Electronic Security Issues
Each year, internet security company Trustwave puts out its report into electronic security online. It won’t surprise anyone to learn the outlook isn’t getting any better. Hackers are “professional, organized, determined and innovative – meticulously evolving their techniques to ensure they remain steps ahead of their targets,” says the 2015 report. When security lapses by big corporations and the government are constantly being uncovered, it may seem like other businesses have no chance. But the majority of attacks online are still opportunistic, and doing the basics right protects against many, even most, threats. Trustwave identified six common factors that led to business data being compromised. We go through all six, and what you can do about them.
Weak Remote Security
Trustwave found that 28% of data breaches were due to weak remote security. Retailers are a favorite target of these attacks, because they have a lot of credit card data, and they depend on remote access software to connect their stores’ payment systems. 44% of compromises of point-of-sale systems were due to weak network security. “It’s impossible to ignore the irony that enterprise remote access services— technologies constructed to provide authorized employees and partners with managed, secure remote access to corporate networks and data— have become one of the most exploited IT resources in use today,” says Eric Parizo on TechTarget. Small and medium businesses often rely on third parties to secure their point of sale data. Those businesses need to be asking serious questions about third party data security (not least so that they comply with payment industry standards). Other measures companies can take to improve remote security include:
- Using a Virtual Private Network (VPN) to log in to office systems remotely
- Requiring 2-factor authentication for users logging in remotely
- Strengthening awareness of the risks of suspicious wireless hotspots.
Every business by now ought to know the rules for strong passwords: long, frequently changed, unique combinations of letters, numbers, and symbols that can’t easily be guessed. But Trustwave found 28% of attacks still exploit passwords that are all too predictable. The most common business passwords were, in order, Password1, Welcome1, and P@ssword1, Summer1!, and password. The trouble is that what is hard for password crackers to guess is also hard for humans to remember—especially when passwords change often. “In some ways, we’re impressed by the creative effort people put into avoiding strong passwords while still operating within the “complexity requirements” imposed on them,” says Amber Gott at LastPass. There are several ways to improve password strength in an organization. One is to use a password policy enforcer that rejects weak passwords and resets passwords periodically. For stronger security, cloud-based single sign-on tools, or enterprise-level password managers may be needed to replace large numbers of weak passwords no one remembers anyway. Finally, while it may make sense for individuals to write down their passwords if they can’t remember them, written passwords should never be left lying around in a business setting.
Weak Input Validation / Misconfiguration
Input validation attacks involve input into a program that is unexpected, causing the program to crash or run commands it shouldn’t. Misconfiguration occurs when firewalls and security measures are not properly configured or applied, leaving valuable information or network infrastructure unsecured, or poorly secured. These kinds of attacks are factors in 15% and 8% of compromised systems, respectively. Although these are very different kinds of attacks, we’ve lumped them together because they’re both very technical. One way to find these problems is penetration testing: in other words, getting someone to think like a hacker. Easy access to unsecured parts of a network, for example, shouldn’t be hard to expose if someone is looking for it.
You might think that businesses would be able to deal with known vulnerabilities. You would be wrong. 12% of businesses have no patch management strategy at all. Inconsistent patching is better than none, but it only takes one weakness for an attacker to get through. And 15% of compromises happen through a vulnerability for which a fix already exists. The reasons for not patching include:
- fear of glitches caused by updates
- devices that miss updates because they’re not connected to the network, like laptops
- a lack of buy-in for larger organizations.
These problems aren’t insurmountable, but they won’t solve themselves. Every company, large or small, needs a patch management process that identifies patches, prioritizes them, and moves to install patches regularly—and install critical patches as quickly as possible.
Finally, 6% of compromises involve a malicious insider. In many ways, these are the hardest attacks to guard against, because they involve employees who have been given trust. That doesn’t mean there’s nothing you can do, however. Writing in the Harvard Business Review, David M. Upton and Susie Creese recommend:
- Monitoring internet traffic for unusual activity
- Making sure employees don’t have access to anything they don’t need—and if they no longer need access to something sensitive, changing their permissions
- Being vigilant about contractors and third parties who have access to your system.
The truth is, as we’re learning painfully, no one is perfectly safe. But eradicating major weaknesses continues to be the easiest and best way to improve cybersecurity. E-Complish is an expert in payment data security: if you’re interested, you can learn more about our PCI-compliant payment solutions.