Views, News & more
Your organisation's cybersecurity is worse than you think.
If a system has vulnerabilities, ethical hackers say they can typically exfiltrate data inside 5 hours.
According to one survey, 47% of organisations take 2-7 days to apply critical patches. 13% have to wait for quality-assessment of the patch to be completed first. Another 12% deploy critical patches only when they have the time. This means hackers may be able to exploit known vulnerabilities before the related patches have been applied.
A Gartner survey in 2022 found that 74% of employees would ignore cyber security policies if that would help them achieve business objectives. 69% had actually done so in the prior 12 months.
Less than a quarter of firms are fully confident ex-employees no longer have access to company infrastructure. Does your organisation routinely change ALL passwords an employee has access to when they leave?
Bring-your-own-device (BYOD) saves money, but can be a security risk. A survey by BlackCloak found that 87% of executives' personal devices have no security installed. The same survey found that 53% of executives are not using a secure password manager and 54% have poor password hygiene practices.
Even techies who know better can have sufficiently lax personal IT security to cause serious problems for their employers. Surprisingly, Gen Z and Millennial Workers are bigger cybersecurity risks than older employees.
Most firms assume devices connected to their LAN are trustworthy. They're free to access the internet, scan network traffic and contact pretty much any hostname on the same subnet.
It's not just servers, desktops and laptops you need to secure. There are other devices on your network running software that could allow an attacker to maintain access to your network.
You would hope that users wouldn't be stupid enough to pick up a CD/USB stick on the floor near your office and plug it into their logged-on work computer. However, if you haven't disabled autorun, you're relying on hope. In regards to USB media, you probably haven't blocked the ability of staff to copy confidential data to USB media.
You think you know how your network is being used. But if you don't have network monitoring tools in place, there's a good chance your office LAN is being used for more than just the stuff of which you're aware. This can include unauthorised remote-access tools, p2p file-sharing, unauthorised communication apps etc.
For many cloud apps, you're probably still using username and passwords that are seldom changed, often insecure and often shared among multiple users, even though single-sign-on may be an option.
Some employees may be giving out their work email address when setting up non-work accounts and reusing the same password on some work systems. When one account credential leaks, this risks hackers using the email/password combination on other sites in the hope that passwords are reused.
You have data backups, but if you're hit by a ransomware attack, how can you be sure your backups won't have already been compromised? If your backup solution doesn't check your files for malware before backing them up, you have a problem.
You think you've got backups, but have you actually tried to fully restore everything from them? If the answer is no, how can you be sure your backups can be restored in full and in a reasonable timeframe? Even if you can restore your files, what about your databases and your Microsoft 365 data?
Your organisation has confidential data - customer lists, contact lists, financial data, confidential designs, files containing a lot of personal identifiable information (PPI). There's a good chance you are failing to scan your network traffic to limit who can email such data to external parties or upload such data to the web.
You probably have a few self-hosted web applications you assume are safe because only employees know about them.
Unfortunately, they may be discoverable by external hackers - due to hostnames appearing in SSL certificate logs, reverse-DNS entries, search engines stumbling upon the site, or the subdomain being guessable.
This can become a problem if you're not patching such software to keep it up-to-date.
You're assuming you're fairly secure but not getting external ethical hackers to test that assumption.
If you can afford it, penetration testing is a sensible way to hold yourself accountable on security. Pen tests let you know how well or how poorly you're doing, and suggest which high priority issues should be fixed first.
Such servers also need firewalls, OS patching and application patching. Even if you outsource the physical hosting or infrastructure layer, you still remain responsible for aspects of security.
If your apps are for your organisation's customers, suppliers or the general public, that's not a problem. However, if such systems are only supposed to be used by your employees, access ought to be restricted, for example, to your VPN users.
For example, your web server might reveal which version of Apache/IIS/PHP/MySQL you are running. This allows hackers to develop lists of systems that can be attacked once a security vulnerability is discovered that affects that particular version. Search lists are also shared. Search engines such as Shodan.io exist that allow for hosts running particular software to be quickly discovered.
Most professional programmers use software libraries rather than write everything themselves from scratch. This improves security, but means you're vulnerable to bugs in software you didn't realise you were using.
Bug fixes can take a while to make their way downstream to the systems you use. This creates a window of vulnerability.
SaaS apps such as Microsoft 365, Google Workspace or Salesforce have plenty of software integrations. If you allow a free-for-all on use of such integrations, there's a danger that your users will innocently create many a backdoor that could be misused.
EY found that Gen Z staff are more likely than other age cohorts to ignore your IT policies for as long as they can. Gen X are also more likely than baby boomers to use the same passwords on work and personal accounts.
Brute force attempts to crack passwords from leaked hashes are getting faster, due to improvements in hardware.
This provides a potential way for successful attackers to lurk in your network, scanning for vulnerabilities and awaiting malicious instructions.
Network traffic filtering mostly works off blocklists and allowlists. They are vital, but aren't complete.
20% of newly observed domains are malicious according to Akamai, i.e. blocklists are helpful but aren't enough to fully protect you from harmful sites and emails.
MFA is good, but not foolproof. Attackers can conduct phishing attacks which attempt to trick users into using a malicious proxy.
Hackers can bombard the service with login attempts so that the user is overwhelmed with login approval requests. This results in 'MFA fatigue,' where users, sick of their phone continually bleeping and interrupting them, approve a login attempt to try to make the problem go away.
Some MFA implementations rely on SMS messages, even though these are not secure, due to the overly-trusting nature of SS7 and mobile phone network operators routinely allowing fraudulent 'SIM swapping.'
There's a good chance you wouldn't spot if someone tried to use one of your privileged accounts to do things they weren't supposed to. Timely oversight of such accounts is often lacking.
Your organisation's data should always be encrypted at rest. In practice, that may not be happening, for example because the Windows 10 or 11 PCs you use at work don't have BitLocker disk encryption enabled. Even if that encryption is enabled on employer-issued devices, it may not be in place on employee-owned devices used to access company resources. There's also a chance your backups aren't being encrypted.
Cyber-insurance is issued on the proviso that your answers about your IT security practices are accurate. If it later transpires, post hack, that you weren't doing what you claimed to be doing, your claim might be refused, leaving you to pick up the bill of fixing any attack.
Even the biggest companies do not have perfect cybersecurity.
Your organisation doesn't have to be perfect. It just has to have a sufficiently high level of cybersecurity that hackers will pick on someone else, or fail to turn an initial compromise of one of your systems into something bigger.
Here are 30 cybersecurity measures you can take to reduce your likelihood of becoming a victim of a cyber attack.
To find out more about hSo's services for UK-based organisations, call 020 7847 4510 or fill in the form below.