One of the most interesting callouts from the 2015 Verizon Data Breach Investigations Report was this:
99.9% of exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) entry was published.
Let me help you read between the lines – if you were hacked through an already-known, unpatched weak point, the breach was your fault. You could have prevented it.
Of course, this isn’t uncommon. Many of today’s intrusions could have been prevented simply by creating and following good security practices. To help us all adopt better behavior, below we share five security best practices to put into place to help prevent future hacks. The first three can be performed by anyone; the last two you can go ahead and forward to your IT folks.
Keep current with patches. Have we driven this point home enough? I think we have, but I’ll say it again. If you work in an organization where security depends on someone initiating system patches, do not delay in doing so. If you frequently work at home, make an effort to stay up-to-date on patches there as well. It’s quite literally the least you can do: in the DBIR’s data, nearly every exploited vulnerability had a fix available for more than a year, so applying patches promptly would have closed almost all of them.
Use strong passwords. Do you have a company “password?” A single string of characters your organization uses for every company (and client!) email account, site login, and social network, as well as every document or business asset located on your server? It’s probably something like “Company123” or “Organization + Area Code.” Are you realizing right now how silly that is?
Instead of making it easy for someone to steal company information, use strong passwords. A strong password is long and unpredictable: generated at random, or a long passphrase, rather than a familiar word with a few substitutions. Mixing upper case, digits and symbols helps only insofar as it makes the password harder to guess; “Company123” satisfies most complexity rules and is still among the first things an attacker tries. Because they are unpredictable, strong passwords fall outside wordlists and precomputed tables such as rainbow tables, and every extra character multiplies the search space an attacker has to cover. (Rainbow tables are properly defeated on the server side by salting each stored hash, but you rarely control how a service stores your password, so length and randomness are on you.) Use a different strong password for every account, please; a password manager makes that practical.
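To make the point concrete, the following Python script is an added example and not part of the original article. It contrasts the naive “character classes times length” strength estimate that complexity rules measure with the real entropy of a randomly generated password, flags passwords that match a word-plus-suffix pattern, and shows why a per-user salt makes precomputed hash tables useless. The word list, mangling pattern and the guess rate of ten billion per second are constructed assumptions for illustration, not measurements.

```python
import hashlib
import math
import re
import secrets
import string

# Constructed stand-in for the first entries of an attacker's wordlist (assumption).
COMMON_BASES = ("company", "organization", "password", "welcome", "summer")
# Typical mangling rule: optional punctuation, up to four digits (year, area code), punctuation.
MANGLE_SUFFIX = r"[!@#$%^&*]{0,2}\d{0,4}[!@#$%^&*]{0,2}"
# Assumed offline cracking rate for a fast hash on commodity GPUs (order of magnitude only).
GUESSES_PER_SECOND = 1e10


def charset_bits(password: str) -> float:
    """Naive estimate used by complexity rules: length * log2(alphabet of classes present).

    This treats "Company123" as a random 10-character string over 62 symbols,
    which wildly overstates how hard it is to guess.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_predictable(password: str) -> bool:
    """True if the password is a common base word plus a typical mangling suffix."""
    lowered = password.lower()
    return any(re.fullmatch(re.escape(base) + MANGLE_SUFFIX, lowered) for base in COMMON_BASES)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Real entropy of a password chosen uniformly at random: an attacker has no shortcut."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate in a 2**bits search space at the given guess rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length: int = 16) -> str:
    """Random password from the 94 printable non-space ASCII characters (CSPRNG)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unsalted_hash(password: str) -> str:
    """Legacy storage: the same digest for every user with this password, so one
    precomputed (rainbow) table, or one cracked hash, answers for all of them."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Per-user salt plus a slow KDF: a table built without this exact salt is useless,
    and each guess costs the attacker `iterations` hash computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    weak = "Company123"
    strong = generate_password(16)
    print(f"{weak!r}: naive estimate {charset_bits(weak):.1f} bits, "
          f"predictable={is_predictable(weak)} (cracked in the first seconds)")
    print(f"{strong!r}: {random_password_bits(94, 16):.1f} real bits, "
          f"~{years_to_exhaust(random_password_bits(94, 16)):.2e} years to exhaust")
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    print("unsalted digests equal:", unsalted_hash(weak) == unsalted_hash(weak))
    print("salted digests equal:  ", salted_hash(weak, salt_a) == salted_hash(weak, salt_b))
```

Run it and compare the two lines: the naive estimate credits “Company123” with about 59 bits, yet the pattern check catches it immediately, while the random 16-character password has about 105 bits that cannot be shortcut. The last two lines show the server-side half of the rainbow-table story.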
Use two-factor authentication. Two-factor authentication (sometimes referred to as 2FA) is a security process which adds an extra step to your basic log-in procedure. Instead of granting access on a single password, two-factor authentication requires the user to present two of the three types of credential below, from two different categories (a second password is not a second factor).
The three types are:
- Something you know, such as a password or PIN
- Something you have, such as an ATM card or phone
- Something you are, such as a fingerprint or retina scan
Using two-factor authentication reduces risk because a password that has been guessed, phished, or reused from another breach is no longer enough on its own to log in. With so many organizations relying on shared computers where a single password opens the system, two-factor authentication is becoming more prominent.
However, even with two-factor authentication, attackers can still get in: by stealing the physical second factor, by phishing the one-time code and relaying it to the real site before it expires, or by gaining access to the session cookies or tokens left on the device after login (for example through malware). So it’s worth noting that even with this added layer, employee training is still of the utmost importance.
Create a security policy. You have a sick time policy. You have certain HR policies. You may even have a policy to govern company social media use. Does your organization have a security policy? It needs one.
The purpose of your security policy is to govern the steps and procedures the organization takes to protect its business assets and information, while also educating employees on their part in company security. Areas in your security policy may include:
- Password policy (see above note on strong passwords)
- Remote access policy
- Backup policy
- Bring Your Own Device (BYOD) policy
- Recovery procedures
- Internet usage
- How to comply with HIPAA (if you handle health information)
Create a security policy not only to save your behind later, but to help educate your team on what is expected of them and why security matters.
Create training around your security policy. You have the security policy in place; now really drive it home. The most effective thing you can do to avoid being hacked is to educate your team. Equip them with training that reinforces the policy you laid out. Educate them on how to protect company data, the basics of security, and phishing and social engineering, and put them face-to-face with real-life examples to see how they navigate situations. Make sure they understand why not to conduct business over the free Wi-Fi at the local McDonald’s, and how to safely do business while traveling. Your staff members are often your first and last lines of defense. Invest in them.
If we understand that most security blunders are preventable, then we are more empowered to put the necessary training, policies, and education in place to actually prevent them. By following the security best practices outlined above, we can all increase the security of our organizations.