One of the top questions we are asked when discussing a new cyber security engagement is “What do you find are the most common weaknesses?”. Here are the top three that we see time and time again:
1) Lack of understanding of basic security best practices. It’s great to have the latest endpoint security devices, and maybe even some strong IT policy documents. But all the hardware and processes in the world don’t do much if you fail to follow the basics. Among the most common issues we see are remote access set up to allow anyone from anywhere (sometimes set up years ago for a staff member or vendor who shouldn’t have access any longer), no lockout policy for accounts (especially Admin accounts), and no requirement to change user credentials at least every 90 days.
2) Not encrypting sensitive data. If we get past your endpoints as described above, we can often see sensitive data in clear text. We’re the good guys; imagine what happens when someone you didn’t hire to test your security gets in and sees the full list of your clients, patients, students, donors, or employees. Did you know personal data is more valuable on the black market than a credit card number, since it allows criminals to steal an identity and set up new credit accounts? You may catch a rogue charge on your Visa statement quickly, but how long will it take to realize someone opened numerous new accounts in your name if the bills aren’t even coming to you? How much will it cost your organization to pay for credit monitoring if this data was breached because you didn’t protect it? When in doubt, encrypt!
3) Not educating/testing staff on cyber security. One area where we have 100% success in gaining access to something we shouldn’t is via users. They mean well, but they need to understand that they should NEVER provide their credentials to anyone other than a known IT resource who is standing in front of them. Think you’re safe because your users have had security awareness training? Hardly. Our engagements show that it takes testing and sharing the results with your team to reinforce the importance of what they have learned, how much it really does matter, and how it could mean the difference between being breached and holding off an attack.
How would you fare if tested in these areas? We can help you find out.