies should consider to help reduce the threat or incidence of data attack. These are steps that every company should take, but simply don't, for a variety of reasons:
- Keep up to date with security patches.
All businesses rely on complex computer systems to manage their business data. Business software and computer operating systems are complex, and it's common for software to have flaws that go unnoticed for long periods. In 2010, Microsoft released a fix, or "patch," when a flaw was discovered in their operating systems. However, many businesses simply failed to update their software to fix the problem. Hackers who knew about the flaw exploited the software weakness and successfully attacked companies that hadn't installed the patch. Patches are released whenever problems are detected, so there are often multiple patches to install. If companies fall behind with their updates, that gives hackers more ways to get into a system. Simply keeping up with updates goes a long way toward keeping hackers on the outside, looking for easier targets.
- Keep tabs on every device with an Internet connection.
It's hard to imagine how many computers a large company might have. The problem is, companies simply don't know how many they have and, more importantly, how many are connected to the Internet at any one time. The Verizon Security Survey reported that 25% of the security breaches occurred when hackers obtained system access through a device that didn't need to be online, or didn't need to be online at the time. Last year the HealthCare.gov system was attacked through a Web-development server that wasn't designated to be online; because of that, it didn't have strong security protections in place. The hackers essentially came through a system door that was accidentally "left open." These days, many devices such as printers, thermostats and lights have Internet connections, but not many have strong security safeguards in place because they're "not computers." That's a mistake. Companies should make sure that any computer or device that has an Internet connection is secure and not easily hacked.
- Encrypt all data.
Automatically scrambling and coding data to make it unreadable is called encryption. One security expert has been quoted as saying, "You can't rely on people. You have to rely on technology." What he meant was this: It doesn't matter if you have all the brightest IT talent if they aren't doing everything to encrypt your company's data. For example, in California from 2013 to 2014, 25% of the data that was reported stolen was not encrypted. Everyone knows encryption works, so why don't companies do it? Some reasons are cost, complexity and time. It's not cheap to acquire and implement the latest technologies, and company executives might be slow to approve funding. That could be dangerous, as Home Depot unfortunately found out: They were in the process of implementing technology to encrypt customer credit/debit card data when hackers attacked, gaining access to 56 million account numbers. They weren't fully aware of the hack for some time, either. The lesson to learn? Encrypt all sensitive customer and company data or face a real risk of losing it.
- Educate staff on strong passwords.
Passwords are a pain to remember and annoying to change. It's not uncommon for some people to have more than 100 passwords for different accounts. To make life easier, many people use the same (or very similar) passwords for different accounts. Facebook made many of its customers change passwords after Adobe was hacked, because it was discovered that many Adobe customers who had Facebook accounts used the same passwords for both websites. Hackers count on weak passwords, duplicate passwords, laziness and apathy. It works: They can often guess or determine passwords with simple programs. A company that routinely requires employees to create new and unique passwords is less likely to be a victim of the most basic of attacks.
- Screen vendors. Choose wisely.
Because of recent high-profile attacks, more companies are discussing IT security at the highest levels and beefing up their defenses. That's good news and a step in the right direction. However, large companies have working online relationships with hundreds of vendors, from lawyers and accountants to air-conditioning contractors. And often those third-party contractors don't have the same level of security in their online systems. That gives hackers a chance to infiltrate a company through a "side door"—a vendor's hacked connection. In fact, more than half of all large data breaches may be coming from vendors/third parties with online access to the real target. That's how hackers breached the computer systems of Target, the Home Depot, and Goodwill Industries. The solution? You need to evaluate vendors on their security history, especially if you give them access to sensitive systems that hackers will target, such as accounts receivable. Don't hesitate to ask vendors all of the tough IT questions and have a security consultant or expert examine their answers.
As the headline in the WSJ article read, "Sometimes the simplest things make all the difference." So before your company takes on a huge security project, make sure the simplest security "check boxes" are reviewed. Closing a few open doors is the best way to start your next security effort.
Information for this article was sourced from The Wall Street Journal.
Journal Report: INFORMATION SECURITY. April 20, 2015.