Many companies are still not adequately protecting their data from security breaches. The following are the six biggest risks to the security of your company’s data, and the solutions that minimise risk of exposure.
1. Third Party Services
As technology becomes more complex, support and maintenance of specific systems are often outsourced to specialist providers. Remote access tools that connect these services to your company network aren’t guaranteed to be secure. Remote vendor access channels can be exploited if a contractor’s login credentials are stolen, even if the contractor has no malicious intent.
Third party services are often unvetted and may not be using security best practices. A data breach is likely to come via insecure low level access, pivoting to other devices on the network.
So while critical servers may be kept clean of Internet malware, there is a vulnerability if less secure systems are not properly segmented.
- Verify that data security best practice is used for remote access to third party services
- Enforce multi-factor authentication on third party sites
- Ensure unique log-in credentials are required for each user of third party services
- Set least-privileged permissions by default
- Log a complete audit trail of all remote access activity
- Monitor failed login attempts
- Set up immediate red flag alerts for when an attack is detected
- Disable third party accounts when they are no longer needed.
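The audit-trail, failed-login and alerting points above are easiest to see on real log data. The following is an added example written for this article (not code from the original author): it runs a simple detector over a few constructed sshd log lines from a hypothetical jump host that contractors use. The account name `vendor-svc`, the hosts and the addresses are all made up; the threshold of three failures is an assumed policy value, and a success that follows a run of failures from the same source is flagged as well, since that pattern is what a stolen or guessed contractor credential looks like.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample sshd log lines (not real data) from a jump host that
// third-party support contractors use for remote access.
const sampleAuthLog = `Mar 10 09:01:12 jump sshd[2231]: Failed password for vendor-svc from 203.0.113.10 port 51022 ssh2
Mar 10 09:01:15 jump sshd[2231]: Failed password for vendor-svc from 203.0.113.10 port 51023 ssh2
Mar 10 09:01:19 jump sshd[2231]: Failed password for vendor-svc from 203.0.113.10 port 51024 ssh2
Mar 10 09:01:22 jump sshd[2231]: Failed password for vendor-svc from 203.0.113.10 port 51025 ssh2
Mar 10 09:01:26 jump sshd[2231]: Failed password for vendor-svc from 203.0.113.10 port 51026 ssh2
Mar 10 09:01:30 jump sshd[2231]: Accepted password for vendor-svc from 203.0.113.10 port 51027 ssh2
Mar 10 09:05:01 jump sshd[2240]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar 10 09:06:44 jump sshd[2250]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
Mar 10 09:07:10 jump sshd[2251]: Failed password for bob from 198.51.100.7 port 40100 ssh2`

var (
	failedRe   = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\S+) port`)
	acceptedRe = regexp.MustCompile(`Accepted \S+ for (\S+) from (\S+) port`)
)

// Alert describes one user/source pair that needs a human look.
type Alert struct {
	User           string
	Source         string
	Failures       int
	SucceededAfter bool // a login succeeded after the failures: possible guessed credential
}

type tally struct {
	failures       int
	succeededAfter bool
}

// Analyse walks the log once, tallies failed logins per user@source, and
// returns an alert for every pair that reached the failure threshold or whose
// failures were followed by a successful login from the same source.
func Analyse(logText string, threshold int) []Alert {
	tallies := map[string]*tally{}
	var order []string // first-seen order keeps the output deterministic
	for _, line := range strings.Split(logText, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			key := m[1] + "@" + m[2]
			t, ok := tallies[key]
			if !ok {
				t = &tally{}
				tallies[key] = t
				order = append(order, key)
			}
			t.failures++
			continue
		}
		if m := acceptedRe.FindStringSubmatch(line); m != nil {
			if t, ok := tallies[m[1]+"@"+m[2]]; ok && t.failures > 0 {
				t.succeededAfter = true
			}
		}
	}
	var alerts []Alert
	for _, key := range order {
		t := tallies[key]
		if t.failures >= threshold || t.succeededAfter {
			parts := strings.SplitN(key, "@", 2)
			alerts = append(alerts, Alert{User: parts[0], Source: parts[1], Failures: t.failures, SucceededAfter: t.succeededAfter})
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyse(sampleAuthLog, 3) {
		fmt.Printf("ALERT user=%s source=%s failures=%d success_after_failures=%v\n",
			a.User, a.Source, a.Failures, a.SucceededAfter)
	}
}
```

On the sample data only the contractor account trips the detector: five failures followed by a success from the same address. The single failures for `admin` and `bob` stay below the threshold, which is the trade-off any such rule makes between noise and coverage; in production the same logic would feed a SIEM rather than print to the console.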
2. Cloud Apps
Company data stored in a third party cloud is automatically a risk, as the practices of the third party are outside of your control. Cloud resources are shared with other users, and data is transferring over a network you do not manage. If a cloud facility is compromised, your data could be breached.
- Ensure any cloud apps you use have strong encryption, such as AES 256-bit, at data level in the cloud
- Encryption keys for these services should only exist within your environment, so that even data on the public cloud can’t be accessed by third parties.
3. Unpatched Devices
Software or firmware employed by network devices like servers, printers, and routers can become an access point for attackers if a known security vulnerability is not patched. A patch may not be available for a vulnerability that has only recently been discovered, and some hardware has no system for updating firmware.
Providers will often end support for obsolete systems, and network servers running on unsupported systems are a prime target for hackers.
The Solution
- Use a patch management programme to ensure software and devices are kept up to date
- Use vulnerability management technology to reveal what systems are outdated on your network
- Employ a policy that calls for equipment to be updated or patched after a certain amount of time, or taken offline
- When it is announced that a critical system you use will no longer be supported, plan and implement a migration strategy, prioritising high risk systems.
4. Bring Your Own Device
A study by BT showed that 41% of UK organisations are affected by mobile device security breaches. BYOD or corporately-owned personally-enabled devices are used for work purposes by 95% of organisations in the UK.
If an unsafe consumer app installs malware or other trojan software on a mobile device, the corporate network or VPN is exposed to an attack behind the firewall. Data theft is also more likely if employees use their own devices for work and don’t keep their personal mobile security up to date with the company policy.
The Solution
- Make your BYOD policy clear and visible
- Use containerisation to encrypt corporate data and protect access to company systems, while respecting the privacy of users' data.
- Consider using hybrid clouds to manage devices and the sharing of data in a controllable environment separate to the user’s consumer apps and private data.
- Monitor emails and documents shared by personal mobile devices to prevent data loss risk, and identify exposures if a breach occurs.
5. Lack of Training/Mistakes by Employees
Many employees are not trained in security best practices, or are trained once but not kept up-to-date. Even computer literate employees often have weak passwords, click on links in baiting emails, open attachments from unknown senders, or visit unsafe websites.
It’s impossible to eliminate careless mistakes, but procedures can be put in place to prepare for and minimise them.
The Solution
- Use a Single Sign-On/Password Management system to ensure weak passwords are not used by employees for business accounts
- Train employees on data security best practices, including identifying and avoiding keylogger and phishing scams
- Update training periodically and provide resources for ongoing support
- Include validated encryption in your security strategy, so that if a device is exposed, the decryption key for company data can be selectively wiped
- As much as possible, use multifactor authentication such as one time passwords, smart cards, RFID, or fingerprint and retina scanning to minimise the risk of a data breach.
6. Disgruntled Employees
Internal attacks from unhappy employees, or ex-employees, represent a serious threat to your data. The IT team, in particular, often have administrative access to a wide number of systems, networks and data centres.
The Solution
- Manage and monitor an inventory of accounts with security privileges
- Create protocols that ensure that the creation of new privileged accounts is logged in the inventory
- Establish a process for reviewing accounts and credentials regularly to remove employees who have left the company or changed role
- Remove access to accounts and credentials as a priority on dismissal of employees
- A Single Sign-On solution facilitates the above processes.
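The inventory and review steps above amount to a reconciliation: every privileged account is checked against the HR roster and against a policy of which roles may hold which privilege. The following is an added example written for this article (not the author's code or any identity product): it runs that reconciliation over a constructed roster and inventory and reports accounts whose owner has left, has changed role, is unknown, or is missing altogether (a shared account). The employees, account names, systems and the `allowedRoles` policy are all made up for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is one row of the HR roster (constructed sample data).
type Employee struct {
	ID     string
	Name   string
	Role   string
	Active bool
}

// PrivilegedAccount is one row of the privileged-account inventory.
type PrivilegedAccount struct {
	Account   string
	OwnerID   string // empty for a shared account with no named owner
	System    string
	Privilege string
}

// Finding is one account that the review says should be disabled, revoked
// or assigned an owner.
type Finding struct {
	Account string
	System  string
	Reason  string // "leaver", "role-change", "orphaned" or "shared"
}

// Assumed policy for the example: which roles may hold which privilege.
var allowedRoles = map[string][]string{
	"domain-admin": {"sysadmin"},
	"db-admin":     {"dba", "sysadmin"},
}

var roster = []Employee{
	{ID: "E1", Name: "Alice", Role: "sysadmin", Active: true},
	{ID: "E2", Name: "Bob", Role: "dba", Active: true},
	{ID: "E3", Name: "Carol", Role: "developer", Active: true}, // moved from dba to developer
	{ID: "E4", Name: "Dave", Role: "sysadmin", Active: false},  // left the company
}

var inventory = []PrivilegedAccount{
	{Account: "alice-adm", OwnerID: "E1", System: "active-directory", Privilege: "domain-admin"},
	{Account: "bob-dba", OwnerID: "E2", System: "prod-db", Privilege: "db-admin"},
	{Account: "carol-dba", OwnerID: "E3", System: "prod-db", Privilege: "db-admin"},
	{Account: "dave-adm", OwnerID: "E4", System: "active-directory", Privilege: "domain-admin"},
	{Account: "svc-backup", OwnerID: "E9", System: "backup-server", Privilege: "domain-admin"},
	{Account: "root-shared", OwnerID: "", System: "jump-host", Privilege: "domain-admin"},
}

func roleAllowed(role, privilege string, allowed map[string][]string) bool {
	for _, r := range allowed[privilege] {
		if r == role {
			return true
		}
	}
	return false
}

// ReviewPrivilegedAccounts reconciles the inventory against the roster and
// the role policy, returning findings sorted by account name.
func ReviewPrivilegedAccounts(roster []Employee, inv []PrivilegedAccount, allowed map[string][]string) []Finding {
	byID := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byID[e.ID] = e
	}
	var findings []Finding
	for _, acct := range inv {
		reason := ""
		switch owner, ok := byID[acct.OwnerID]; {
		case acct.OwnerID == "":
			reason = "shared" // no named owner: cannot be tied to a person on dismissal
		case !ok:
			reason = "orphaned" // owner ID unknown to HR
		case !owner.Active:
			reason = "leaver" // owner has left: disable immediately
		case !roleAllowed(owner.Role, acct.Privilege, allowed):
			reason = "role-change" // owner's current role no longer entitles them to this privilege
		}
		if reason != "" {
			findings = append(findings, Finding{Account: acct.Account, System: acct.System, Reason: reason})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings
}

func main() {
	for _, f := range ReviewPrivilegedAccounts(roster, inventory, allowedRoles) {
		fmt.Printf("%-12s %-18s %s\n", f.Account, f.System, f.Reason)
	}
}
```

Run against the sample data, the two accounts whose owners are active and correctly entitled pass, and four findings come out: Carol's database admin account after her move to development, Dave's domain admin account after he left, a service account whose recorded owner HR has never heard of, and a shared root account with no owner at all. The last two are the cases a manual review tends to miss, which is why the inventory needs an owner field and the review needs to run on a schedule, not just when someone is dismissed.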
If you believe your company may be at risk of data breach based on one of these threats:
- Conduct a risk assessment to work out where your most valuable data is stored, and what procedures and controls can be put in place to keep it protected
- Put together a thorough incident response plan that covers disaster recovery and business continuity, with input from and instructions for IT, legal, PR and management
- Test the incident response plan, and update it periodically.
Have a question about your business security? Get free advice from our Identity Experts.