Avoid these 10 Cybersecurity Mistakes
Woohoo! We are officially a month and a half into 2016. How are your resolutions going? If you’re like me, the answer to that question probably sounds something like, “uhhhh…no comment”. But hey, that’s only natural. Personally, I can only maintain January’s levels of die-hard determination for so long before I slip back into comfortable routines.
However, one resolution none of us can afford to toss out like last year’s iPhone is to learn from past mistakes—particularly those of the cybersecurity sort. To help us do this, I’ve compiled a list of the top 10 cybersecurity mistakes to never make again. Let that be a resolution that sticks.
1. “We must achieve 100 percent security.”
John Chambers, the CEO of Cisco said it best, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” In today’s cyber threatscape, no organization is safe from attacks (hello Ashley Madison, Target, THE US GOVERNMENT). Once you accept that perfect security is an illusion, you can focus on protecting your most important information assets and improving detection and response capabilities so you can nip problems in the bud as they arise.
2. “Attacks only come from the outside.”
2016 is the year to grow some eyes in the back of your head. According to the Verizon Data Breach report, 20.6 percent of all attacks are due to insider misuse, with an additional 15.3 percent coming from device theft or loss. In order to minimize insider threats, focus on implementing a thorough, company-wide security education policy. This should be tailored to employees’ specific devices, roles and locations, and should include regular check-ups and updates to make sure every base is covered.
3. “The security threat level remains the same year after year.”
2015 made it abundantly clear that security threats aren’t going anywhere anytime soon. In fact, they’re increasing in both quantity and complexity. From 2013 to 2015, the number of records compromised by external hacking grew from roughly 49 million to 121 million; and this troubling trend shows no signs of slowing down in 2016.
In order to keep up with the rising tide of threats, cybersecurity has to start at the tippy top of the corporate food chain with the board. Executives should make cybersecurity a company-wide priority by training employees, creating up-to-date incident response programs, and proactively taking steps to get ahead of breaches in order to reduce their overall impact.
Warning: don’t be lulled into a false sense of security just because you’re complying with industry regulations. Don’t get me wrong, compliance with certain laws and policies is certainly a crucial component of cybersecurity, but should not be relied upon as your only security solution.
Speaking at the 2010 CSI Annual Conference, Jim Jaeger, director of DoD and commercial cyber solutions for GDA Information Systems warned, “Virtually every breach we investigate, that company has been certified as being compliant within the last year. In many cases, these compliance regimes give people an incredible false sense of security.” Gulp.
The lesson to take away from this? Check that compliance box, but make sure you also have a comprehensive network security program in place too.
5. “We have the best-of-class technical tools so we must be safe.”
Great! Specialized tools are a key component for strong cybersecurity as they enable the rapid detection of intruders on your network. However, just like mistake #4 in this list, don’t let the fact that you have these tools fool you into thinking that this is all you need for total security.
Effective cybersecurity is less dependent on technology than you would think. These tools should be integrated into a holistic cyber security policy that focuses on user education and security strategies just as much as top-of-the-line technology.
6. “We’re too small to be a target for hackers.”
From Ashley Madison to Donald Trump, 2015 was a year of big-business data breaches, with almost every American affected by at least one breach. However, the unfortunate fact is that virtually every size company, not just a massive corporation, is a target for cyber thieves out for valuable corporate information.
In 2015, hackers increasingly targeted “the little guy” as 62 percent of cyber breaches hit small and mid-size businesses where preparation was low and the financial burden of a hack could potentially topple the organization. Instead of relying on anonymity as your safety net in 2016, invest both time and resources in developing a comprehensive cybersecurity policy so that your business is prepared to fend off and recover from potential attacks.
7. Mistake: “We know better than you. (And its cousin: That won’t happen to me.)”
At risk of sounding like your mother, the rules are there for a reason—they keep you (and your network) from getting hurt. Therefore, as annoying as those antivirus, password and software updates may be, it is in your best interest to leave them on and follow their instructions in order to keep your network in tip-top shape.
If you're guilty of this, ditch the “It won’t happen to me” mentality that drives many end users to ignore important cyber security protocols, causing them to end up with a breach on their hands that they then have to explain to their boss.
8. Mistake: “End-point solutions should be enough.”
The days when security meant building up bigger and bigger perimeter walls with more and more point solutions are behind us. Instead, businesses need to focus on visibility, identity and authentication, threat intelligence, integrated solutions and a stronger prioritization of resources around key areas.
By only watching the perimeter, businesses set themselves up for “silent failure” because once an adversary gets inside undetected, he can operate freely without the threat of detection because nobody is looking.
9. Mistake: “A complicated password isn’t all that important.”
This is one that really ruffles the feathers of IT pros. Technically, poorly chosen passwords could fall under mistake #7, but due to how widely perpetrated this mistake is, I think it deserves its own spot on this list.
Using weak, easily guessable passwords puts not only you, but also your business at risk for hacking and identity theft. According to password management firm Meldium, 65 percent of people use the same password everywhere and a whopping 90 percent of employee passwords are crackable within 6 hours.
So please, try to choose a wholly unique password for each of your log-in credentials; and make it a good one. When choosing a password, remember that longer does not always equal better: “12345678” is longer than “p1fmkd” but is a bajillion times (to be very technical) more hackable.
Also steer clear of sports or pop culture references. Instead opt for a “passphrase” of twelve characters or more with mixed types of characters. Worried you’ll have trouble remembering all these passwords? That’s what password managers are for. (And so that you’ll never have to write your password on a sticky note again.)
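To make the “longer isn’t always better” point concrete, here is a small password policy checker, added as an example and not part of the original post. It applies the rules above (twelve or more characters, mixed character types, nothing that looks like a well-known or sequential password) and gives a rough strength estimate that treats patterned or common passwords as worthless regardless of length. The common-password list is a constructed handful for illustration; a real deployment would check against a large breached-password list.

```python
from __future__ import annotations
import math
import re

# Constructed sample of well-known weak passwords (illustration only; a real
# checker would consult a large breached-password corpus).
COMMON_PASSWORDS = {"12345678", "password", "qwerty", "letmein", "iloveyou"}


def is_sequential(pw: str) -> bool:
    """True if every adjacent pair of characters steps by exactly +1 or -1,
    e.g. '12345678' or 'abcdefgh'. Short strings are not judged."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def character_classes(pw: str) -> int:
    """Count how many of lowercase / uppercase / digit / symbol appear."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes


def estimate_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(alphabet size), where the alphabet
    is the union of character classes actually used. A password that is in the
    common list or is a simple sequence is scored as 0 bits, because an attacker
    tries those first no matter how long they are."""
    if pw in COMMON_PASSWORDS or is_sequential(pw):
        return 0.0
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                          (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            alphabet += size
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, min_length: int = 12, min_classes: int = 2) -> list[str]:
    """Return the list of policy violations (empty list means the password passes)."""
    problems: list[str] = []
    if pw in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if is_sequential(pw):
        problems.append("sequential characters")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < min_classes:
        problems.append(f"fewer than {min_classes} character types")
    return problems


if __name__ == "__main__":
    # The two passwords from the post plus a passphrase that meets the policy.
    for candidate in ("12345678", "p1fmkd", "correct-horse-battery"):
        print(f"{candidate!r}: ~{estimate_bits(candidate):.0f} bits, "
              f"problems={check_password(candidate) or 'none'}")
```

Run it and the eight-digit sequence scores zero bits and fails every rule, the six-character mixed string scores about 31 bits and fails only the length rule, and the hyphenated passphrase passes outright. The estimate is deliberately crude: it says nothing about dictionary words or keyboard walks, which is exactly why the blocklist check comes first.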
10. Mistake: “Printers and scanners don’t pose any credible risks for security.”
Modern printers aren’t just mere tools designed to spit out spreadsheets. Today’s printers and copiers are built just like computers, complete with processors, RAM, and operating systems, and need to be protected as such.
For example, in 2013 a vulnerability in some HP printers allowed hackers to assume control of the printer to view all printed and scanned files, and prevent the device from upgrading its firmware in order to patch the hole. Therefore, it’s important to configure your printers and other devices with security in mind.
- Change the default printer administrator password
- Set up your printer behind your network firewall
- Only allow connections to your printer from authorized network users
- Make sure your printer’s software is up to date and apply future patches in a timely manner.
Cybersecurity in the Future
There’s a lot of 2016 ahead of us—and it will no doubt come with a whole new set of security challenges. However, learning from the security failures of the past will help us tackle the future as seasoned security pros. Have any mistakes to add to this list? Leave them in the comments below.
Still not 100% sure your cybersecurity is up to snuff? Let us inspect your network for flaws. It's free, and it helps you find out what areas of your IT infrastructure may need some work.