In a world of ever-advancing technology and development, many company heads get lost in the bustle and swept up in the sea of buzzwords that happen to be popular at any given moment. They forget about the simple, fundamental information security risks present in everyday business: the security holes that constantly lead to breaches, which invariably lead to loss. These are 15 major reasons that many businesses' security gets compromised today -- and they're all preventable.
Companies tend to neglect simple software updates, and over time this can and will develop into a massive security hole. Often employees will actually try to keep their software updated, but are thwarted by overactive security protocols that don't allow them to do so. Software should be checked for updates on a daily basis -- it only takes a couple of minutes for most systems.
While failing to update software is an issue of negligence, refusing to upgrade that same software to newer, better products is just as heinous an error. Not only are many security risks due to vulnerabilities in specific applications, but there is also productivity to take into account. Some products are simply better than others, and many are cost-free (such as web browsers).
It's frightening to see how many businesses still operate today with a total lack of proper spam filtering, and many that are supposedly protected are not much better off. With products available like Google Mail for Business, there's no reason to allow spam to continuously threaten your business.
While threats from executable email attachments can be mitigated by effective anti-virus and anti-malware software, they're still threats nonetheless. Allowing employees to open and run executable files sent to them from external sources is always a bad idea.
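One way a mail gateway or endpoint agent can enforce the rule above is to judge an attachment by its content and its full name rather than by its last extension alone. This is an added example, not code from the original article; the magic byte table, the extension list and the sample attachments are constructed for illustration.

```python
"""Attachment screening: identify executables by content and name, not by
the last extension alone. Constructed example; tables are illustrative."""

# Leading bytes of common executable formats (constructed lookup table).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "Linux ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script with an interpreter line",
}

# Extensions that mail clients or the OS will run directly when opened.
RISKY_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "msi", "jar", "sh"}


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be blocked; an empty list means allow."""
    reasons = []
    name = filename.lower()
    # Check every extension in the name so "invoice.pdf.exe" is caught, not only the last one.
    for ext in name.split(".")[1:]:
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension .{ext}")
            break
    # Content sniffing catches a renamed binary such as "photo.jpg" that begins with MZ.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is a {label}")
            break
    # Zip archives pass through only after their contents have been inspected;
    # Office documents are zip containers too and are treated as documents here.
    if data.startswith(b"PK\x03\x04") and not name.endswith((".docx", ".xlsx", ".pptx")):
        reasons.append("zip container, inner files need inspection")
    return reasons


# Constructed sample attachments (names and bytes invented for this example).
SAMPLES = {
    "quarterly_report.pdf": b"%PDF-1.7\n%constructed",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "photo.jpg": b"MZ\x90\x00",
    "notes.txt": b"plain text, nothing to see",
    "setup.sh": b"#!/bin/sh\necho hi\n",
}


def screen_all(samples=SAMPLES) -> dict[str, list[str]]:
    """Run the check over every sample and map file name to block reasons."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}
```

A real deployment would run `classify_attachment` on every part of every inbound message and quarantine anything that returns a non-empty list.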
The very worst security breaches in history have been at the hands of trusted employees. Many companies think it common practice to allow their people to take their work home with them, and there is no end to the problems with this practice. People can be compromised, and while they may work for the company, their families don't, and even an employee's child can gain access to sensitive information in mere moments alone with a company computer.
Even assuming that employees will act in the best interest of the company and protect the data they take home with them, there is no accounting for crime, disaster, or accidental loss. Cars are often broken into for the laptops inside, and many USB thumb drives have met their end in a crosswalk, or been found by unwary bus travelers, after falling out of their owners' pockets. Even if thought destroyed, devices can often yield information to data-recovery efforts. Company data is best left on company grounds.
Companies smart enough to secure their buildings often let down their guard after the fact. Unfortunately, controlled access becomes easy access when a company no longer monitors who uses the access badges to gain entry. Loss of these badges needs to be kept to a bare minimum, and employees need to report these losses swiftly to ensure not only information security, but physical security of the company assets as well.
Much like allowing employees to download and open executable files in email attachments, uninhibited web-browsing is a huge hole in information security for any company. Firewalls should be set up to disallow access to sites known to be malicious, or deemed too risky for the users to behave responsibly. Many products are equipped with self-updating lists of these threats.
Physical security can be as simple as locking the door to the server room, or, in many cases, having a separate, locked server room. Many companies fail to understand the importance of maintaining the physical security of their data as well as securing the data itself. For many of these companies, it can be easier for an individual to simply enter the building and interface with the system in person than it would be to try to gain access through the network.
Many companies outsource their IT support staff, not because it's more efficient but because it's more cost-effective. This is akin to handing over to strangers not just the keys to your house, but all your bank account information too. There is little to no accountability when outsourcing, and when dealing with your company's information security that's an unacceptable risk.
One of the biggest mistakes companies still make today is one that can be easily remedied by proper employee training and better education. Teaching employees exactly why they must follow information security protocols can help ensure that they follow those protocols when the boss isn't looking.
Unfortunately, even with good instruction on information security, employees will always relax over time. Companies need to make sure that their employees always mind the absolute basics: locking their screens when away from their desks, and using strong passwords. They need to be required to change their passwords frequently as well -- at least every 90 days.
We're not about to say that off-site, third-party datacenters are a bad thing. Companies should be mindful, however, that using such facilities is inherently a risk, because their data is no longer in their hands. They should choose very wisely which datacenters to entrust their data to, since it takes only one criminal or negligent employee at the datacenter to put multiple companies at risk all at once.
Most companies are under the impression that they have a paper-shredding policy in effect, when in reality their employees rarely shred anything due to the extra work involved to do so. Companies should police their employees to ensure that no paper is ever disposed of without at least shredding it first. This ensures that no sensitive information can ever be recovered from the trash bins or disposal facilities.
One of the most often overlooked information security practices is proper file permissions. There really isn't any reason for most employees to be able to change, or even read, a great portion of data. This data should be fundamentally protected by limiting which users have read/write access rights to it. For the great majority of files, that means only superuser accounts should have access.
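Finding the files that violate such a policy is the first step, and on a Unix-style file server it comes down to the mode bits. The audit below is an added example, not code from the original article; its policy (no access at all for "other", no write access for "group") and the sample tree it builds in a temporary directory are assumptions to adapt to your own data classification.

```python
"""Audit file permissions under a directory and tighten the over-permissive ones.
Constructed example; the policy thresholds are assumptions, not a standard."""
import os
import stat
import tempfile


def audit_permissions(root: str) -> list[tuple[str, str, str]]:
    """Return (relative path, octal mode, findings) for each over-permissive file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink bits are meaningless; the target is audited on its own
            perm = stat.S_IMODE(os.lstat(path).st_mode)
            reasons = []
            if perm & (stat.S_IROTH | stat.S_IXOTH):
                reasons.append("world-readable")
            if perm & stat.S_IWOTH:
                reasons.append("world-writable")
            if perm & stat.S_IWGRP:
                reasons.append("group-writable")
            if reasons:
                findings.append((os.path.relpath(path, root), oct(perm), ", ".join(reasons)))
    return sorted(findings)


def tighten(perm: int) -> int:
    """Drop every 'other' bit and the group write bit; the owner keeps its rights."""
    return perm & ~(stat.S_IRWXO | stat.S_IWGRP)


def demo() -> tuple[list, list]:
    """Build a constructed tree with typical sloppy modes, audit, fix, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"payroll.csv": 0o644, "contracts/nda.pdf": 0o666,
                   "private.key": 0o600, "notes.txt": 0o664}
        for rel, perm in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content")
            os.chmod(path, perm)
        before = audit_permissions(root)
        for rel, _mode, _why in before:
            path = os.path.join(root, rel)
            os.chmod(path, tighten(stat.S_IMODE(os.stat(path).st_mode)))
        after = audit_permissions(root)
    return before, after
```

Run `audit_permissions` against a real share read-only first and review the list; applying `tighten` blindly can break services that legitimately share files through group write.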