“…Data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true—even inevitable—then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world,” said IBM Corp. Chairman, President and CEO Ginni Rometty at the IBM Security Summit in New York.
We believe this is true, as there were an estimated 1.5 million attacks in 2015, and 2016 has brought even more data breaches, malware and ransomware attacks. The effects of these cyberattacks have been acknowledged through increased government funding and programs to help alleviate security issues, yet it’s not enough.
The costs of cybercrime are rising, too. As reported by Steve Morgan, writing for Forbes.com, leading market analyst Juniper Research has predicted that “…the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.”
Across the globe, IT professionals are working frantically to protect the sensitive data on which their organizations rely. “While it may not constitute end times for a business, an incident that can result in stolen data, diminished customer confidence, reputational harm, compliance penalties and legal fees isn’t exactly a drop in the bucket either,” states Dan Kaplan, writing for Trustwave’s blog. For small to mid-size businesses, protecting this business-critical data can seem challenging, but there are some very practical steps you can take to increase the safety of your company’s business-critical records.
Here are three common cybersecurity mistakes and how you can avoid them:
- Not Taking Passwords Seriously
One of the most common cybersecurity mistakes is the use (or misuse) of passwords within an organization. Unfortunately, it may be you or one of your colleagues who is the weakest link in your cybersecurity efforts. Lack of training, ineffective security guidelines, and sheer negligence can be to blame. Many workers use passwords that are simple to guess, like “password” or “123456.” Others keep their passwords written on paper left in plain view, or use the same password across multiple accounts and devices. Any of these actions can create a virtual “back door” for attackers and make access to your organization’s network frighteningly easy.
In a 2016 survey by SailPoint, a firm that manages user access for businesses, 1,000 professionals across six nations were polled about their password habits. The findings showed that 65% of the respondents use a single password across all applications, and one in three share their credentials with colleagues. More disturbing still, 20% of respondents said they would sell their passwords, and 44% of that subset would be willing to sell them for less than $1,000.
Solution: Educate your employees and hold them accountable. Commit to ongoing cybersecurity training across your organization, and ensure everyone understands their particular role and responsibilities. Establish strong password protocols as part of your security guidelines, conduct regular “checkups” on password security, and explain the need for secure passwords on personal devices as well. This eliminates the “I didn’t know” scenarios and cultivates a culture of security. To limit the damage a compromised account can do, follow the principle of least privilege and only provide credentials to those who truly need the access.
- Thinking It Won’t Happen to Your Company
Many people still don’t accept the reality of cybercrime and don’t believe a data breach can happen to them—perhaps because they think their business is too small or too unimportant to attract an attacker’s interest. This thought process is dangerous and can make your organization the next statistic. According to Jeremy Henley, director of breach services for ID Experts, “…many smaller business owners and managers assume that large organizations are the ones with targets on their backs and file that news away as ‘It could never happen to me,’ not realizing that many of those huge breaches actually started with a security issue at a smaller business.”
Solution: Be proactive, and remember, the best defense is a good offense. Meet with your IT staff and conduct a risk assessment for your organization. If you don’t already have an incident response plan, ask them to develop and test one—and then test it again. Conduct security training for new employees across all departments. Also, contact your vendors and managed service providers to include them in your security planning—this is especially critical for those who manage, host, or transmit electronic protected health information (ePHI) or other sensitive data, and need to maintain regulatory compliance.
- Dismissing BYOD (Bring Your Own Device) and Shadow IT Threats
BYOD is here to stay, and the related issue of shadow IT—a term describing the use of devices and software that are not authorized by the company’s IT department—is also prevalent in the workplace. According to a survey published by Cass Information Systems, Inc., 60% of respondents say the number of BYOD users at their organization has increased since last year, 85% claim to have at least some BYOD users, and 36% say they have 1,000 or more BYOD users.
You might be tempted to downplay the risks BYOD presents to your company. It’s possible your IT department is so busy it hasn’t yet developed policies to address BYOD and the related issues caused by shadow IT.
The 2016 BYOD and Mobile Security Spotlight Report, published by Crowd Research Partners, surveyed 800 security professionals to find out what influenced enterprise BYOD and mobile security. The respondents stated these top reasons for BYOD adoption: increased employee mobility (63%), higher employee satisfaction (56%), and productivity (55%). However, one in five of the survey participants also said their organizations had suffered a mobile security breach, primarily driven by malware and malicious Wi-Fi. The report describes how BYOD security threats impose heavy burdens on organizations’ IT resources and help desk workloads.
Despite documented increases in data breaches, mobile security threats and the rigors imposed by new compliance regulations, only 30% of the organizations surveyed plan to increase their security budgets for BYOD in the next 12 months, and 37% don’t have any plans to change their security budgets. In a world marked by a rapid increase in cybercrime, ignoring the reality of BYOD and shadow IT, and the risks they pose to security, is unwise and won’t protect you from harm.
Solution: Increase your security budget if necessary, and look to your IT department for guidance. BYOD and shadow IT should be addressed in your risk assessment and security guidelines. As a starting point, identify the extent of the BYOD and BYOA (Bring Your Own Applications) activity in your company. Develop policies to govern BYOD and BYOA usage when connecting to your network inside and outside of the office, and run audits regularly to stay on top of unauthorized usage. Your IT department may also want to block certain websites or programs that it has identified as a threat.
The work of maintaining a secure network and protecting your organization’s sensitive data is only getting more difficult as the number and sophistication of cyberattacks grows. There is no one simple answer, but there are practical steps you can take to avoid some of the cybersecurity problems companies are facing today.
Looking for an IT partner who will keep you focused on the security of your sensitive data? Our team of experts is always available to answer your questions or review how OnRamp’s compliant hosting or managed security services benefit your organization.