Companies often think they’re doing enough when it comes to their IT security strategy, only to find out too late that they’ve left a big area of vulnerability.
One example is the breach of Colonial Pipeline last year in the U.S. This major pipeline was shut down for nearly a week due to a ransomware attack that exploited an unused VPN account that did not have multi-factor authentication enabled.
This is just one example of a common cybersecurity mistake. Here are several others that your company needs to avoid to reduce the risk of falling victim to a cyberattack.
Not Implementing Multi-Factor Authentication (MFA)
Credential theft has been on the rise for a few years. This is because most business data and processes are now cloud-based, and the easiest way to get to that data is through a legitimate user login.
According to IBM Security, compromised credentials are the #1 cause of data breaches globally.
One of the biggest mistakes companies make is to not protect those accounts with multi-factor authentication (MFA). Also known as two-step verification, this safeguard requires a code to be entered at the time of login. It may take users an extra couple of seconds, but the boost in security is well worth it.
MFA has been found to block 99.9% of fraudulent sign-in attempts.
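The Colonial Pipeline case combined two gaps, an account nobody used and no MFA on it, and both can be checked from an account export. The sketch below is an added example, not taken from any vendor tool; the CSV column names, the 90-day threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. Column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """username,mfa_enabled,last_login,remote_access
alice,true,2024-05-28,true
bob,false,2024-05-30,false
old-vpn-svc,false,2023-11-02,true
carol,true,2023-12-15,true
dave,false,,true
erin,false,2024-05-20,true
"""

STALE_AFTER_DAYS = 90  # assumed policy threshold for an "unused" account
RANK = {"critical": 0, "high": 1, "medium": 2}

def is_true(value):
    return value.strip().lower() == "true"

def audit_accounts(export_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return (username, severity, reasons) tuples, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        mfa, remote = is_true(row["mfa_enabled"]), is_true(row["remote_access"])
        last = row["last_login"].strip()
        if last:
            idle = (today - datetime.strptime(last, "%Y-%m-%d").date()).days
            stale = idle > stale_after_days
        else:
            stale = True  # never signed in: treat as unused
        reasons = []
        if not mfa:
            reasons.append("no MFA")
        if stale:
            reasons.append("unused")
        if not reasons:
            continue
        if not mfa and remote:
            # Remote login protected by a password only; worst when nobody uses it
            severity = "critical" if stale else "high"
        else:
            severity = "medium"
        findings.append((row["username"], severity, reasons))
    return sorted(findings, key=lambda f: (RANK[f[1]], f[0]))

if __name__ == "__main__":
    for name, severity, reasons in audit_accounts(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f"{severity:8} {name:12} {', '.join(reasons)}")
```

Accounts reported as critical are the ones to disable or enroll in MFA first.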
Letting Employees Use Any Cloud Apps They Like
There is a cloud app for everything these days and businesses don’t always offer employees the tools they think they need. With the rise of remote workers, the use of shadow IT (unapproved cloud applications) has become a major issue for cybersecurity.
Too many small businesses just let their employees use the apps they want without having any type of cloud use policy in place. This puts them at a major risk of data leakage, not to mention unnecessary cloud costs that can come when you have different apps being used for the same thing.
It’s important to regulate the apps employees are allowed to use with business data so you can ensure they:
- Meet your security standards
- Meet any compliance requirements
- Are integrated properly with your other cloud processes
- Are being properly backed up
- Are being monitored for any unauthorized access
Not Using an Endpoint Device Management Application
Companies have multiple endpoints and each of these can be an entry point for a hacker to gain access to the network. Long gone are the days when all endpoints would be in the same building and on the same Wi-Fi network.
Today, companies have many of their endpoint devices being used in employee homes and while on the go (smartphones, laptops, tablets). IoT devices are also multiplying and many of them aren’t being included in monitoring and update management strategies yet.
An endpoint device management application is one of the security essentials every office should have. It allows you to monitor device access to your assets and ensure no unauthorized devices are connecting to your systems or data.
Some of the capabilities of endpoint device managers include:
- Remotely manage software updates
- Grant and revoke device access to your business applications
- Remotely lock/wipe a lost or stolen device
- Apply company security policies consistently across all endpoints
Leaving Cloud Security Settings at the Default Values
In 2020, 39% of web application data breaches were due to misconfiguration of security settings. A common mistake that companies make is to get started in a new cloud application and just leave all the security settings at defaults.
The default settings in a cloud application may not be secure enough to properly protect your accounts and data. It’s important to work with an IT professional to review your cloud platforms and configure settings that make sense for your company’s security and compliance needs.
Ignoring the Problem with Password Security
Users now have about 100 passwords that they must try to remember. Companies often tell users to create strong passwords for their logins and ensure they’re unique, ignoring the fact that most human beings can’t remember that many strong, unique passwords.
With credential theft now the main cause of data breaches, it’s vital that companies address the elephant in the room with passwords. This means putting comprehensive management systems in place that can accommodate the need to have strong passwords that are different for each account and the fact that employees have a lot of passwords.
One of the easiest ways to do this is by using a business password manager that acts as a vault for employee passwords. Employees only need to remember a single strong password to access all the others.
Not Testing Backup Recovery Regularly
Backing up your data is just half of the equation in a business continuity strategy. That data also needs to be restored quickly in the event of a data loss incident.
Many companies back up, but personnel never test their backup. So, when they’re hit with ransomware, business leaders often opt to pay the ransom even if they have a backup because they think it will be faster to get operations back up and running.
It’s important to regularly test data restoration to ensure that it’s complete and as fast as you need it to be.
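A restore test can check both points, completeness and speed, mechanically. The following is an added example, not part of the original article: it records file hashes when the backup is taken, then compares a restored copy against them and the restore time against a target. The directory names, file contents, the simulated defects and the 4-hour target are all constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root, elapsed_s, target_s):
    """Compare a restored tree with the manifest and the restore time with the target."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest.keys() & restored.keys()
                       if manifest[k] != restored[k])
    return {
        "missing": missing,
        "corrupted": corrupted,
        "complete": not missing and not corrupted,
        "fast_enough": elapsed_s <= target_s,
    }

def run_drill():
    """Constructed drill: a 'restore' that loses one file and truncates another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "production"), Path(tmp, "restored")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "contracts.txt").write_text("signed 2024-01-15\n")
        (src / "hr.txt").write_text("employee list\n")
        manifest = build_manifest(src)   # taken when the backup is made
        shutil.copytree(src, dst)        # stand-in for the real restore job
        (dst / "hr.txt").unlink()        # simulated gap in the backup set
        (dst / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")  # truncated
        # Constructed timings: a 5-hour restore measured against a 4-hour target
        return verify_restore(manifest, dst, elapsed_s=5 * 3600, target_s=4 * 3600)

if __name__ == "__main__":
    print(run_drill())
```

In a real drill the manifest is stored separately from the backup itself, and the elapsed time is measured around the actual restore job.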
Start The Year Right With a Cybersecurity Audit!
Are you making any of these IT security mistakes? PartnerIT can help your Ontario business with an audit of your current cybersecurity strategy and let you know about any areas of risk and how to address them.