Many risk areas, such as weak password security or Trojan code in applications, have been around since the dawn of computing. They will always be with us. With new threats emerging on a weekly or even daily basis, the complete list of vulnerabilities and attack vectors is already extremely long.
The majority can be patched or addressed by system and software vendors, and by aware and savvy security teams in larger companies, but SMEs may struggle to achieve adequate security coverage.
Risks can be internal - e.g. employee negligence, hardware errors, insecure asset disposal - or external, for instance malware, power failure, legal action etc. Here are the main security weak points you should be aware of:
1) Compromised End Points / Remote Working / Bring Your Own Device Policy (BYOD)
Time and again, attacks have been initiated through user end-point devices attached to the network, rather than through the infrastructure itself. This applies equally to on-premises and cloud computing. The IoT presents attackers with multiple opportunities through a plethora of devices, the majority of which have never been patched or upgraded since the day they were commissioned. Remote working and a BYOD policy need special attention and defences, lest the user deliberately or inadvertently introduce a hostile application that penetrates sensitive network areas.
2) Staff Training / No Information Or Security Training / Acceptable Use
People quickly forget training and can revert to previous bad habits. It is vital that a continuous program of refresher training is put in place. Social engineering is a real threat to information security and staff need to be made aware of how this can happen. Graphic real-life examples are an excellent way of making lessons learned memorable. An acceptable use policy is virtually useless unless the key points are repeated over and over again. Laziness, carelessness and forgetfulness are the risks that mean it may not be implemented.
3) Out Of Date Infrastructure
There are still a large number of XP systems in operation, just to give one example of defunct equipment. Older hardware also presents a security risk when it can no longer be patched or will only run old versions of software. SMEs, especially, may baulk at a continuous replacement program to keep infrastructure current and patchable. However, old systems and software represent a very easy target for hackers.
This threat is on the increase as perpetrators devise even more cunning ways of injecting their malware. The effect is loss of data or at least lack of access to it for a period. The antidote is simple – a rigorously enforced backup policy to a non-networked device such as an external hard drive. Always apply software updates and be very suspicious of email attachments, apps and websites. A strong anti-virus system is a critical line of defence.
5) Constantly Evolving Threats
It seems that the headlines report on a new high-profile data leak on an almost weekly basis, if not even more frequently. They are merely the ones that are reported. New hacking techniques are constantly being developed and those responsible for data security have a high-priority obligation to keep abreast of relevant technical news and act accordingly.
6) Careless Disposal Of IT Assets
End-of-life equipment needs to be professionally sanitised before being recycled or returned to the manufacturer, if such a program is available. The risk of data falling into the wrong hands is very real and a careless approach is unacceptable practice. Engaging a company such as Absolute IT Asset Disposals Ltd entirely removes the risk and ensures full compliance with relevant legislation.