The Top 5 Cybersecurity Risks Your Company Hasn’t Considered
Exploring the leading cybersecurity threats facing business professionals today
There’s no getting around the prevalence of cybercrime today; it’s happening more and more, all across the globe. Even worse? The identity thieves and malicious attackers lurking behind the scenes are getting better at exploiting weaknesses to get their hands on confidential business data.
Understandably, business owners are often scrambling to ensure they’re doing enough to keep security tight. Maybe they invest in some “total solution” software or perhaps they overload a tech savvy employee with IT security work. Some business owners simply decide to roll the dice and hope for the best. Whether it’s doing too much or too little, business professionals often get caught up in a less-than-ideal approach to cybersecurity.
So, with all the horror stories in the headlines about companies and government agencies getting breached, what’s a business owner to do? The key is to remain focused and strategic so you can put together a level-headed plan. This involves taking a closer look at some of those gargantuan cyber threats we often forget about.
Narrowing Down the Doom: 5 Concrete Risks You Can Focus on Fixing Today
In order to develop a realistic and strategic approach to cybersecurity, you have to cut out all the noise. Put the headlines and your own fears to the side and try to stay focused on the things you and your staff can control. Think long and hard about the various ways cyberattacks could occur in your organization and then consider how you can work to close the gaps in each section.
Check out these Top 5 Security Risks that your organization must be carefully managing:
1. Your own team
No one likes to admit that internal risks exist, but the reality is that employees are the weakest link in the cybersecurity chain. Sometimes these internal threats are malicious, but most often it’s a matter of ignorance and carelessness. In fact, human error is the catalyst for the vast majority of cyber-attacks on businesses.
The reality is, an uninformed and unprepared team can have drastic consequences for your organization’s cybersecurity. You may have employees who are more likely to click a malicious link or download a bad file from a phishing scam. Perhaps your team receives fraudulent business email compromise (BEC) scams that seem legitimate. No matter the error, your workforce – when uninformed – can put your organization at serious risk.
How to tackle an uneducated team:
The best way to counteract employees who aren’t in the know is to teach them! Yes, this will require some investment of time and resources but in the long run, your organization will be stronger and more secure.
Find ways to get your team on board and help empower them to be cybersecurity superheroes. Help them determine how to identify threats and create an environment for open and honest communication about suspicious activity of any kind. With an informed and vigilant team, your cybersecurity woes will be reduced significantly.
Passwords are supposed to keep your organizational and employee data safe and secure. But when’s the last time your team changed their passwords? Is there a culture of password-sharing or posting in your office that threatens security? For that matter, have you and your team ever had an open conversation about choosing strong passwords? These are questions you must ask yourself in order to get on top of password malpractice.
How to manage password malpractice:
Like with any other part of your business, best practice for password management is to have standard operating procedures in place to ensure your team knows what is expected.
Make it a rule that passwords must be kept private and changed on a 30 or 60-day basis. Mark calendars with password change dates and makes it a group activity. Make it a rule that passwords must be unique and not repeats of old passwords or other accounts. Ensure there is a chain of command for access and control – superiors should never be sharing login credentials with employees – no matter how convenient. Finally, consider setting up two-factor authentication at all endpoints to add an extra layer of verification security.
2. Patch procrastination
In an increasingly digital workforce, hardware and software updates seem to pop-up daily. However, it is becoming blatantly clear that updated software and hardware are a critical part of maintaining strong cyber security. Why? Because updates very often include patches designed specifically to fix security holes or glitches. Who can forget the massive WannaCry scam from 2017? Even though a patch had been released in March, it had not been installed on countless machines who were then infected by the virus in May.
Even with the high profile WannaCry case, it is still common practice for many business professionals to avoid or put off software updates. Sometimes there is fear of change or increased technical issues once an update is installed – and this can happen. However, for the most part, updates are designed correctly and will work wonders by patching unseen security flaws. This can make a huge difference in keeping your network secure.
How to stop patch procrastination:
Again, schedule your updates and mark them on calendars as much as possible. Taking the time to make a physical note will help emphasize the importance of staying on top of patchwork.
Most importantly, when your machine gives you a reminder to install an update – install it! Get out of the habit of clicking “Remind Me Later” – your network will thank you. It’s not just about security either. Staying on top of updates and patches will help your systems run at optimal capacity at all times. Make updates to your new habit and explain this priority to other administrators.
3. Other organizations
This is perhaps the biggest risk that business professionals often forget. It’s not just your own cybersecurity practices you should be worried about – it’s the other companies you work with. Vendors, business partners, consultants – basically any organization that your company deals with can impact the safety of your business data.
Even if you have the strongest internal cybersecurity plan in place, if a third-party vendor has less than perfect cyber security practices, attacks could find a way to access your network. The recent Petya attack is a good example of this. The bottom line is that any company that you transmit data to and from is a potential vulnerability for your own network. The last thing you want is to invest time and money to keep your network secure, only to have it breached thanks to another organization’s lax policies.
How to counteract the poor cybersecurity practices of others:
First, its critical to make your own standards clear to the partners you’re working with. While you can’t force them to get smarter about their own security, letting them know that you take cybersecurity seriously right off the bat is a great way to be transparent and encourage their vigilance.
Second, there are technical tools available to help mitigate the risks involved with external vendors. Network segmentation or divided servers can help ensure vendors only access the necessary parts of your network and nothing else. This can be a great safeguard that will help mitigate the risk of vendor weak spots.
4. Bring Your Own Device (BYOD) chaos
Alright, it’s no secret that pretty much everyone has a computer in their pocket or purse these days. Between smartphones, tablets and laptops, taking your favorite machine on-the-go is now easier than ever. Understandably, this has translated to the workplace with the Bring Your Own Device (BYOD) craze. BYOD can be a convenient, cost-effective, and morale-boosting practice for small businesses.
However, there is a downside to letting endless personal devices through the doors and onto your business network. In fact, the security risks involved can be pretty serious. Simply put, personal devices likely do not have the same security standards and protocols that corporate devices do. This can leave your organization wide open and much more susceptible to hacks and data breaches.
How to balance BYOD benefits and risks:
Said it once and we’ll say it again: get policies and procedures on paper if your organization allows staff to bring in their own devices. Make sure your employees know the risks involved and come up with some detailed policies that will keep your network as secure as possible.
Make sure personal devices are only able to access the corporate networks through a virtual private network (VPN). Additionally, ensure that all employees have two-factor authentication set up on their accounts to maintain adequate verification. Just like all the other areas, proactive education is crucial. An informed team will make all the difference.
5. Putting Your Plan in Action: Consult the Pros if Necessary
Now that some of the basic groundwork has been laid, it’s time to ditch the hopelessness and procrastination and get your plan in action. There’s no denying that business professionals are constantly on-the-go, but making cybersecurity a top priority is a critical way to ensure your IT infrastructure is protected.
But hey, it can be a tough process to start. If you’re feeling lost or unsure, don’t hesitate to reach out to a local IT partner. A team of experts can help you begin thinking technically and strategically. It’s not just about calling someone in to fix the problem. The right IT partner will help empower you and your team so you’re thinking more like an IT expert.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.