Did you know that not all cybersecurity vulnerabilities are technical?
Yes – endpoint detection and response (EDR), antispam, firewalls and the like are important components of your cybersecurity defenses. But so are policies! A sophisticated cybersecurity defense strategy evolves beyond technical defenses and includes people and policies as a major component of the defense.
Cyber attackers are looking to exploit any vulnerability at your organization to steal information, hold your data ransom, and/or disrupt your operations. It’s important to examine what security vulnerabilities exist and what policies you need to eliminate or lessen these vulnerabilities.
Let’s look at five key areas where your organization may have security vulnerabilities—made worse if no policy exists.
1. Software, application, and system vulnerabilities
Without auditing, evaluation, and oversight of your applications and systems, you may have security vulnerabilities that leave you open to attack. Some areas needing policies include:
- Patching and updates: This is critically important. Too many easily avoidable cyber attacks are successful because organizations fail to patch and update software and applications. Make patching and updating a mandatory part of your IT activities.
- Outdated, old, or obsolete software: Vendors stop supporting software after a specific period of time. After the support goes away, you don’t get patches, updates, and other support. Sometimes, IT engineers can sort of maintain this software without official vendor support. However, over time the software inevitably becomes riddled with security flaws. You need a policy for keeping software modernized and supported.
- Unauthorized software: Sadly, some organizations use unauthorized software. When you don’t pay for it and/or use pirated copies, you are not getting vendor-approved patches and updates. This leaves you open to security risks.
- Code and database vulnerabilities: If software or an application is written poorly, then you may expose yourself to security vulnerabilities. Auditing your software and applications for security vulnerabilities at the code level will help you identify points where cyber attackers can attack.
2. Authentication and authorization
Who do you allow to access your systems? And how do you allow them to access these systems? Strong policies address these questions appropriately to limit risk. Important areas include:
- Passwords: Weak password (or no password) policies give cyber attackers an easy way into your systems. Understanding best practices for strong passwords, password managers, and Multi-Factor Authentication (MFA) is critical to protecting accounts.
- User access: Too many times, all employees may be given admin access to an application. Or, you may give out user accounts to applications without much thought—and then not track who has access. User access to applications, servers, and systems needs oversight and policies that define who and why someone is authorized to access something.
- Vendor access: Reported in a recent article from Threatpost, “61 percent of respondents in a recent survey said they’re unsure if partners, contractors, suppliers, and others are accessing or attempting to access unauthorized data. […] Further, the majority (72 percent) of organizations grant these users privileged or superuser permissions, giving them administrative access to sensitive information.” Many successful cyber attacks are the result of poor security related to vendors. As a result, you need policies that limit and restrict vendor access to your systems.
3. Network
Your network is comprised of your computers, servers, switches, routers, cables, and firewalls. That’s a lot of hardware—and each piece can open you up to security vulnerabilities if you do not have well-crafted policies in place. A few common weaknesses include:
- No monitoring: Data such as network traffic can reveal suspicious activity and anomalies. Without IT professionals monitoring your networks, you could have intruders within your system and never know until an incident happens.
- Misconfiguration: When network hardware is misconfigured, you open yourself up to security vulnerabilities. For example, your firewall might have ports open that give cyber attackers easy access to your network, or a server might not be protected with a strong password for administrative access.
- Lack of processes and technical controls: How do you handle changes to your network? Do you have documented processes, including from vendors? Having processes and technical controls ensures that you are following strict security procedures when doing anything with your network.
4. Devices
Devices used by your employees are often the most unsecured parts of your IT systems. That’s because, unlike a server or firewall, these devices are usually mostly controlled by the user who can make errors that allow the device to become compromised. Some examples include:
- Computers, laptops, tablets, and smartphones: If employees are using these devices for work, then these devices are at risk for compromise. Without some IT oversight and management, employees can easily download viruses, expose sensitive information, and place your entire network at risk.
- Wireless routers: Often overlooked as a security risk, wireless routers are often treated as consumer devices. When set up improperly, they become a great stepping stone for hackers to enter your systems.
- Printers and copiers: It’s easy to think of printers and copiers as machines that only perform a few basic tasks. However, modern printers and copiers connect to the internet, offer wireless capabilities, and save scanned electronic images. As hackable devices, printers and copiers can allow a cybercriminal to see all documents you print and scan if you fail to secure these devices.
5. People
No matter what IT magic you perform on your hardware, software, systems, and network, one error made by a person can mess it all up. According to a study by Data Center Knowledge, “‘Employees lacking security awareness’ was named as the single greatest threat to security by 50 percent of respondents. The next biggest threat, cybercriminals, was far behind at just 18 percent.”
Employees need training that focuses on key areas where they are likely to make errors that open your organization up to cyber attackers:
- Cyber hygiene: Employees need to become savvier online so that they aren’t as likely to click on malicious links or attachments. We like to encourage clients to be click cautious, not click curious.
- Scams: This includes everything from email phishing where scammers try to trick employees into giving up sensitive information to social engineering where scammers try to get something like a password from an employee over the phone.
- Policies and procedures: Employees need to understand the importance of following security policies and procedures such as mandating that vendors follow a specific process to receive online payments or requiring employees to reset a password by a secure process online rather than sharing a new password over the phone.
Takeaway – Do These Things Today
If the following six items are not currently part of your cybersecurity plan, then these will be the most impactful actions you can take today to improve your defenses.
- Get an acceptable use policy in place (you can find some online for free)
- Implement user awareness training
- Implement endpoint detection and response
- Make 1000% sure your data is backed up EACH night and automatically sent offsite
- Implement a password policy
- Implement Multi-Factor Authentication
Creating strong, clear, detailed security policies and then following these policies will go a long way toward helping you eliminate security vulnerabilities. Otherwise, security vulnerabilities will pop up that threaten your ability to comply with the law, increase your chance of a cyber attack, and disrupt your operations for days, weeks, or months.
Need help assessing your current cybersecurity policies?
Reach out to us today and we can schedule an initial call to discuss your current cybersecurity strategy and where you want to go.