15 Major Reasons Businesses' Security Gets Compromised

Updated: August 22, 2012

In a world of ever-advancing technology and development, many company heads often get lost in the bustle and get swept up in the sea of buzzwords that happen to be popular at any given moment. They forget about the simple, fundamental information security risks present in everyday business; the security holes that constantly lead to breaches, that invariably lead to loss. These are 15 major reasons that many businesses' security gets compromised today -- and they're all preventable.

Out of Date Software

Often the employees will actually try to keep their software updated, but are thwarted by overactive security protocols that don't allow them to do so. Companies tend to neglect simple software updates, and over time this can and will develop into a massive security hole. Software should be checked for updates on a daily basis -- it only takes a couple of minutes for most systems.

Refusal to Upgrade to Newer Software

While failing to update software is an issue of negligence, refusing to upgrade that same software to newer, better products is just as heinous an error. Not only are many security risks due to vulnerabilities in specific applications, but there is also productivity to take into account. Some products are simply better than others, and many are cost-free (such as web browsers).

Poor to Non-Existent Spam Filtering

It's frightening to see how many businesses still go on today with a total lack of proper spam filtration, and many that are supposedly protected aren't far off. With products available like Google Mail for Business, there's no reason to allow spam to continuously threaten your business.

Users Opening Unsafe Email Attachments

While threats like this can be mitigated by way of effective anti-virus and anti-malware software, they're still threats, nonetheless. Allowing employees to open and run executable files sent to them from external sources is always a bad idea.

Employees Taking Company Data Home

The very worst security breaches in history have been at the hands of trusted employees. Many companies think it common practice to allow their people to take their work home with them, and there is no end to the problems with this practice. People can be compromised, and while they may work for the company, their families don't, and even an employee's child can gain access to sensitive information in mere moments alone with a company computer.

Loss of Data Storage Devices

Even assuming that employees will act in the best interest of the company and protect the data they take home with them, there is no accounting for crime, disaster, or accidental loss. Cars are often broken into for the laptops contained within, and many USB thumb drives have met their end in a crosswalk, or been found by unwary bus travelers, after having fallen out of their owners' pockets. Even if thought destroyed, devices can often yield information to data-recovery efforts. Company data is best left on company grounds.

Loss of Controlled Access Badges

Companies smart enough to secure their buildings often let down their guard after the fact. Unfortunately, controlled access becomes easy access when a company no longer monitors who uses the access badges to gain entry. Loss of these badges needs to be kept to a bare minimum, and employees need to report these losses swiftly to ensure not only information security, but physical security of the company assets as well.

Unfettered Personal Web-Browsing

Much like allowing employees to download and open executable files in email attachments, uninhibited web-browsing is a huge hole in information security for any company. Firewalls should be set up to disallow access to sites known to be malicious, or deemed too risky for the users to behave responsibly. Many products are equipped with self-updating lists of these threats.

Poor Physical Security for Equipment

This can be as simple as locking the door to the server room, or in many cases, having a separate, locked, server room. Many companies fail to understand the importance of maintaining the physical security of their data as well as securing the data itself. For many of these companies, it can be easier for an individual to simply enter the building and interface with the system in person than it would be to try to gain access through the network.

Outsourced IT Support

Many companies outsource their IT support staff, not because it's more efficient but because it's more cost-effective. This is akin to handing not just the keys to your house over to strangers, but all your bank account information too. There is little to no accountability when outsourcing, and when dealing with your company's information security that's an unacceptable risk.

Employees Not Trained in Proper Information Security Practices

One of the biggest mistakes companies still make today is one that can be easily remedied by proper employee training and better education. Teaching employees exactly why they must follow information security protocols can help ensure that they follow those protocols when the boss isn't looking.

Employees' Passwords and Screens Not Policed

Unfortunately, even with good instruction on information security, employees will always relax over time. Companies need to make sure that their employees always mind the absolute basics: locking their screens when away from their desk, and using strong passwords. They need to be required to change their passwords frequently, as well -- at least every 90 days.
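The 90-day rule above is only worth stating if somebody checks it. The script below is an added example, not code from the original article: it reads /etc/shadow-style records (the records, hashes and reference date here are constructed, not taken from any real system) and reports accounts whose password is older than the policy allows, accounts with no maximum age enforced, and accounts with an empty password. Locked accounts are skipped, since they cannot be logged into with a password at all.

```python
"""Added example (not from the original article): check constructed
/etc/shadow-style records against a 90-day password rotation policy.
Record format: name:hash:lastchg:min:max:warn:inactive:expire:
where lastchg is days since 1970-01-01 and max is the maximum age in days."""
from datetime import date

MAX_AGE_DAYS = 90  # the policy value the article recommends

# Constructed sample records; the hashes are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$placeholderhash:15400:0:99999:7:::
alice:$6$placeholderhash:15560:0:90:7:::
bob:$6$placeholderhash:15500:0:99999:7:::
svc_backup:!:15000:0:99999:7:::
carol::15570:0:90:7:::
"""


def days_since_epoch(d):
    """Convert a date to the day count used by the lastchg field."""
    return (d - date(1970, 1, 1)).days


def check_password_policy(shadow_text, today, max_age=MAX_AGE_DAYS):
    """Return {account: [issues]} for every account with at least one finding.

    Locked accounts (hash beginning with '!' or '*') are skipped."""
    findings = {}
    today_days = days_since_epoch(today)
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, lastchg, _min_days, max_days = fields[:5]
        if pw_hash.startswith(("!", "*")):
            continue
        issues = []
        if pw_hash == "":
            issues.append("empty password")
        if lastchg and today_days - int(lastchg) > max_age:
            issues.append(f"password older than {max_age} days")
        if max_days == "" or int(max_days) > max_age:
            issues.append("no rotation enforced (max age unset or above policy)")
        if issues:
            findings[name] = issues
    return findings


def run_demo():
    """Run the check against the constructed records as of 2012-08-22."""
    return check_password_policy(SAMPLE_SHADOW, date(2012, 8, 22))


if __name__ == "__main__":
    for account, issues in run_demo().items():
        print(f"{account}: {'; '.join(issues)}")
```

On a real host the same function can be fed the contents of /etc/shadow (readable only by root) and today's date; the point of the separate max-age check is that an account can be within 90 days today and still never be forced to rotate if the field is left at its default.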

Off-Site, 3rd Party Data Storage

We're not about to say that off-site, 3rd party datacenters are a bad thing. Companies should be mindful, however, that using such facilities is inherently a risk, because their data is no longer in their hands. They should be sure to choose which datacenters to entrust their data to very wisely, since it takes only one criminal or negligent employee at the datacenter to put multiple companies at risk all at once.

Improper Disposal of Information

Most companies are under the impression that they have a paper-shredding policy in effect, when in reality their employees rarely shred anything due to the extra work involved to do so. Companies should police their employees to ensure that no paper is ever disposed of without at least shredding it first. This ensures that no sensitive information can ever be recovered from the trash bins or disposal facilities.

Lax File Permissions

One of the most often overlooked information security practices is proper file permissions. There really isn't any reason for most employees to be able to change, or even read, a great portion of data. This data should be fundamentally protected by limiting which users have read/write access rights to it. For the great majority of files, that means only superuser accounts should have access.
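Finding the files that break this rule is the first step to fixing them. The script below is an added example, not code from the original article: it walks a directory tree and reports every regular file whose mode grants read or write access to anyone other than the owner. The sample tree (payroll, hr and shared directories with their modes) is constructed in a temporary directory so the script runs offline; the paths are assumptions, not anything from the article.

```python
"""Added example (not from the original article): audit a directory tree for
files that users other than the owner can read or write. The sample tree is
constructed here in a temporary directory; the paths are assumptions."""
import os
import stat
import tempfile


def audit_permissions(root):
    """Return a sorted list of (relative_path, issue) for regular files under
    root whose mode bits grant group or other read/write access."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, root)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group or others"))
            elif mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "readable by group or others"))
    return sorted(findings)


def build_sample_tree(root):
    """Construct a sample tree: one file locked to its owner, one readable
    by everyone, one writable by its group."""
    samples = {
        "payroll/salaries.csv": 0o600,
        "hr/contracts.txt": 0o644,
        "shared/plan.docx": 0o664,
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)  # set the mode explicitly so umask does not interfere


def run_demo():
    """Build the sample tree and return the audit findings for it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, issue in run_demo():
        print(f"{rel}: {issue}")
```

Pointing audit_permissions at a real share root produces the list of files to tighten; writable findings are reported ahead of readable ones because a file anyone can modify is the more urgent problem.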
