Twenty-fourteen was marked the “year of the breach”, due to the number of high profile data breaches that affected so many organisations worldwide.
Attackers were found to be siphoning data over days, months and in many cases years, adding to the fear of social engineering being a prime method of introducing malware into an organisation and presenting the challenge of how organisations should best deal with targeted attacks.
The increase seen in 2014 raised the question of whether hackers were becoming increasingly sophisticated in their attacks, or in fact whether businesses were dropping the ball due to the complex nature of managing their networks, applications, databases and technologies while lacking resources when it comes to security?
Some of the most common mistakes made by businesses in 2014 include:
- Misconfiguration issues: The use of weak passwords, using the same password for multiple logins, failing to configure a firewall properly so that it’s blocking unapproved outbound traffic, failing to run up-to-date anti-virus or anti-malware software can all make the business an easy target for the attacker. Such issues are easily fixable but businesses continue to overlook them.
- Lack of resources: We continue to see in-house IT teams purchasing security technologies, only to realise when they arrive that the team doesn’t have the time or manpower or skill sets to make sure the technologies are installed, updated, monitored and continuously working properly. The technologies end up collecting dust on the shelf.
- Security weaknesses across third party providers: Findings from our 2014 State of Risk Report highlighted that more than half of businesses use third parties to manage sensitive data, however many businesses are unaware that their third party provider isn’t necessarily adhering to security best practices making them higher risk of being attacked.
- Lack of segmentation: Often, businesses use their network without the correct level of segmentation to transport all their sensitive and non-sensitive data. Transporting sensitive and non-sensitive data through the same networking channels makes sensitive data easier to access for the cyber criminal. Businesses must segment their networks and use different networking channels, so that those carrying sensitive information are separated from those with non-critical information.
- Non-existent or unpractised incident response readiness plans: Findings from our report revealed that more than a third of businesses don’t actually have an incident response procedure in place. Therefore when an attack happens, organisations don’t know who to call, what to do next, how to contain it and critical steps to minimise the damage. Implementing and testing an incident response plan can help businesses identify and remediate security weaknesses, detect compromises faster and minimise the damage from a breach.
To remediate these common weaknesses, there are simple steps that businesses can take. It is the responsibility of the business and third party provider to use methods such as:
- Setting up and introducing complex passwords or using passphrases throughout the organisation.
- Enabling two factor authentication for access on all systems and processes.
- Following security best practices such as:
- Perform regular risk assessments to identify where their valuable data lives and moves and any attack vectors for data and infrastructure. All risk assessments should cover people, process and technologies.
- Perform vulnerability scanning on a regular basis (at least monthly) across all assets followed by penetration testing at least quarterly for the most critical assets to identify and remediate security weaknesses.
- Deploy technologies to protect all attack vectors and augment their in-house staff by partnering with a third party team of experts to help ensure they have enough manpower and skillsets to make sure those technologies are installed, fine-tuned and continuously working properly.
- Create and practice an incident response plan so if there is a breach, the business knows what steps to take to contain it and minimise the damage.
It is clear to see that no one is immune to an attack; however the more difficult an organisation makes it for a criminal to succeed, the greater the chance of the criminal moving onto another victim.
Michael Aminzade is vice president of global compliance and risk services at Trustwave.