NOT AS EASY AS “SET IT AND FORGET IT”
Keeping your business safe isn’t a one-time thing and it’s not just a matter of adding firewalls and antivirus software. Cybercriminals take advantage of all sorts of vulnerabilities in your company. Some are digital. Some are human.
Ransomware meltdowns have grabbed headlines but a lot of businesses suffer less catastrophic invasions. Fraudulent money transfers, stolen business information, and days of lost productivity. Even the smallest business can be targeted by automated attacks and hacker farms.
It’s always more affordable to prevent these exposures than it is to recover from them. A good percentage of businesses are so affected that they resultantly fold.
Checking for weaknesses is an ongoing task. Here are five things you should know.
FIVE COMMON VULNERABILITIES
VULNERABILITY #1 – YOUR EMAIL
Let’s start with three facts:
- Too many logins are tied to corporate email accounts.
- The majority of users cannot tell if their email email account has been compromised.
- Phishing for email logins is the #1 hacker target. By far.
You need to have multi-factor authentication enabled for all business accounts. Why is not enabled in your business?
It’s a pain and it requires too much getting used to.
We need to share an account login.
Some employees will require a bit of support to get it setup.
The setup process is weird and no one knows what apps we need.
True but it doesn’t matter. It’s worth it. It’s not perfect but know this: we’ve yet to have a client with a compromised email account where multi-factor authentication was enabled. All of the exploited logins have been phishing related, on an account without a login challenge.
Your email accounts are a gateway to all sorts of financial and business information. You need to lock them down as much as possible.
VULNERABILITY #2 – WEAK ENDPOINT DEFENSE
Some companies fail to set up managed endpoint defense software by rote. A common issue: expired antivirus tools that shipped with the Dell PC or came pre-installed on a Best Buy PC. The owners think they’re cover but they’re not. This means that the organization is more susceptible to cyberattacks, allowing malware to install.
Centralized reporting and monitoring is critical because it allows for IT professionals to document issues, causes and potential patterns.
The best way to address these issues is to invest in a platform that offers in-depth behavioral inspections, managed alerting and security that extends beyond traditional antivirus.
VULNERABILITY #3 – POOR ACCOUNT PRIVILEGE CONTROL
Limiting the access privileges of daily users helps in several ways:
- Ensures that the apps on the machine are verified for business purposes.
- Prevents the installation of many malware types by disabling software installation.
- Apps that could affect compliance aren’t installed by unknowing users.
- Helps to avoid breaking applications that are for business use.
The less information they can access, the less harm they can do. The problem comes if your company doesn’t control your user account access, enabling practically any user to have administrator-level privileges. It gets even worse if your configuration allows unprivileged members to set up admin-level accounts.
You should grant access only to those team members who can’t carry out their duties without the access.
You also need to ensure new accounts don’t have administrator-level access. This setup might be difficult to implement so it’s best to lean on your IT resource for the initial configuration.
VULNERABILITY #4 – COMPROMISED OR WEAK CREDENTIALS
Your password and username may be the most widely used access credential. And cybercriminals can easily compromise them, exposing your user credentials.
This usually happens when an unsuspecting team member falls victim to phishing and enters their login information on a fake website. And with compromised credentials, an intruder gains insider access.
Here’s how it goes:
- Password and email address are stolen via phishing (or leaked publicly due to a hack).
- Thief uses the credentials to access the website.
- Thief then tries the same credentials, sometimes with an automated attack, on various popular sites — banking, credit cards, etc. If the same password was used, they’re in.
- One login can lead to all sorts of access. Business credentials offer administrative access to systems and devices that consumer ones might not, creating a higher risk of exposure.
To avoid this scenario, you should implement stringent password policies for business accounts, enforce complicated passwords, and enable multi-factor authentication whenever possible. Remembering passwords isn’t necessary if you use a sophisticated password management app.
User training helps too! We often provide how-to information to our clients regarding their role in keeping business accounts safe.
VULNERABILITY #5 – OUT-OF-DATE SYSTEMS
You cannot protect older systems from intrusion. As technology ages, more exploits are discovered. It’s critical to make sure that all devices are using the latest operating system and application patches.
Many personal computers are set to update automatically but it’s more difficult to ensure that the same happens to devices that you don’t work on everyday. Examples: firewalls, servers, Internet-of-things (IoT) devices, and wireless access points. All of these should be regularly updated to make sure that they cannot be compromised by a known exploit.
Out-of-date systems and old operating systems are easier to break into. There are so many exploits in the wild that there are websites dedicated to researching device vulnerabilities.
WHAT TO DO NEXT
The risk of losing precious data and risking your corporate reputation is too high. To ensure your organization isn’t a sitting duck for cyberattackers, we recommend four things:
- Work with your IT provider to take appropriate precautions and do this on a recurring basis.
- Know what the standards are for your industry and make sure that you’re meeting them. Governing bodies drive compliance standard like PCI, HIPAA, and SEC. Often your business insurance relies on you maintaining compliance.
- Make sure that you have monitoring in place to detect and alert knowledgable IT professionals.
- Document your technology and make a plan for keeping things current.
- Offer security awareness training to your teams. Programs are available for things like phishing.
- Create policies for things like cybersecurity so you’re prepared if something goes wrong.