It’s easier than you think for organizations and their leaders to overlook cybersecurity. Unfortunately, the nature of the threat means some of the biggest worries for your organization might actually be out in plain sight. Here are five cybersecurity risks that are regularly overlooked.
- Inconsistent or Nonspecific Cybersecurity Training. In many cases, people are the weakest link. “From falling for phishing emails, and clicking on links or downloading documents that turn out to be malware, to being a victim of business email compromise scams that end up losing the company a lot of money, employees are a company’s greatest liability when it comes to cyber security.” [1] More specifically, the risk lies in how well and how consistently employees are trained on security essentials. Since you don’t want to assume any one employee is automatically better versed in digital security than another, it makes good sense to standardize the training. Everybody should be on the same page about the reality of the risks and about how much the human element still matters, even with all the anti-virus and anti-malware software available. Knowing what a phishing email looks like is just as useful at home as it is in the office. Even though most employees don’t like the idea of extra meetings, specific cybersecurity training helps employees feel a greater sense of ownership over the company and its processes and assets.
- Passwords. Ensure that every account associated with your organization is secured by a strong password and, where possible, two-factor authentication. Employees should never reuse passwords from other online accounts for any of their work accounts. You can make it part of your IT policy that employees must change their passwords within a specific time limit. Communicate to your team that they should not share their passwords with anyone else.
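The controls in the password point above (a minimum strength bar, no reuse, a maximum password age) can be enforced at password-change time rather than left to policy alone. The following is an added example written for this article, not code from the article or from Symantec or Bryley Systems; the policy numbers, the class and method names, and the user record in the test are constructed placeholders. It checks reuse against the user's own recent work passwords, which is what an employer can verify; reuse of a password from an unrelated personal account cannot be detected this way and remains a matter of policy and training.

```python
"""Password-change policy check: minimum length, no reuse of recent
passwords, and a maximum password age.

Added example for the password point above; not the article's own code.
The numeric limits and method names are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

PBKDF2_ROUNDS = 200_000  # work factor; raise as hardware allows


def _digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256, so stored history entries cannot be
    reversed into the plaintext passwords they came from."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordPolicy:
    def __init__(self, min_length=12, history_size=5, max_age_days=90):
        self.min_length = min_length
        self.history_size = history_size
        self.max_age_days = max_age_days

    def check_new_password(self, candidate, history):
        """Return a rejection reason string, or None if the candidate is acceptable.

        `history` is a list of (salt, digest) tuples for the user's recent
        passwords, oldest first.
        """
        if len(candidate) < self.min_length:
            return f"shorter than {self.min_length} characters"
        for salt, digest in history:
            # Constant-time comparison: do not leak which entry matched.
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return "matches one of the recent passwords"
        return None

    def record(self, new_password, history):
        """Return a new history with the accepted password appended (fresh
        random salt per entry) and trimmed to the last `history_size` entries."""
        salt = os.urandom(16)
        updated = history + [(salt, _digest(new_password, salt))]
        return updated[-self.history_size:]

    def is_expired(self, changed_on, today):
        """True once the password is older than the allowed maximum age."""
        return today - changed_on > timedelta(days=self.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = policy.record("correct horse battery staple", [])
    print(policy.check_new_password("correct horse battery staple", history))
    print(policy.check_new_password("a completely different phrase", history))
    print(policy.is_expired(date(2017, 1, 1), date(2017, 5, 1)))
```

Only salted digests are kept, never plaintext, so the history store is not itself a password list if it leaks; the reuse check is the same hash-and-compare that a login check performs.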
- Patch Management. Keeping software patches up to date is a critical component of keeping your company network safe from newly discovered vulnerabilities. The importance of keeping software updates current was underlined in a dramatic way during the WannaCry and Petya outbreaks. The primary way both of those attacks spread was by exploiting a critical vulnerability in the Windows operating system known as Eternal Blue. Eternal Blue allowed the malware to spread within corporate networks without any user interaction, making these outbreaks particularly virulent. “The WannaCry outbreak occurred in May; the patch for the Eternal Blue vulnerability had been released by Microsoft in March. If the patch had been widely applied the impact of WannaCry, which mostly hit corporate networks, would have been greatly reduced. You would imagine that a high-profile incident like WannaCry, which underlined the importance of keeping patches up to date, would have ensured people and companies did just that. However, despite all the publicity the WannaCry outbreak received when it occurred in May, the Petya outbreak in June was still able to use the same Eternal Blue vulnerability as one of the ways it spread.” [2] “To be fair to the IT managers in the various companies that were hit due to the Eternal Blue vulnerability being exploited, updating software on company networks is not always entirely straightforward. IT managers can often be fearful that updating one part of the system could cause another part of it to break, and this can be a particular concern in, for example, healthcare organizations, which were heavily impacted by WannaCry.” [3] However, incidents like these do underline the importance of protecting vulnerable systems, and patching is a key way to do that. The point is not that clicking refresh on software updates all day long will prevent every possible instance of a cybercriminal exploiting a vulnerability or back door. Setting everything you can to auto-update at a convenient time, daily, does stand a chance of keeping you safer.
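The two-month gap between the March patch and the May outbreak described above is the kind of lag a simple patch-compliance report makes visible. Below is an added example, not code from the article or from Symantec or Bryley Systems, that checks an inventory of hosts in two ways: which hosts have gone longer than the allowed window without a successful patch run, and which hosts still lack one specific required update. The hostnames, dates and the `UPD-PLACEHOLDER-*` update identifiers are constructed placeholders; in practice the inventory would come from the organization's patch-management or endpoint tooling, and the required-update id would be the vendor's own bulletin number.

```python
"""Patch-compliance report over a host inventory.

Added example for the patch-management point above; not the article's own
code. Hosts, dates and update identifiers are constructed placeholders.
"""
from datetime import date, timedelta

# Constructed inventory: hostname, date of the last successful patch run,
# and the set of update identifiers confirmed installed on that host.
INVENTORY = [
    {"host": "ws-01", "last_patched": date(2017, 5, 1), "installed": {"UPD-PLACEHOLDER-A", "UPD-PLACEHOLDER-B"}},
    {"host": "ws-02", "last_patched": date(2017, 3, 20), "installed": {"UPD-PLACEHOLDER-A"}},
    {"host": "srv-01", "last_patched": date(2017, 2, 10), "installed": set()},
    {"host": "srv-02", "last_patched": date(2017, 4, 28), "installed": {"UPD-PLACEHOLDER-A"}},
]

# Placeholder for the critical update the organization requires everywhere;
# stands in for a real vendor bulletin id, which this example does not name.
REQUIRED_UPDATE = "UPD-PLACEHOLDER-B"


def stale_hosts(inventory, today, max_age_days):
    """Hosts whose last successful patch run is older than the allowed window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(h["host"] for h in inventory if h["last_patched"] < cutoff)


def hosts_missing(inventory, update_id):
    """Hosts on which the given required update has not been confirmed installed."""
    return sorted(h["host"] for h in inventory if update_id not in h["installed"])


def compliance_report(inventory, today, max_age_days, update_id):
    """Combine both checks; empty lists in both keys mean the fleet is compliant."""
    return {
        "stale": stale_hosts(inventory, today, max_age_days),
        "missing_required": hosts_missing(inventory, update_id),
    }


if __name__ == "__main__":
    # Constructed "today": a 30-day window, assessed shortly before the May outbreak.
    report = compliance_report(INVENTORY, date(2017, 5, 12), 30, REQUIRED_UPDATE)
    for key, hosts in report.items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```

The "missing_required" list is the one to act on first: a host can be inside its patch window and still lack the one update that matters, which is exactly the situation the Petya outbreak exploited a month after WannaCry.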
- Other Companies. A problem that many businesses encounter in the current business climate is that it is not just their own cyber security practices they have to worry about: they also have to worry about the cyber security protocols of the other businesses they work with. Your company may have stringent cyber security practices in place, but if a third party your company deals with is compromised, attackers could potentially gain access to your network. Network segmentation, or dedicated servers that vendors use so that they never connect directly into your company’s network, can help safeguard against weak links in third parties’ cyber security. If that isn’t possible, it is wise to at the very least have a conversation with potential vendors before doing business with them, to ensure they take cyber security seriously and have appropriate practices in place.
- Unsecured Personal Devices. “BYOD culture — or bring your own device — is a great thing for employees and employers alike. It lets employees perform their duties in a digital workspace they already know and feel comfortable in. On the employer side, the lack of a serious learning curve and the small bump in productivity are welcome. What’s less welcome are the cybersecurity risks that BYOD culture brings. It’s possible to permit and even encourage your teams to work on their own laptops and tablets, but this shouldn’t be done without a comprehensive and robust BYOD policy drawn up by your IT team. At a minimum, you should require that users access on-premises internet connections using VPNs and that all accounts are equipped with two-factor authentication.” [4]
In today’s connected workplaces, there’s no single department within an organization whose job it is to ensure cybersecurity. In fact, that’s the major message across the digital landscape: no matter how large or small the organization, it’s vital to speak and act as one when it comes to protecting digital assets and company property. As with so many of the issues on this list, employee education is key: employees need to understand what good cybersecurity practices are, and the potential consequences for the company if they are not followed.
[1]–[4] Symantec Security Response Team, “Cybersecurity Weak Links”, www.symantec.com/security-center. Bryley Systems is an SMB Specialized Symantec partner.