What some companies consider to be minor gaps in their security controls, training programs, or policies and procedures are in fact the source of avoidable stress, expenses, and reputational damage. At LMG Security we often see these small gaps lead to security incidents and data breaches that could have been easily avoided – not through expensive security tools or highly sophisticated cybersecurity programs – but by taking basic steps to secure systems and educate employees. In fact, companies often end up spending more time and money responding to and remediating incidents than they would have spent addressing the gaps to begin with.
Here are some common security gaps that forensics consultants at LMG have seen lead to security incidents and data breaches, listed roughly in order of frequency:
- Weak passwords for cloud accounts and a lack of 2-Factor Authentication – This is rampant, and a huge problem for Office 365 in particular. In one case, a user changed their password during the containment phase of a forensics investigation, only to have the attacker log back in a couple of hours later – the new password was not much different from the original.
- Lack of visibility into account activity because logging, monitoring, and alerting are not set up or not being used – Again, this is an issue with Office 365 and other cloud services as well as network compromises. This may mean an attack goes on for several months before it is even detected.
- Ports are left exposed to the Internet, making them vulnerable to a brute-force attack – This is a huge problem with Remote Desktop Protocol (RDP) in particular.
- Insufficient guidelines or policies surrounding cloud storage and security – Staff are dumping huge amounts of unencrypted data in poorly secured cloud accounts (e.g., SharePoint). We have seen hundreds of thousands of PII records stored unencrypted in the cloud.
- Lack of a data retention policy – More data means more risk! We have handled data breaches involving data going back as far as 30 years, which ultimately increased the severity of the breach.
- Employees not sufficiently trained on handling phishing emails – Additionally, email attachments are not being scanned for malware, allowing malicious attachments to get through to users.
- Lack of an acceptable use policy, or staff are not educated on it – This is especially true with regard to mobile devices. One instance involved a user who had a plaintext password list on their smartphone, which was believed to be compromised.
- Antivirus not up-to-date, especially with regard to catching crypto-miners – This will always be a cat-and-mouse game, but crypto-miners seem to be a big gap for a lot of antivirus programs!
As you can see, security incidents often result from simple mistakes made by employees and from technical security weaknesses. Fortunately, you can be proactive by taking steps to minimize your risk of a similar compromise:
- Identify and keep track of your data. You can’t sufficiently protect your data if you don’t know where it is! Identify sensitive information and track how it is stored, processed, and transmitted. Define and communicate security requirements for handling this data and implement technical controls to enforce those requirements. Consider whether you’ll allow personal devices, cloud storage, or USB drives.
- Maintain cybersecurity policies and procedures, and ensure your employees are educated on them. Cybersecurity policies and procedures can be developed internally or by a third party, and should be communicated throughout employment. Update policies and procedures regularly to reflect any changes in your business environment or technology. For instance, if your company decides to allow the use of cloud storage, then policies and procedures should address guidelines and security requirements for use of these platforms.
- Provide cybersecurity awareness training to employees. Employees are on the front lines working with the technology and data that your company needs to protect, but unfortunately, they also tend to be the source of compromise. Employees should attend recurring training to support awareness of security best practices and methods for combating trending threats such as phishing emails, password guessing, ransomware, and more.
- Test your security to proactively identify and remediate weaknesses. Ignorance may be bliss, but it will most assuredly lead to a security incident or data breach. Testing might confirm your security controls are robust and effective, or reveal weaknesses you didn’t know existed. Either way, both non-technical and technical testing should be performed to continually assess your security posture and help you stay one step ahead. This may include security controls assessments, penetration tests, vulnerability assessments, and more.
Whether you already have an established security program or are just getting started, don’t forget about the basics of your security infrastructure. Contact LMG Security to help with your policy and procedure development, cybersecurity training, and security testing needs!