In the business world, mistakes are costly whether they happen in accounting, customer service, or advertising. But when it comes to cybersecurity, even small mistakes or oversights have the potential to cause enormous damage to your business. Here is a list of mistakes that businesses have made in the past and that cybercriminals exploited.
1. Forgetting the basics
Citrix is a firm in the security industry known for building VPNs for clients. It recently had a major security breach that went undetected for 5 months. The hackers used the password spraying method, in which a few common passwords are tried at scale against many accounts. This mode of attack works because many users have weak passwords that are easy to guess.
Companies often invest in the latest technology but forget to ensure that basic safety practices are followed. Cyber hygiene practices like strong passwords and multifactor authentication provide the first line of defense against hackers. All important data should be encrypted, and the encryption keys should be kept separately from it. Employees should be made aware of phishing attempts that aim to steal user credentials.
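Password spraying as described above leaves a recognizable trace in authentication logs: one source failing against many different accounts with only one or two tries each. The following Python detection is an added example, not part of the original article; the log format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, invented usernames):
# ISO timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2024-03-01T09:00:02 203.0.113.7 alice FAIL
2024-03-01T09:00:09 203.0.113.7 bob FAIL
2024-03-01T09:00:15 203.0.113.7 carol FAIL
2024-03-01T09:00:21 203.0.113.7 dave FAIL
2024-03-01T09:00:30 203.0.113.7 erin OK
2024-03-01T09:01:00 198.51.100.4 frank FAIL
2024-03-01T09:01:05 198.51.100.4 frank FAIL
2024-03-01T09:01:11 198.51.100.4 frank FAIL
2024-03-01T09:01:20 198.51.100.4 frank OK
"""

def parse(log_text):
    """Yield (time, source, user, success) from whitespace-separated lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, outcome = line.split()
            yield datetime.fromisoformat(ts), src, user, outcome == "OK"

def find_spraying(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag sources that fail against many distinct accounts, few tries each.

    A single user mistyping a password (many failures, one account) is not
    flagged. Thresholds are assumptions and need tuning per environment.
    """
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)
    findings = {}
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            fails = defaultdict(int)
            for _, _, user, ok in evs[start:end + 1]:
                if not ok:
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # A success from the same source is a likely guessed password.
                wins = sorted({u for _, _, u, ok in evs[start:] if ok})
                findings[src] = {"targets": sorted(fails), "successes": wins}
                break
    return findings
```

Any account listed under `successes` should have its password reset and its sessions revoked, since the login probably came from a guessed password.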
2. Neglecting vendor security systems
A recent study found that almost half of data breaches are indirect, coming through channel partners and third-party vendors. A classic example is the Target breach in 2013, in which the personal and financial details of 110 million users were stolen. The hackers entered the system using credentials stolen from Fazio Mechanical Services, which was providing HVAC services to Target. A company has limited control over its vendors and service providers. Hence, the supply chain is the weak link that becomes the preferred target of cybercriminals.
While selecting partners and vendors, check whether they have had any security-related incidents in the past. Clearly convey your security requirements to prospective partners and check their incident-response abilities. To ensure secure cooperation with partners, a firm needs to segment its network and put strong access controls in place. Third parties need access to the relevant data and processes, but they should be kept away from other core domains like payments. Sharing security-related information and providing training to the staff of partner firms will help minimize the risk.
3. Not paying enough attention to securing smart devices
Users of Amazon Ring Home security camera systems raised several complaints about hackers accessing their devices. Security experts have demonstrated that smart devices like a TV or an air conditioner can be easy targets for hackers seeking access. A recent study found that attacks on IoT devices have tripled in the last year and that 99.9% of these were automated, using a bot, script, or malware. One major reason behind the breaches is weak user authentication.
4. Leaving the default credentials in applications
In 2017, the personal data of 14 million Verizon users was compromised, including their contact information and account PINs. The massive data leak happened because an AWS server was misconfigured and the basic access control setting was missing. Issues of this type arise from configurations that are default, incomplete, or temporary. Applications that were used in the initial production stages may also remain in place as a vulnerability.
Information systems have become complex with modern frameworks, hybrid data centers, cloud storage, emerging technologies, and applications. Detailed mapping of the system is needed to track processes and information flow. Better visibility helps to identify unexpected application behavior and to remove applications that are no longer needed. A periodic audit by an expert team is crucial to minimize the risk because the systems evolve continuously.
5. Missing patches and updates
Equifax is one of the largest credit reporting agencies in the world. It reported a massive breach in 2017 in which the private data of around 145 million users was compromised. Now, Equifax is set to pay consumers up to $700 million for damages. Later investigations found that the data leak could have been prevented if the company had applied a patch that had been available for months.
A patch or fix is a minor change made to the code to correct a bug or vulnerability. The development team cannot foresee all possible threats in the initial phase, so it releases patches and other updates as vulnerabilities or bugs show up. It is the duty of the cybersecurity team to make sure that all applications and software are updated to the latest versions.
Avoiding these common pitfalls will reduce the risk of cyber threats and keep your organization in a good position to counter the evolving tactics of cybercriminals. At Valuebound, we work with organizations to help them secure their digital platforms with a holistic approach. Do connect with us if you would like to know more about how we are helping our clients.