As business leaders learn more about cybersecurity, there will still inevitably be mistakes. The important thing is to keep learning and review practices regularly.
In a world where cybersecurity is becoming more widely appreciated by business owners and employees alike, there is still a learning curve. No matter what area of business is being discussed, when it’s something new, items are often missed simply due to lack of knowledge. Cybersecurity is no different, but some overlooked practices are worse than others. Here are the top three worst security misses we have seen, and why they are bad:
Giving everyone in a division a cloud account
Identity and Access Management (IAM) is a very important item for business leaders to pay attention to. This is how you determine who gets access to which systems, and at what level. When determining who needs access, the answer is almost never EVERYONE. Least privilege should always be employed, meaning that only people who need access to a system in order to do their job should have it, and only with the permissions that job actually requires. Handing every member of a division a cloud account, with the same broad permissions, means that any one compromised or careless employee can reach everything the division owns. Your janitor or office cleaner does not need access to your cloud accounts or servers. In fact, the only systems they might need access to are supply ordering and timekeeping.
On top of NOT giving everyone access to every single system, the accounts you do create need strong passwords. Passwords should be a minimum of 16 characters; if your minimum is shorter than that, passwords should be changed every 90 days and previous passwords should not be reusable. Two-factor authentication is always a good idea as well: if credentials do get stolen, the stolen password alone is not enough to log in, and the unexpected second-factor prompt can alert the user that someone is trying to use their information. Using Passw0rd1, the same word with an @ swapped in for the a, or any variation of it is an incredibly bad idea, especially as a default password.
Not requiring authorization to use an application
This is a massive problem with huge cybersecurity consequences. It doesn't matter what internal system it is, every single person should have their own dedicated sign-on. Password recommendations are the same as above, and it is important to still remember that not everyone needs access to every system. If it's not essential to an employee's job function, do not grant access. Not requiring a login for an application means that a bad actor who gets into the building can walk up to any machine and use that system, and because nobody signed in, there is no record of who did what. Once that system is accessed, the attacker has free rein to do whatever damage they came to do.
The biggest takeaway from this one is to remember that all an attacker needs is a way in. If you provide that by allowing just anyone to access an internal system, you are jeopardizing the entire business.
Collecting social security numbers for a marketing gimmick and not protecting them
First, this is a completely unnecessary practice. If the promotion you are running pays out something of monetary value that must be reported for tax purposes, collect the social security number from the recipient only at that point, and only from the people who actually receive a payout. There is no reason to collect the social security numbers of everyone participating; you have no need for them. Stop collecting information you don't need.
Second, if you decide to collect social security numbers for ANY reason, you cannot just drop them in a cloud storage bucket that anyone on the internet can read. They MUST be protected: encrypted at rest, accessible only to the few accounts that need them, and isolated from the rest of the network and the public internet. If those numbers are exposed, your business is on the hook for any damage done with them.
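Both cloud mistakes described on this page, an account that can do anything and a bucket that anyone can read, are visible in the policy JSON before the first byte of data is uploaded, so they can be caught with a simple check. The following is an added example, not code from the original article, that audits AWS-style IAM and S3 bucket policies offline. The policy documents, bucket name, account ID and role name in it are constructed for illustration; the check is deliberately conservative and flags only plain wildcards and unconditioned public grants.

```python
"""Added example, not from the original article: an offline audit of AWS-style
policy JSON for two of the mistakes discussed above, an identity policy that is
far broader than least privilege, and a storage bucket readable by anyone.
Every policy below is constructed for the example; names and IDs are made up."""
import json


def _as_list(value):
    """Action, Resource and Principal.AWS may be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a JSON string or an already-parsed dict and return its statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _principal_is_everyone(principal):
    """True when Principal is "*" or {"AWS": "*"}: any AWS user, or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(bucket_policy):
    """Return the Sids of Allow statements that grant access to everyone and carry
    no Condition block. A public principal with a Condition (e.g. a source VPC
    restriction) is not flagged here and should be reviewed by hand."""
    public = []
    for stmt in _statements(bucket_policy):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if _principal_is_everyone(stmt.get("Principal")) and not stmt.get("Condition"):
            public.append(stmt.get("Sid", "<no Sid>"))
    return public


def find_overbroad_statements(identity_policy):
    """Return {Sid: [reasons]} for Allow statements in a user or role policy that use
    wildcards where least privilege calls for specific actions and resources."""
    findings = {}
    for stmt in _statements(identity_policy):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        actions = _as_list(stmt.get("Action"))
        if "*" in actions or any(a.endswith(":*") for a in actions):
            reasons.append("wildcard Action")
        if "NotAction" in stmt:
            reasons.append("NotAction grants everything not listed")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("wildcard Resource")
        if reasons:
            findings[stmt.get("Sid", "<no Sid>")] = reasons
    return findings


# Constructed sample policies (hypothetical bucket, account and role names).
BUCKET = "arn:aws:s3:::example-promo-entries"
PROCESSOR_ROLE = "arn:aws:iam::123456789012:role/entries-processor"

# The mistake: anyone on the internet can download every object.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# The fix: one named role, specific actions, and an explicit deny of plaintext HTTP.
PRIVATE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProcessorOnly", "Effect": "Allow", "Principal": {"AWS": PROCESSOR_ROLE},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# The mistake: every account in the division gets this, i.e. full administrator.
ADMIN_EVERYONE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EveryoneAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The fix: the two calls the job needs, on the one bucket it needs them for.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EntriesReadWrite", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"}]}


if __name__ == "__main__":
    for name, policy in [("public bucket", PUBLIC_BUCKET_POLICY),
                         ("private bucket", PRIVATE_BUCKET_POLICY)]:
        print(name, "-> public statements:", find_public_statements(policy))
    for name, policy in [("admin-for-everyone", ADMIN_EVERYONE_POLICY),
                         ("scoped", SCOPED_POLICY)]:
        print(name, "-> over-broad statements:", find_overbroad_statements(policy))
```

Run as a script, the two "mistake" policies are flagged and the two "fix" policies come back clean. A Deny statement with `Principal: "*"`, as in the private bucket policy, is not a public grant, which is why the check looks at `Effect` first; and a statement that combines a public principal with a Condition is deliberately left for human review rather than silently accepted.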
Your mistakes are a hacker’s best friend
In all of these examples, the mistake was made out of ignorance, a lack of knowledge on the part of business leaders. This is not to shame them, but to bring awareness to other business owners of problems they may have right under their noses without knowing it. With cybersecurity in the news on an almost daily basis now, it is important for business leaders to know their own security practices and to ensure they are solid.