As 2018 draws to a close, it’s time to reflect on the strides the cybersecurity industry made over the past year, and how far companies around the world still have to go to improve their security posture. Throughout the year, businesses were plagued by cybersecurity risks and hit with massive data breaches. In the lead-up to the holiday season, security leaders across industries are wishing for a quiet 2019 with no negative data breach headlines.
5 Cybersecurity Missteps That Put Enterprises at Risk in 2018
What lessons did we learn in 2018? And as we look forward, what best practices can we implement to improve defenses in the new year? We asked industry experts where they observe the worst security practices that still leave enterprises exposed to cybersecurity risks, and they offered advice to help companies and users enjoy a merrier, brighter, more secure 2019.
1. Poor Password Policies
Although passwords are far from perfect as a security mechanism, they are still used pervasively in the enterprise and in personal life. Yet password policies are still rife with problems around the globe.
Idan Udi Edry, CEO of Trustifi, said the most foundational — and also most disregarded — cybersecurity practice is maintaining a strong password.
“A unique password should be utilized for every account and not reused,” said Edry. “It is important to update passwords every 30–90 days. Passwords should never include a significant word, such as a pet’s name, or a significant date, such as a birthdate.”
Deploying devices and appliances and then leaving default passwords in place is also still a shockingly common practice. A threat actor with knowledge of a manufacturer or service provider’s default password conventions can do a lot of damage to an organization with factory settings still in place.
Edry advised enterprises to employ two-factor authentication (2FA) to add more security to their access strategy. Douglas Crawford, digital privacy adviser for BestVPN.com, meanwhile, recommended encouraging employees to use a password manager.
“It is hard to remember strong passwords for every website and service we use, so people simply stop bothering,” said Crawford. “Use of ‘123456’ as a password is still scarily common. And then we use the same password on every website we visit. This [is] particularly irksome, as this entire security nightmare can be easily remedied through use of password manager apps or services, which do the heavy lifting for us.”
2. Misconfigured Cloud Storage
Earlier this year, researchers from Digital Shadows uncovered more than 1.5 billion sensitive files stored in publicly available locations, such as misconfigured websites and unsecured network-attached storage (NAS) drives.
“Unfortunately, many administrators misconfigure [these buckets] rendering the contents publicly-accessible,” wrote Michael Marriott, senior strategy and research analyst with Digital Shadows.
The information uncovered included a treasure trove of personal data, such as payroll, tax return and health care information — all available to prying eyes thanks to overlooked security best practices in cloud storage.
“With the rise of mobility and cloud usage in enterprises, one of the worst security practices is leaving critical cloud services and SaaS applications open to the internet,” said Amit Bareket, co-founder and CEO of Perimeter 81.
It’s time to get proactive to analyze potential exposures in storage and then devise a plan to address cloud data risks to your organization. It’s also important to remember that with any connected service, it is often better not to deploy than to deploy insecurely.
3. Ineffective Cyber Awareness Training
Security begins and ends with your employees — but how much do they know about security? Specifically, how much do they know about the risks they are facing and how their actions could set your business up for a potential incident?
“At this time of the year, it’s critically important to ensure proper employee awareness of the risks related to travel,” said Baan Alsinawi, president and founder of TalaTek, a Washington-based risk management firm. “Using public Wi-Fi at airports or hotels to access corporate data, possible loss of personally-held devices such as an iPad, iPhone or corporate laptop, especially if not encrypted, talking to strangers about work issues or projects over a glass of wine can expose confidential information.”
Of course, a robust awareness program needs to be in place year-round. Data from London-based advisory and solutions company Willis Towers Watson found that employees are the cause of 66 percent of all cyberbreaches, either through negligence or deliberate offense.
Employees should be regularly educated on phishing, social engineering techniques and other attack vectors that could put corporate data at risk. If awareness training isn’t part of your security strategy, 2019 is the time to learn what an effective awareness program looks like and implement one to promote security best practices in your organization.
4. Poor Oversight of Third-Party Cybersecurity Risks
Third-party vendors and partners can be a source of compromise if criminals can access your organization’s sensitive information through their poorly secured systems. If you’re working with third-party vendors and partners, your security is only as good as theirs. If their systems are breached, your data is also at risk.
“Attackers seeking access to hardened company systems can pivot to breaching an integrated third party, establishing a beachhead there and then leveraging the trust implicit in the integration to gain access,” explained Ralph R. Russo, director of applied computing programs and professor of practice of IT management and cybersecurity at Tulane University School of Professional Advancement.
In 2019, evaluate the state of your third-party risk management. Make it a priority to identify gaps that may put you at risk if you are working with less-than-secure vendors. Implement a vigorous vetting process to determine the security level of your trusted partners.
5. Lack of an Incident Response Plan
A formal, regularly tested cybersecurity incident response plan is essential, yet many organizations continue to operate without one. In fact, 77 percent of companies do not have any formal plan.
Without a written and tested incident response plan, you’re unprepared for the worst-case scenario. It is not enough to focus on prevention; it is essential to establish a comprehensive incident response plan that is clear, detailed, flexible, includes multiple stakeholders, and tested and updated regularly.
Improve Your Security Posture in 2019 and Beyond
If your organization engages in any of these poor practices, it may be time to brush up on your basic cyber hygiene best practices. By following the recommendations outlined here, you can confidently resolve to close gaps in risk mitigation and establish more effective strategies to improve your company’s security posture in 2019 and beyond.