
The 6 Biggest Business Security Risks - Solved!


Many companies are still not adequately protecting their data from security breaches. The following are the six biggest risks to the security of your company’s data, and the solutions that minimise risk of exposure. 

1. Third Party Services

As technology becomes more complex, support and maintenance of specific systems are often outsourced to specialist providers. Remote access tools that connect these services to your company network aren’t guaranteed to be secure. Remote vendor access channels can be exploited if a contractor’s login credentials are stolen, even if the contractor has no malicious intent.

Third party services are often unvetted and may not be using security best practices. A data breach is likely to start with insecure low-level access and then pivot to other devices on the network.

So while critical servers may be kept clean of Internet malware, there is a vulnerability if less secure systems are not properly segmented.

The Solution

  • Verify that data security best practice is used for remote access to third party services
  • Enforce multi-factor authentication on third party sites
  • Ensure unique log-in credentials are required for each user of third party services
  • Set least-privileged permissions by default
  • Log a complete audit trail of all remote access activity
  • Monitor failed login attempts
  • Set up immediate red flag alerts for when an attack is detected
  • Disable third party accounts when they are no longer needed.
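
The monitoring points above (audit trail, failed logins, red flag alerts, disabled accounts) can be combined in one check. The following is an added example, not part of the original article; the log format, account names, threshold and window are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, account, source IP, result.
SAMPLE_LOG = """\
2024-03-01T09:00:05 vendor-hvac 203.0.113.7 FAIL
2024-03-01T09:00:09 vendor-hvac 203.0.113.7 FAIL
2024-03-01T09:00:14 vendor-hvac 203.0.113.7 FAIL
2024-03-01T09:00:20 vendor-hvac 203.0.113.7 FAIL
2024-03-01T09:00:26 vendor-hvac 203.0.113.7 FAIL
2024-03-01T09:01:02 vendor-hvac 203.0.113.7 OK
2024-03-01T09:15:00 vendor-print 198.51.100.4 FAIL
2024-03-01T09:15:30 vendor-print 198.51.100.4 OK
2024-03-01T10:02:11 vendor-old 192.0.2.50 OK
"""

DISABLED = {"vendor-old"}       # assumed: contract ended, account should be off
THRESHOLD = 5                   # assumed: failures that trigger an alert
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures

def find_alerts(log_text, disabled=DISABLED, threshold=THRESHOLD, window=WINDOW):
    """Return (timestamp, account, reason) tuples for red-flag events."""
    alerts = []
    recent_failures = defaultdict(deque)  # account -> failure times in window
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        stamp, account, _ip, result = parts
        when = datetime.fromisoformat(stamp)
        if account in disabled:
            alerts.append((stamp, account, "disabled-account-activity"))
            continue
        failures = recent_failures[account]
        while failures and when - failures[0] > window:
            failures.popleft()  # drop failures older than the window
        if result == "FAIL":
            failures.append(when)
            if len(failures) == threshold:
                alerts.append((stamp, account, "failed-login-burst"))
        else:
            if len(failures) >= threshold:
                alerts.append((stamp, account, "success-after-burst"))
            failures.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A successful login straight after a burst of failures is reported separately, because it is the case that most needs immediate follow-up.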

2. Cloud Apps

Company data stored in a third party cloud is automatically a risk, as the practices of the third party are outside of your control. Cloud resources are shared with other users, and data is transferred over a network you do not manage. If a cloud facility is compromised, your data could be breached.

The Solution

  • Ensure any cloud apps you use have strong encryption, such as AES 256-bit, at data level in the cloud
  • Encryption keys for these services should only exist within your environment, so that even data on the public cloud can’t be accessed by third parties.

3. Unpatched Devices

Software or firmware employed by network devices like servers, printers, and routers can become an access point for attackers if a known security vulnerability is not patched. A patch may not be available for a vulnerability that has only recently been discovered, and some hardware has no system for updating firmware.

Providers will often end support for obsolete systems, and network servers running on unsupported systems are a prime target for hackers. 

The Solution
  • Use a patch management programme to ensure software and devices are kept up to date
  • Use vulnerability management technology to reveal what systems are outdated on your network
  • Employ a policy that calls for equipment to be updated or patched after a certain amount of time, or taken offline
  • When it is announced that a critical system you use will no longer be supported, plan and implement a migration strategy, prioritising high risk systems.

4. Bring Your Own Device

A study by BT showed that 41% of UK organisations are affected by mobile device security breaches. BYOD or corporately-owned personally-enabled devices are used for work purposes by 95% of organisations in the UK.

If an unsafe consumer app installs malware or other trojan software on a mobile device, the corporate network or VPN is exposed to an attack behind the firewall. Data theft is also more likely if employees use their own devices for work and don’t keep their personal mobile security up to date with the company policy.

The Solution
  • Make your BYOD policy clear and visible
  • Use containerisation to encrypt corporate data and protect access to company systems, while respecting the privacy of users' data.
  • Consider using hybrid clouds to manage devices and the sharing of data in a controllable environment separate to the user’s consumer apps and private data.
  • Monitor emails and documents shared by personal mobile devices to prevent data loss risk, and identify exposures if a breach occurs.

5. Lack of Training/Mistakes by Employees

Many employees are not trained in security best practices, or are trained once but not kept up-to-date. Even computer literate employees often have weak passwords, click on links in baiting emails, open attachments from unknown senders, or visit unsafe websites. 

It’s impossible to eliminate careless mistakes, but procedures can be put in place to prepare for and minimise them.

The Solution
  • Use a Single Sign-On/Password Management system to ensure weak passwords are not in use by employees for business accounts
  • Train employees on data security best practices, including identifying and avoiding keylogger and phishing scams
  • Update training periodically and provide resources for ongoing support
  • Include validated encryption in your security strategy, so that if a device is exposed, the decryption key for company data can be selectively wiped
  • As much as possible, use multifactor authentication such as one time passwords, smart cards, RFID, or fingerprint and retina scanning to minimise the risk of a data breach.

6. Disgruntled Employees

Internal attacks from unhappy employees, or ex-employees, represent a serious threat to your data. The IT team, in particular, often have administrative access to a wide number of systems, networks and data centres.

The Solution
  • Manage and monitor an inventory of accounts with security privileges
  • Create protocols that ensure that the creation of new privileged accounts is logged in the inventory
  • Establish a process for reviewing accounts and credentials regularly to remove employees who have left the company or changed role
  • Remove access to accounts and credentials as a priority on dismissal of employees
  • A Single Sign-On solution facilitates the above processes.
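
The account review described above can be run as a reconciliation between three sources: the privileged-account inventory, the HR roster, and the accounts that actually hold privileges. The following is an added example, not part of the original article; the CSV columns, account names and the three finding categories are assumptions, and all data is constructed.

```python
import csv
import io

# Constructed sample inventory: who owns each privileged account and the
# role they held when the privilege was granted.
INVENTORY_CSV = """\
account,owner,role_at_grant
adm-jsmith,jsmith,sysadmin
adm-akhan,akhan,sysadmin
adm-lchen,lchen,dba
"""

# Constructed sample HR roster.
HR_CSV = """\
employee,status,role
jsmith,left,sysadmin
akhan,active,developer
lchen,active,dba
"""

# Constructed list of accounts the directory reports as privileged.
DIRECTORY_PRIVILEGED = ["adm-jsmith", "adm-akhan", "adm-lchen", "adm-temp01"]

def review_privileged_accounts(inventory_csv, hr_csv, directory_accounts):
    """Classify privileged accounts that need action at review time."""
    hr = {r["employee"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    inventory = {r["account"]: r
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    findings = {"revoke": [], "review_role": [], "unlogged": []}
    for account in directory_accounts:
        entry = inventory.get(account)
        if entry is None:
            # Privileged account created without being logged in the inventory.
            findings["unlogged"].append(account)
            continue
        person = hr.get(entry["owner"])
        if person is None or person["status"] != "active":
            # Owner has left or is unknown to HR: remove access first.
            findings["revoke"].append(account)
        elif person["role"] != entry["role_at_grant"]:
            # Owner changed role since the privilege was granted.
            findings["review_role"].append(account)
    return findings

if __name__ == "__main__":
    print(review_privileged_accounts(INVENTORY_CSV, HR_CSV, DIRECTORY_PRIVILEGED))
```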

If you believe your company may be at risk of data breach based on one of these threats:

  1. Conduct a risk assessment to work out where your most valuable data is stored, and what procedures and controls can be put in place to keep it protected
  2. Put together a thorough incident response plan that covers disaster recovery and business continuity, with input from and instructions for IT, legal, PR and management
  3. Test the incident response plan, and update it periodically.
