Computing technologies are constantly changing and extremely complex. Securing IT systems in this environment is challenging, especially for small and midsize businesses. They often do not have the time or resources to keep up with technological changes, the latest security threats, and the best ways to mitigate those threats. As a result, they often slip up when it comes to IT security.
Here are five IT security mistakes that small and midsize businesses often make and how to avoid them:
1. Not Using Anti-Malware Software
With 600 million malicious programs in existence, not having anti-malware software installed on all the computers in a business is extremely risky. Anti-malware software is designed to stop malicious code from running on computers, providing an important line of defense against cyberattacks. While it won’t stop zero-day malware attacks (i.e., attacks involving brand new malicious programs), it will stop previously identified malware. Hackers like to use existing malware because it saves them time. Plus, they already know it’s effective on unprotected machines.
All anti-malware applications are not created equal, though. You should use one that detects different types of malware, including ransomware, spyware, and viruses. You also need to make sure that the anti-malware software is being updated regularly. Computers with missing anti-malware software updates are vulnerable to cyberattacks.
2. Having Bad Password Habits
Employees often have bad password habits, such as using weak passwords like "12345678", "qwertyuiop", and "starwars". Cybercriminals can easily hack weak passwords using brute-force password-cracking tools. Employees also commonly use the same password (or variations of it) for several accounts. Hackers know that people reuse passwords, so once they obtain a password for one account, they will try it for other accounts.
In addition to using weak passwords for employee and service accounts, businesses often use the default passwords that network devices (e.g., routers, appliances) ship with. This is a dangerous practice, as hackers are familiar with these default passwords.
Educating everyone on how to create unique, strong passwords is one way to combat the password problem. However, due to the sheer number of passwords people need to remember, they might resort to their old habits or even start writing down passwords. For this reason, you might consider using a password manager designed for businesses. Another measure you can take is using two-step verification for accounts when possible.
3. Leaving Software and Firmware Unpatched
Security vulnerabilities are often discovered in software and firmware. In response, vendors typically release updates that fix the flaws. If the patches are not installed, cybercriminals can exploit the vulnerabilities to gain access to the software and firmware. Using that access, hackers can install malware or perform other malicious acts.
To avoid this situation, it is important to install all the security patches that have been released for the software and firmware used by your business. This might seem like a tall order, but the consequences of not doing so are too serious to ignore.
Besides installing patches, you need to make sure that all your applications are still supported by their vendors. Like any product, software programs have lifecycles. When an application reaches the end of its lifecycle, the vendor will no longer issue any type of updates for it, including patches that fix newly discovered security vulnerabilities. Many cybercriminals keep track of when vendors stop supporting popular applications. Once the support has ended, they launch new cyberattacks that target those applications.
4. Neglecting to Secure Mobile Devices
Using mobile devices for work has advantages, regardless of whether those devices are company-provided or personal. Employees can access business emails, data, and applications at any time from almost anywhere. The flexibility and convenience often improve employee productivity.
However, mobile devices that are not properly secured can put businesses at risk. In 2016, the number of malware attacks against mobile devices rose sharply, and security researchers expect the number to continue to rise in 2017. Even worse, these devices are increasingly being used as entry points into businesses’ networks. Security experts predict that one in five employees will cause network breaches in 2017. Unknowingly, these employees will either upload malware from their mobile devices to their companies’ networks or expose network credentials when they log in from malicious Wi-Fi hotspots.
To prevent these types of problems, you need to make sure that your business has a comprehensive plan to secure your mobile devices. What it should cover depends on whether your employees use company-provided mobile devices, their own personal devices, or both.
5. Ignoring the Human Element in IT Security
Hackers take advantage of the fact that many companies ignore the human element in IT security. By tricking employees into divulging sensitive data, clicking dangerous links, and opening malicious attachments, cybercriminals can get past security systems and perform malicious acts. Untrained employees and phishing attacks are the top two causes of data leaks in companies, according to a 2016 report on IT security risks.
Your employees, however, do not have to be a weak spot. They can provide a formidable line of defense against cybercrime if you educate them about common security threats and teach them some basic skills, such as how to spot spear phishing emails.
Unfortunately, no amount of training will help combat insider attacks, which account for 7 percent of data leaks in companies. An effective way to address insider threats is to follow the principle of least privilege — that is, limiting employees’ access to the minimal level that will allow them to perform their job duties. Using access control tools is also effective.
The Next Step
Knowing about the common security mistakes made by small and midsize businesses is the first step in avoiding them. The next step is to start taking measures to prevent them. You might have some of them in place already, such as having anti-malware software installed. We can help you with the rest so that your IT systems stay secure.