What are the most common IT security risks in organisations and what can you do to avoid them?
IT security is one of the things that clients most often ask us about, so I thought I would put together a blog that outlines the main sources of risk to your IT infrastructure. I’m going to blog in more detail about each of these aspects over the next few weeks – here I’m kicking things off with an overview.
Poor password management
Poor password management remains the most significant data security threat to organisations. Poor password management can take several forms. The most common and probably easiest to address is the use of passwords that are too weak and hence easily guessable, either by another human or by a bot. Related to this is the risk that comes from reusing passwords in multiple places. When there’s a data breach then the list of usernames and passwords becomes available to scammers – such a harvested list of usernames and passwords can then be tested across a whole range of other websites and apps.
Another related risk comes from the sharing of credentials within organisations. If users are sharing their login details with others, then you rapidly lose control of who is able to access your systems, as well as losing the ability to properly audit who has done what whilst logged in.
Access to systems with this method can be mitigated somewhat by utilising 2FA (2 factor authentication) which makes it very difficult for attackers to get into user accounts even with weaker passwords. Combine a strong password policy with 2FA and it makes it almost impossible for attackers to get in.
Poorly designed or implemented network systems can contain holes that are easy for hackers to crawl straight through. This is the equivalent of double locking the front door whilst leaving the backdoor completely open. An example is the Hafnium exploit that I blogged about a few weeks back. Such vulnerabilities are a risk with any software or system that you install which is why it’s vitally important to keep on top of updates. The developers will release patches and updates to address security vulnerabilities as they become aware of them. If you don’t take advantage of these then you’re leaving yourself open to attack.
Good endpoint protection software that monitors for application vulnerabilities, alongside patch management are essential in today’s online world.
Malware is malicious software that is generally unwittingly loaded into your systems by staff members clicking on links in emails or visiting websites that they should not. Attempts to deploy malware via email links (‘phishing’) are getting much more sophisticated these days and even the most security aware person can sometimes be taken in. That’s why it’s vital to ensure that your staff are aware of the risks and understand how important it is not to click on links in emails or download anything that they’re not expecting.
Many organisations run phishing simulation tests to check that their employees are on the ball in this regard, however if these are not properly thought through, they can create their own problems. You may have read recently about a West Midlands Trains phishing simulation test in which employees were sent an email purporting to be from the company’s managing director, praising them for their work during the pandemic and apparently telling them that the company had decided to pay them a bonus in recognition of their efforts. Those who then clicked on the link to read the whole message discovered that it was a phishing test and there was no bonus. Unsurprisingly this has not gone down well!
Good email filtering systems are very important, such as that offered by Barracuda which include Phishing protection with their Phishline and Sentinel programmes, alongside the myriad of other protection that goes with filtering malicious email from getting anywhere near company systems.
Social engineering attacks involve psychologically manipulating people so that they make security mistakes or give away sensitive information such as passwords. This can be done in a number of different ways.
Baiting involves luring users into a trap such as by leaving a physical object such as a USB stick or external hard drive in a place where a user is likely to find it, in the hope that they will pick it up and insert it into a computer.
Scareware attacks involve sending false alarms and warning emails to users designed to make them think that their system is already infected with some kind of virus or malware with the ultimate aim of persuading them to install software that is in fact the malware itself. This is sometimes also done via popups on websites telling visitors that their computer has been infected.
Pretexting involves approaching a potential victim pretending to be someone trustworthy such as another co-worker, a police officer or a bank official, requesting personal information ostensibly to verify the user’s identity but actually to collect the information needed to access secure systems.
User training is your friend here to educate users on how threats can enter systems and to be aware of their responsibilities in preventing this.
Disgruntled employees, contractors, freelancers and anyone else who has access to your systems can be a potentially significant security risk. When people leave the organisation it’s vital to ensure that their user credentials are deactivated so there’s no chance they can log into anything once they’ve gone and, as I’ve already mentioned it’s really important to ensure that only those people who really need to have access to a system have access to it.
Having said that, it’s also important to make sure that you don’t have any systems that can only be accessed by one person. It’s not uncommon for organisations to inadvertently lose access to something this way – typically things like access to the website backend, social media channels, Google Analytics account and so on often fall into this category. Regaining access after someone has left can be quite the operation – much better to have a failsafe system in place to ensure that the access to key systems doesn’t lie in a single person’s hands.
Everything I have talked about so far involves a ‘virtual’ threat but of course scammers and hackers can also use physical methods to gain access to your systems – there have been cases of scammers simply walking into buildings and helping themselves to computers, mobile phones and other pieces of equipment.
A colleague of mine once worked in a university where an enterprising student arrived in advance of class and installed software onto the lecturer’s PC by way of a USB stick which then enabled them to get access to the lecturer’s files, including all upcoming exam papers. There are also cases of hackers and other malicious actors getting access to sensitive information simply by viewing it on users’ screens. Physical security is just as important as digital and online security.
Researchers from Stanford University estimated recently that 88% of all data breaches are caused by human error. This can be things like poor password hygiene, as I’ve already discussed, but also even easier mistakes to make like emailing information to the wrong person or leaving a laptop on a train.
How we can help
If you’re at all concerned about any aspect of IT security in your organisation, then get in touch with us for a chat. Whether you’re after someone else to cast an eye over your processes or you have specific questions or concerns about a particular element of your setup, we would be happy to help.