When we think about cyber security risks, we always think about the external. As a society, we see countless hacking scandals facing major corporations across the world. As a marketplace, we are told the threat of DDoS, phishing and Man in the Middle attacks are ever evolving. To protect ourselves and our companies, we harden security measures, continually update firewalls and make sure our encryption solutions are constantly growing to stay current with external threats.
And yet, the one measure we never think about, ourselves, is the one factor that causes more security protocols to fail than any other. In this quick blog, we are going to speak to the best practices to avoid common self imposed cyber risks.
1.Lack of Education
Easily the largest reason why we are our own worst enemies is a lack of cyber security education. Employees come to work to accomplish goals, makes sales and increase productivity. They don’t come to work thinking about phishing scams or man in the middle attacks.
For this reason, the number one cause of all human cyber security concerns is lack of education. Due to this, every company should invest in internal risk prevention education for their employees. This means a full crash course in understanding the type of emails not to open, the type of links to avoid and the websites to steer clear of.
Cyber security attacks are going to happen. The last thing any organization needs is for an ill informed employee to open a spam email which allows a trojan to infect your network and crash your systems. Do yourself a favor and invest in employee cyber threat education.
2. Staying Up to Date with Security Patches
Here are some scary statistics for you:
- 12% of security attacks are a direct result of IT teams failing to keep up-to-date with application security patches.
- In 2014, an average of 19 application/program security new vulnerabilities were reported per day equating to a total of more than 7,000 new threats.
- Of the more than 7,000 new threats added in 2014, 24% were rated as extremely severe.
- Of the more than 7,000 new threats added, 80% target third party applications, 13% target operating systems and 4% target hardware devices.
- Beyond that, popular web browsers like Chrome, Internet Explorer, FireFox and Safari all rank in the top applications targeted by hackers. Of those, a 2013 Kapersky study found 93.01% of online attacks come from malicious URL’s and the Apple Safari showed the longest period of time between security patches – 54 days.
- Finally, the same Kapersky study found FireFox shows the highest amount of security vunerabilities (270), followed by Google Chrome (245), Internet Explorer (126), Safari (75) and Opera (11).
The bottom line here is staying current with security patches is best practice. There is a reason you pay an internal IT team or external MSP to handle your security efforts. If your network gets hacked because someone on your team forgot to stay current with a noted security patch, you have no one to blame except yourself and human error.
Some employees might be tricked into downloading a trojan virus due to lack of education. That can be forgiven. However, the IT team member who fails to update security patches on account of laziness, can not.
3. Effective Password Management
Passwords are as simple and fundamental as it gets. We have all seen the reports and heard the stories that the most popular passwords employees and individuals use are rudimentary simple. With passwords like “123456”, “password” and dates of birth, it isn’t hard for hackers to target a large sampling of employees and hack into a network by simply guessing the most popular passwords of the year.
As Gizmodo notes almost every year, when it comes to password security risks, we are all idiots.
For this reason, employees must be taught the following in terms of password security best practices:
- All passwords have to be complicated. This means they must be longer than 10 digits, must contain both upper and lower case letters, must contain multiple numbers and must contain multiple symbols. “Password” isn’t a strong password yet CPa3@847FyT2* is.
- All passwords have to be changed on a short term repeating basis. This means while CPa3@847FyT2* is a great password, it’s only useful for a limited period of time of roughly 45 days. All employees connected to a network must be prompted by their IT team to change their passwords with routine frequency to avoid any outsiders from guessing correctly and hacking into a network.
- All passwords must be stored in an encrypted, firewall protected server outside of your corporate network. This is done to make sure your DB server isn’t hacked and accessed if/when your overall network is compromised. It is up to your network admins to make sure your password DB server is safe and secure.
4. Network Access Protocols
Lastly, we want to talk about the error employees and companies make when employees access corporate data while outside the corporate firewall. No matter where you are, access into your network must be encrypted at point of entry, point of exit and throughout transit. All employees and IT team members must look at network access without the use of encrypted tunneling protocols – more commonly know as VPN – as a major security risk.
As a result, for any organization with employees working outside of the corporate firewall, a secure VPN must be established. To be fully secure, virtual private network access must be applied to every device seeking network access regardless of location.
To fully secure your network, companies have to make sure employees are accessing the corporate network by way of secure tunneling protocols provided by a third party provider – like Cisco and Citrix – or by their cloud hosting MSPs in charge of building, managing and securing said network.
As you can imagine, there are additional security practices to protect your network from human error, yet these four major points – employee education, staying current with patches, proper password management and VPN data access – are critical components to avoiding any mistakes.
For more insights on today’s cyber threats and how to protect yourself against them download the 2015 Alert Logic Cloud Security Report.