Ten Common Information Security Mistakes to Avoid
Here are ten all-too-common information security risks to avoid:
1. Confusing compliance with cyber security.
Another risk businesses have to deal with is the confusion between compliance and a cyber security policy. Ensuring compliance with company rules is not the equivalent of protecting the company against cyber attacks. Unless the rules integrate a clear focus on security, of course. Enterprise risk management requires that every manager in the company has access to the parts of the security system that are relevant to them. Security is a company-wide responsibility, as our CEO always says. As a result, managers (and everyone else) should oversee how data flows through the system and know how to protect confidential information from leaking to cyber criminal infrastructure.
" Most companies are still not adequately prepared for – or even understand the risks faced: Only 37% of organisations have a cyber incident response plan." Source: PwC Global Economic Crime Survey 2016
Clearly, there is plenty of work to be done here.
2. Lack of a recovery plan
Being prepared for a security attack means to have a thorough plan. This plan should include what can happen to prevent the cyber attack, but also how to minimize the damage if is takes place. Unfortunately, the statistics reveal that companies are not ready to deal with such critical situations. Failing to back up often enough - While the risk of not backing up regularly seems obvious, most businesses and individuals still do not back up often enough. Not only do computers eventually fail, but ransomware that encrypts data is a growing problem. Be prepared.
3. Failing to encrypt sensitive data - Every time I think that society is finally coming close to understanding and appreciating the need for encryption, I hear of some laptop stolen with sensitive information on it that was not encrypted. Encrypt sensitive data. And if you are not sure something is sensitive and requires encryption, choose to encrypt.
4. Failing to educate employees or children about the importance of information security and about relevant risks – It is hard, if not impossible, for people to avoid risky behavior if they don’t know right from wrong. Education and training are a must. Many breaches begin with oversharing on social media and resulting spear phishing attacks – so train people accordingly.
5. Using weak “security questions” to authenticate people - We have all been asked to provide the last four digits our Social Security Numbers, our mothers' maiden names, the color of our first car, or other answers as a method for proving that we are who we claim to be. Let me be blunt: If you are using this type of approach for authenticating people you should immediately work on transitioning to a better method of confirming identities. The answers to the aforementioned types of questions can often be found in under a minute by unauthorized parties; the data may have leaked in recent breaches, been shared with the public on social media, or be easily found in searchable public records. Even when such data is not immediately obtainable, criminals can usually obtain it pretty easily through social engineering. Also, keep in mind that the answer to any “security question” is simply a password for which the party posing the question has narrowed down the password range to a small number of choices and provided a hint to the person being asked. How many hits do you think I would get if I simply guessed “red” as the answer to the question “What was the color of your first car?”
6. Underestimating the level of security expertise needed – I have seen countless situations in which managers – even technical managers – did not fully grasp the magnitude of the need for security experience and expertise. Sometimes it’s a matter of allowing a generalist to do work that requires a specialist, sometimes it is ignoring the need for security altogether. It is scary how many software development projects, for example, do not involve security professionals from the get go – a mistake that can lead to serious security risks down the line. Furthermore, not all security professionals have the same levels of knowledge; formal certifications can be valuable in addressing this risk by providing some level of assurance of minimum competency levels.
7. Requiring overly complex passwords - We have all heard the advice that in order to protect our information and online accounts we should create and use "complex" passwords that include a mix of upper case and lower case letters, numbers, and special characters. Many businesses have taken this advice to heart and now require that passwords to their systems be quite complicated. Often, however, creating or requiring complex passwords worsen security due to human limitations: complex passwords are more likely to be written down than weaker passwords or than even stronger, but less complex, passwords. Furthermore, many complex passwords are not as random as people might suppose; humans have a tendency to model complex passwords after certain patters – and hacking tools already exploit that weakness.
8. Failure to cover cyber security basics
The common vulnerabilities and exploits used by attackers in the past year reveal that fundamental cyber security measures are lacking. Cyber criminals use less than a dozen vulnerabilities to hack into organizations and their systems, because they don’t need more.
For example, something as simple as timely patching could have blocked 78% of internal vulnerabilities in the surveyed organizations. And the same goes for external security holes.
Moreover, relying on antivirus as a single security layer and failing to encrypt data is an open invitation for attackers. It just screams: “open for hacking!”
World Wide Web exploits are multiplying aggressively, so protecting your company also entails keeping an eye out for new dangers. It’s not an easy job, I know.
9. Holding on to a reactive mindset
Unfortunately, this is a mistake that most organizations still make.
While trying to pull together as many resources possible and constantly prioritizing what to do next, decision makers often focus only on the reactive side of information security. This perspective is still commonplace, but the current state of affairs clearly shows that it’s not a viable strategy anymore. Investing in proactive cyber security may benefit you in aspects you’re already familiar with, but in new ways as well. Here are some of the benefits:
Proactive information security can help you mitigate risks before they turn into security breaches;
It enables you to comply with legal requirements ;
It helps strengthen the customers’ trust in the organization;
It proves to investors, shareholders and other stakeholders that the organization’s management has a clear vision and is prepared to deal with cyber risks and attacks;
It helps build trust within the organization, among employees, who can rest assured that the company can resume to business as usual after a cyber attack happens.
When you decide to plan ahead for your business’s cyber security, you set your own priorities.
If, instead, you stick to the reactive way of doing things, the attackers will set your agenda. I’m sure you already know how powerless it can make you feel when someone else calls the shots on critical matters.
What’s more, being proactive about information security is cheaper. So you can stick to your budget and keep your company’s data safe at the same time. Even EUROPOL highlighted this in their latest Internet Organised Crime Threat Assessment (2016 edition):
" When it comes to addressing volume crimes, investing resources in prevention activities may be more eﬀective than investigation of individual incidents."
The good news is that there’s an industry-wide movements away from reactive solutions and toward preventive measures.
10. Failing to properly plan – You cannot properly decide what security technology to purchase and deploy, or what services to acquire, or what policies to create and enforce, or what skill sets you need within your team, without first doing a risk assessment. Many smaller businesses don’t invest in one (or do so only once) – being penny wise can later prove to be pound foolish.
It takes time and involvement to strengthen your company’s defenses against cyber security risks. However, this process can help your organization maintain shareholder value and even achieve new performance peaks.
It may take some time to create a cyber security policy, train your employees and implement it in all the branches of your company. But the results are worth it! Being thoroughly prepared for the worst case scenario can be a competitive advantage.
You’ve already taken the first step by reading this article. Now act on what you’ve learned.
About the Author
Kijjambu Ouma Moses is the Systems Engineer at IctTel Uganda , IT support officer and also Works at posta Uganda, programmer/information systems designer, a renowned cyber security thought leader, a CISA Student 2017 and He hold Certificate in communication and network security, BIT, and DIT, indicating that he possesses a robust knowledge of information security that is both broad and deep.