10 security red flags to avoid
Sometimes you hear a piece of advice so harmful that it grates your ears like nails on a chalkboard. You might call such advice "red flags."
Unfortunately, these red flags exist in the world of cybersecurity as well.
Below we've listed the 10 security red flags that businesses and individuals alike should avoid.
1. “We must achieve 100 percent security.”
John Chambers, the CEO of Cisco, said it best:
No organization is safe from attacks.
There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.
And if you're familiar with the concept of SMART goals, then you understand why goals should be attainable. While it's obvious why someone would seek to eliminate all security risk, it just isn't possible.
Such a goal is in the same vein as seeking to eliminate all vehicular accidents. In both cases, aiming for the impossible can cloud your judgment of success and preparedness.
Once you accept that perfect security is impossible, you can focus on protecting your most important information assets and improving detection and response capabilities so you can nip problems in the bud as they arise.
2. “Attacks only come from the outside.”
According to the 2016 Verizon Data Breach report, 20.6% of all attacks are due to insider misuse, with an additional 15.3% coming from device theft or loss.
To minimize insider threats, focus on implementing a thorough, company-wide end user security training policy. This should be tailored to employees' specific devices, roles and locations, and should include regular check-ups and updates to make sure every base is covered.
Adopting internal policies like zero trust security and the principle of least privilege can also go a long way toward mitigating the risk of an attack from the inside.
3. “The security threat level remains the same year after year.”
Security threats aren’t going anywhere anytime soon. In fact, they’re increasing in both quantity and complexity: SonicWall's 2022 Cyber Threat Report noted a 105% increase in the number of ransomware attacks in 2021.
To keep up with the rising tide of threats, security has to start at the top of the corporate ladder with the board. Executives should make security a company-wide priority by training employees, creating up-to-date incident response programs, and proactively taking steps to get ahead of breaches in order to reduce their overall impact.
Threat actors are constantly changing their methods to improve their own success. Also, malware that can update itself to avoid detection (such as Emotet) poses unique challenges. What kept you safe last year may not work this year, and so on. Be sure your company is aware of the latest security threats and trends.
4. “Compliance = Security.”
Don’t be lulled into a false sense of security just because you’re complying with industry regulations. Compliance with certain laws and policies is certainly a crucial component of security, but should not be relied upon as your only security solution.
Speaking at the 2010 CSI Annual Conference, Jim Jaeger, director of DoD and commercial cyber solutions for GDA Information Systems, warned:
Virtually every breach we investigate, that company has been certified as being compliant within the last year. In many cases, these compliance regimes give people an incredible false sense of security.
While industry overseers may update compliance regulations on a regular basis, chances are they can't update those regulations in a timely manner for every new threat. So don't stop improving your security just because you're following the latest standards.
5. “We have the best-of-class technical tools so we must be safe.”
Specialized tools are a key component for strong security as they enable the rapid detection of intruders on your network. However, just like mistake #4 in this list, don’t let the fact that you have these tools fool you into thinking that this is all you need for total security.
Effective security is less dependent on technology than you would think. These tools should be integrated into a holistic security policy that focuses on user education and security strategies just as much as top-of-the-line technology.
Your employees can be your greatest asset—or liability—when it comes to your company's security.
6. “We’re too small to be a target for hackers.”
The unfortunate fact is that virtually every company, regardless of size, is a target for threat actors out for valuable corporate information.
Hackers routinely target small and midsize businesses where preparation is low and the financial burden of a hack could potentially topple the organization. Instead of relying on anonymity as your safety net, invest both time and resources in developing a comprehensive security policy so that your business is prepared to fend off and recover from potential attacks.
7. “We know better than you.”
At risk of sounding authoritarian, best practices exist for a reason.
In some ways, this point may contradict some of our previous thoughts in this same post. While we encourage you to go beyond the minimum requirements, we do ask that you not go rogue. If you choose to go against conventional wisdom in terms of security, please be sure you have good reason and that you understand the risks.
8. “Endpoint solutions should be enough.”
The days when security meant building up bigger and bigger perimeter walls with more and more endpoint solutions are behind us. Instead, businesses need to focus on visibility, identity and authentication, threat intelligence, integrated solutions, and a stronger prioritization of resources around key areas.
By only watching the perimeter, businesses set themselves up for “silent failure”: once an adversary gets inside undetected, they can operate freely because nobody is looking.
Every day, businesses are relying more and more on the cloud for day-to-day operations. So you can't afford to rely on only one type of defense to keep you safe: Be sure you're using layers of security to better the chances of stopping attempted attacks.
9. “A complicated password isn’t all that important.”
This is one that really ruffles the feathers of IT pros. Using weak, easily guessable passwords puts not only you, but also your business at risk for hacking and identity theft.
Choose a wholly unique password for each of your log-in credentials—and make it a good one. When choosing a password, remember that longer does not always equal better: “12345678” is longer than “p1fmkd” but is a bajillion times (to be very technical) more hackable.
Also, steer clear of sports or pop culture references. Instead opt for a “passphrase” of twelve characters or more with mixed types of characters. Worried you’ll have trouble remembering all these passwords? That’s what password managers are for. (And so that you’ll never have to write your password on a sticky note again.)
Also, be sure to use multi-factor authentication if you're not already.
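The password advice above, sketched as an added example (not part of the original article): it shows why “12345678” fails despite being longer than “p1fmkd”, and applies the twelve-character, mixed-type rule. The function names, the small denylist, and the three-character-type threshold are assumptions made for illustration.

```python
import math
import string

# Constructed sample denylist; a real check would load a breached-password corpus.
COMMON = {"12345678", "password", "qwerty123", "letmein", "iloveyou"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def used_classes(pw):
    """Character classes (lower, upper, digit, symbol/space) present in pw."""
    return [cls for cls in CLASSES if any(c in cls for c in pw)]

def naive_bits(pw):
    """Brute-force estimate that treats every character as random."""
    alphabet = sum(len(cls) for cls in used_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def is_sequence(pw):
    """True for runs such as 12345678 or hgfedcba (constant step of +1 or -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})

def is_repeat(pw):
    """True when pw is one unit repeated, e.g. aaaaaaaa or abcabcabc."""
    return len(pw) > 1 and pw in (pw + pw)[1:-1]

def check(pw, min_len=12, min_classes=3):
    """Return the list of problems found; an empty list means pw passes."""
    problems = []
    if pw.lower() in COMMON:
        problems.append("common")
    if is_sequence(pw):
        problems.append("sequence")
    if is_repeat(pw):
        problems.append("repeat")
    if len(pw) < min_len:
        problems.append("short")
    if len(used_classes(pw)) < min_classes:  # threshold is an assumption
        problems.append("few-classes")
    return problems

if __name__ == "__main__":
    for pw in ("12345678", "p1fmkd", "Tidal-Walnut7 orbit"):  # constructed samples
        print(f"{pw!r}: {naive_bits(pw):.1f} naive bits, problems={check(pw)}")
```

Neither short password passes, but only “12345678” is also a known-common value and a plain sequence, which is what puts it at the top of any guessing list regardless of its length.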
10. “Printers and scanners don’t pose any credible risks for security.”
Modern printers aren’t just tools designed to spit out spreadsheets. Today’s printers and copiers are built just like computers, complete with processors, RAM, and operating systems—and need to be protected as such.
For example, in 2013 a vulnerability in some HP printers allowed hackers to assume control of the printer to view all printed and scanned files, and prevent the device from upgrading its firmware to patch the hole. Therefore, it’s important to configure your printers and other devices with security in mind.
Here are some basic ways to increase the security of your printers: