Why Your Cybersecurity is Worse Than You Think


Your organisation's cybersecurity is worse than you think.

Your Patching is Too Slow

If a system has vulnerabilities, ethical hackers say they can typically exfiltrate data inside 5 hours.

According to one survey, 47% of organisations take 2-7 days to apply critical patches. 13% have to wait for a quality assessment of the patch to be completed first. Another 12% deploy critical patches only when they have the time. Set against the 5-hour figure above, this means attackers may well be able to exploit a known vulnerability before the related patch has been applied.

A Majority of Your Users Are Willing to Flout Your Cybersecurity Policies

A Gartner survey in 2022 found that 74% of employees would ignore cyber security policies if that would help them achieve business objectives. 69% had actually done so in the prior 12 months.

Ex-Employees Can Still Access Some of Your IT Resources

Less than a quarter of firms are fully confident ex-employees no longer have access to company infrastructure. Does your organisation routinely change ALL the shared passwords a departing employee knew, rotate any API keys and service-account credentials they had access to, and revoke their active sessions and tokens, rather than just disabling their primary account?

Employees' Personal Device Security Practices Are Generally Woeful

Bring-your-own-device (BYOD) saves money, but can be a security risk. A survey by BlackCloak found that 87% of executives' personal devices have no security installed. The same survey found that 53% of executives are not using a secure password manager and 54% have poor password hygiene practices.

Even techies who know better can have sufficiently lax personal IT security to cause serious problems for their employers. Surprisingly, Gen Z and millennial workers are bigger cybersecurity risks than older employees.

Devices Connected to Your Office LAN Are Overly Trusted

Most firms assume devices connected to their LAN are trustworthy. Such devices are free to reach the internet, sniff network traffic and contact pretty much any host on the same subnet, with nothing checking what the device is or who is using it.

No-One is Patching Your Printers, Phones and Print Queue Servers

It's not just servers, desktops and laptops you need to secure. There are other devices on your network running software that could allow an attacker to maintain access to your network.

Autorun Isn't Blocked. Copying to USB Media is Still Allowed

You would hope that users wouldn't be foolish enough to pick up a CD or USB stick found near your office and plug it into their logged-on work computer. However, if you haven't disabled AutoRun and AutoPlay, you're relying on hope. As for USB media, you probably haven't blocked staff from copying confidential data onto it either.

You're Not Scanning Your Network for Signs of Unauthorised Shadow IT

You think you know how your network is being used. But if you don't have network monitoring tools in place, there's a good chance your office LAN is being used for more than just the stuff of which you're aware. This can include unauthorised remote-access tools, p2p file-sharing, unauthorised communication apps etc.

You're Only Using Multi-Factor Authentication (MFA) and Single Sign-On (SSO) for a Minority of Applications

For many cloud apps, you're probably still using usernames and passwords that are seldom changed, often weak and often shared among multiple users, even though single sign-on may be an option.

You're Not Scanning the Dark Web for Breaches Associated with Your Employees' Work Email Addresses

Some employees may be giving out their work email address when setting up non-work accounts and reusing the same password on some work systems. When one account's credentials leak, attackers will try the email/password combination on other sites and services (credential stuffing) in the hope that the password has been reused.
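One practical countermeasure is to check new and existing passwords against a corpus of leaked credentials without ever sending the password itself. The following is an added example, not code from the original article: it implements the k-anonymity range lookup popularised by Have I Been Pwned's Pwned Passwords service. Only the first five hex characters of the password's SHA-1 hash are sent; the service returns every matching hash suffix in that range and the client does the comparison locally. The network call is stubbed with a constructed response (the "SUFFIX:COUNT" line format follows the public API, but the counts are made up) so the example runs offline.

```python
"""Check a password against a breach corpus using a k-anonymity range
lookup, so the password never leaves the client.

Added example, not code from the original article. The HTTP fetch is
stubbed with a constructed response body so it runs offline; the format
(one upper-case "HASH_SUFFIX:COUNT" line per match) follows the public
Pwned Passwords API, but the counts here are invented."""
import hashlib

# Constructed stand-in for the body of GET /range/5BAA6 (real counts differ).
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F6E2B1B1E9C8A0F7A6E5D4C3B2A1908F7E:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the network call. A real client would GET
    https://api.pwnedpasswords.com/range/<prefix>; here we serve the
    constructed body, and an empty string for any other prefix."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str) -> int:
    """Return how many times the password appears in the corpus (0 if it
    does not). Because only the prefix is disclosed, the service cannot
    tell which of the hundreds of hashes in the range was of interest."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, reject it" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

Wire a check like this into password changes and into periodic audits of existing hashes; a password that has appeared in a breach is a credential-stuffing hit waiting to happen regardless of how long or complex it looks.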

Your Backups Aren't Scanned for Signs of Malware Infection

You have data backups, but if you're hit by a ransomware attack, how can you be sure your backups haven't already been compromised? Attackers often sit inside a network for days or weeks before encrypting it, so the malware may already be inside recent backup sets. If your backup solution doesn't check files for malware before backing them up, you have a problem.

You Don't Run Full System Restoration Tests

You think you've got backups, but have you actually tried to fully restore everything from them? If the answer is no, how can you be sure your backups can be restored in full and in a reasonable timeframe? Even if you can restore your files, what about your databases and your Microsoft 365 data?

Your Web Traffic Isn't Scanned for Signs of Confidential Data Leakage

Your organisation holds confidential data: customer lists, contact lists, financial data, confidential designs, files containing a lot of personally identifiable information (PII). There's a good chance you are not inspecting outbound network traffic to control who can email such data to external parties or upload it to the web.
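To make the point concrete, here is an added example (not code from the original article) of the kind of content rules a data-loss-prevention engine applies to an outbound email or web upload: payment card numbers validated with the Luhn checksum so that phone numbers and order references don't trigger it, a count of email addresses to spot contact-list exports, and explicit classification markings. The sample messages, the bulk-email threshold and the rule set are all constructed for illustration; the card number used is the well-known Visa test number.

```python
"""Scan outbound content for signs of confidential data.

Added example, not code from the original article. The rules are a
minimal illustration of what a DLP engine does to outbound web and
e-mail traffic; the threshold and sample texts are constructed."""
import re

# Runs of 13-19 digits optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MARKING_RE = re.compile(r"\b(?:confidential|internal only|restricted)\b", re.I)

# Assumed threshold: more than a handful of addresses looks like a list export.
BULK_EMAIL_THRESHOLD = 5


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real card number (PAN) satisfies. It
    filters out phone numbers, order IDs and other digit runs that
    merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit-only PANs found in the text that pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify_outbound(text: str) -> dict:
    """Return the DLP findings for one outbound message or upload body
    and whether policy would block it."""
    cards = find_card_numbers(text)
    emails = EMAIL_RE.findall(text)
    markings = {m.lower() for m in MARKING_RE.findall(text)}
    reasons = []
    if cards:
        reasons.append(f"{len(cards)} payment card number(s)")
    if len(emails) > BULK_EMAIL_THRESHOLD:
        reasons.append(f"{len(emails)} e-mail addresses (possible contact-list export)")
    if markings:
        reasons.append("classification marking: " + ", ".join(sorted(markings)))
    return {"block": bool(reasons), "reasons": reasons,
            "cards": cards, "email_count": len(emails)}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        "Please charge card 4111 1111 1111 1111 for the order.",
        "Order ref 4111 1111 1111 1112, phone 020 7847 4510.",
        "Draft marked INTERNAL ONLY - do not share",
        "See you at 3pm, call 020 7847 4510 if late.",
    ]
    for s in samples:
        print(classify_outbound(s))
```

Real DLP products add fingerprinting of known documents, optical character recognition for images and TLS interception so they can see inside HTTPS uploads; the logic above is the core pattern-matching layer those build on.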

You're Relying on Security By Obscurity

You probably have a few self-hosted web applications you assume are safe because only employees know about them.

Unfortunately, they may be discoverable by external attackers: every publicly trusted TLS certificate issued for a hostname is recorded in Certificate Transparency logs that anyone can search, and hostnames also leak via reverse-DNS entries, search engines stumbling upon the site, or the subdomain simply being guessable.

This becomes a real problem if you're not patching such software to keep it up to date, because "nobody knows it's there" is doing all the work of protecting it.
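You can see for yourself what Certificate Transparency reveals about your own domain. The following is an added example, not code from the original article: it parses a crt.sh-style JSON response, collects the distinct hostnames under the organisation's domain from each certificate's subject alternative names, and flags those whose labels suggest an internal application. The network call is stubbed with a constructed response (the hostnames, issuers and the example.com domain are invented, and the record layout mirrors what crt.sh returns with output=json, which is an assumption to verify against the live service) so that it runs offline.

```python
"""List an organisation's hostnames that are already public via
Certificate Transparency logs, and flag internal-looking ones.

Added example, not code from the original article. The fetch is stubbed
with a constructed crt.sh-style JSON body so it runs offline; the record
layout (objects with a newline-separated "name_value" field) is assumed
to mirror https://crt.sh/?q=%25.<domain>&output=json."""
import json
import re

ORG_DOMAIN = "example.com"  # assumed organisation domain

# Labels that suggest an internal-only application exposed by its cert.
INTERNAL_HINTS = ("intranet", "vpn", "jira", "wiki", "git", "dev",
                  "staging", "admin", "hr")

CONSTRUCTED_CRTSH_BODY = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "intranet.example.com",
     "name_value": "intranet.example.com\nhr-portal.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging-jira.example.com",
     "name_value": "staging-jira.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com.evil.test",  # lookalike outside our zone
     "name_value": "www.example.com.evil.test"},
])


def fetch_ct_records(domain: str) -> str:
    """Stand-in for GET https://crt.sh/?q=%25.<domain>&output=json."""
    return CONSTRUCTED_CRTSH_BODY


def hostnames_from_ct(domain: str) -> list[str]:
    """Return the distinct, non-wildcard hostnames under `domain` that
    appear in any logged certificate's SAN list, sorted. Names outside
    the zone (e.g. lookalike domains) are dropped."""
    names = set()
    for record in json.loads(fetch_ct_records(domain)):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().lstrip("*.")
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def likely_internal(hostnames: list[str]) -> list[str]:
    """Subset of hostnames with a label that hints at an internal app an
    outsider could now go looking for."""
    return [h for h in hostnames
            if any(re.search(rf"(^|[.-]){hint}([.-]|$)", h) for hint in INTERNAL_HINTS)]


if __name__ == "__main__":
    public = hostnames_from_ct(ORG_DOMAIN)
    print("hostnames in CT logs:", public)
    print("internal-looking:", likely_internal(public))
```

Wildcard certificates hide individual hostnames from CT, but the names still leak through DNS, reverse DNS and guessing, so treat this as a lower bound on what an attacker can enumerate.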

You're Not Running Penetration Tests

You're assuming you're fairly secure but not getting external ethical hackers to test that assumption.

If you can afford it, penetration testing is a sensible way to hold yourself accountable on security. Pen tests let you know how well or how poorly you're doing, and suggest which high priority issues should be fixed first.

You May Not Be Keeping Your Hosted Servers Safe

Such servers also need firewalls, OS patching and application patching. Even if you outsource the physical hosting or infrastructure layer, you still remain responsible for aspects of security.

Your Self-Hosted Web Apps May Be Visible to General Internet Users, Not Just Your LAN/WAN/VPN Users

If your apps are for your organisation's customers, suppliers or the general public, that's not a problem. However, if such systems are only supposed to be used by your employees, access ought to be restricted, for example, to your VPN users.

Your Apps Reveal Version Info Unnecessarily

For example, your web server might reveal which version of Apache, IIS, PHP or MySQL you are running. This lets attackers build lists of systems to hit as soon as a vulnerability affecting that particular version is published. Such lists are also shared. Search engines such as Shodan.io let anyone quickly find hosts running particular software.
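A quick way to check your own servers for this is to look at the response headers. The following is an added example, not code from the original article: it parses two constructed raw HTTP responses, one from a server that leaks versions and one after hardening (the Apache `ServerTokens Prod`, nginx `server_tokens off` and PHP `expose_php = Off` settings are the usual fixes), and reports any banner header that still carries a version string. The header values are invented for illustration.

```python
"""Flag HTTP response headers that disclose software versions.

Added example, not code from the original article. Instead of a network
request it parses two constructed raw responses; the header values are
invented for illustration."""
import re

# Headers that commonly carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                  "x-aspnetmvc-version", "x-generator")
# Dotted version numbers, allowing a trailing letter as in OpenSSL/1.1.1f.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+[a-z]?\b")

CONSTRUCTED_LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Same server after ServerTokens Prod and expose_php = Off.
CONSTRUCTED_HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response: str) -> dict[str, str]:
    """Return the response headers as a lower-cased name -> value dict."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw_response: str) -> dict[str, list[str]]:
    """Map each banner header present to the version strings it reveals.
    A header naming a product without a version (e.g. "Apache") is not
    reported; an empty dict means nothing version-specific leaked."""
    findings = {}
    for name, value in parse_headers(raw_response).items():
        if name in BANNER_HEADERS:
            versions = VERSION_RE.findall(value)
            if versions:
                findings[name] = versions
    return findings


if __name__ == "__main__":
    print("leaky:", version_disclosures(CONSTRUCTED_LEAKY_RESPONSE))
    print("hardened:", version_disclosures(CONSTRUCTED_HARDENED_RESPONSE))
```

Hiding the banner does not make an old version safe, it only stops you advertising it; patching is still what closes the hole.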

Some of Your Apps Depend On Insecure Software

Most professional programmers use software libraries rather than write everything themselves from scratch. That is usually good for security, since well-tested libraries beat home-grown code, but it means you're exposed to bugs in software you didn't realise you were using.

Bug fixes can take a while to make their way downstream to the systems you use, creating a window of vulnerability. Keeping an inventory of which libraries each application depends on is what lets you answer "are we affected?" quickly when a library vulnerability is announced.

SaaS App Integrations Could Allow Data Leakage or Third-Party Control of Individual User Accounts

SaaS apps such as Microsoft 365, Google Workspace or Salesforce have plenty of software integrations. If you allow a free-for-all on the use of such integrations, there's a danger that your users will innocently create many a backdoor that could be misused: each third-party app a user consents to is granted standing access to that user's data. Review which apps have been granted access and restrict users' ability to approve new ones.

You Employ Generation Z Staff Who Ignore IT Policy

EY found that Gen Z staff are more likely than other age cohorts to ignore your IT policies for as long as they can. Gen X are also more likely than baby boomers to use the same passwords on work and personal accounts.

Some of Your Employees' Passwords Aren't Long Enough

Brute-force attempts to crack passwords from leaked hashes are getting faster, due to improvements in hardware. An attacker who obtains your password hashes can try billions of guesses per second offline on consumer GPUs. Each extra character multiplies the number of guesses needed, which is why length does far more for you than forced complexity rules.

Patching of IoT Devices (Printers, Phones, CCTV, Entry Systems etc) is Patchy

This gives attackers who get in a place to lurk on your network, scanning for vulnerabilities and awaiting further instructions, on devices your endpoint security tools don't cover.

Blocklists Miss Threats from New Domains and Changes to Old Domains

Network traffic filtering mostly works off blocklists and allowlists. They are vital, but aren't complete.

20% of newly observed domains are malicious according to Akamai, i.e. blocklists are helpful but aren't enough to fully protect you from harmful sites and emails.

Multi-Factor Authentication Can Be Beaten

MFA is good, but not foolproof. Attackers can run phishing campaigns that lure users to an adversary-in-the-middle proxy, which relays the genuine login page, passes the user's password and MFA code straight through to the real service, and captures the authenticated session cookie that comes back.

Hackers who already have a user's password can bombard the service with login attempts so that the user is overwhelmed with login approval requests. This results in 'MFA fatigue,' where users, sick of their phone continually bleeping and interrupting them, approve a login attempt to make the problem go away. Number matching (the user must type a code shown on the login screen into the authenticator) defeats this, as does alerting on bursts of push prompts.

Some MFA implementations rely on SMS messages, even though these are not secure, because the SS7 signalling network is overly trusting and mobile operators can be talked into fraudulent 'SIM swaps' that redirect a victim's number to an attacker's handset.
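The push-bombing pattern above is straightforward to detect in sign-in logs. The following is an added example, not code from the original article: it groups MFA prompt events by user and source IP into bursts, alerts on any burst of at least five prompts inside ten minutes, and rates a burst that ends in an approval as high severity because that is the signature of a worn-down user accepting a prompt they did not start. The log lines are constructed in a simplified whitespace-separated form (timestamp, user, source IP, MFA result); real identity providers use their own schemas, and the window and threshold are assumptions to tune against your own baseline.

```python
"""Detect MFA push-bombing ("MFA fatigue") in sign-in logs.

Added example, not code from the original article. The log lines are
constructed in a simplified format (timestamp user ip result); real
identity providers use their own schemas, and the thresholds are
assumptions to tune against your own baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: max gap between prompts in one burst
PROMPT_THRESHOLD = 5             # assumed: prompts in a burst that warrant an alert

CONSTRUCTED_SIGNIN_LOG = """\
2024-03-04T08:01:10Z alice 203.0.113.7 denied
2024-03-04T08:01:40Z alice 203.0.113.7 denied
2024-03-04T08:02:05Z alice 203.0.113.7 timeout
2024-03-04T08:02:50Z alice 203.0.113.7 denied
2024-03-04T08:03:30Z alice 203.0.113.7 denied
2024-03-04T08:04:12Z alice 203.0.113.7 approved
2024-03-04T08:05:00Z bob 198.51.100.20 approved
2024-03-04T09:10:00Z carol 192.0.2.33 denied
2024-03-04T09:30:00Z carol 192.0.2.33 approved
2024-03-04T22:15:00Z dave 203.0.113.7 denied
2024-03-04T22:15:30Z dave 203.0.113.7 denied
2024-03-04T22:16:00Z dave 203.0.113.7 timeout
2024-03-04T22:16:45Z dave 203.0.113.7 denied
2024-03-04T22:17:20Z dave 203.0.113.7 denied
"""


def parse_log(text: str):
    """Yield (timestamp, user, ip, result) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_push_bombing(text: str) -> list[dict]:
    """Return one alert per burst of >= PROMPT_THRESHOLD prompts for the
    same (user, source IP), where consecutive prompts are no more than
    WINDOW apart. A burst that contains an approval is rated high: the
    attacker very likely now holds a valid session."""
    events = defaultdict(list)
    for ts, user, ip, result in parse_log(text):
        events[(user, ip)].append((ts, result))

    alerts = []
    for (user, ip), seq in events.items():
        seq.sort()
        bursts, current = [], []
        for ts, result in seq:
            if current and ts - current[-1][0] > WINDOW:
                bursts.append(current)
                current = []
            current.append((ts, result))
        if current:
            bursts.append(current)

        for burst in bursts:
            if len(burst) < PROMPT_THRESHOLD:
                continue
            approved = any(r == "approved" for _, r in burst)
            alerts.append({
                "user": user, "ip": ip,
                "first_prompt": burst[0][0].isoformat(),
                "prompts": len(burst),
                "approved": approved,
                "severity": "high" if approved else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(CONSTRUCTED_SIGNIN_LOG):
        print(alert)
```

On the constructed log this raises a high-severity alert for alice (six prompts, then an approval) and a medium one for dave (five prompts, none approved, an attack still in progress); bob and carol are left alone. The high-severity case should trigger an immediate session revocation and password reset, not just a ticket.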

No Detailed Audit Trail of Privileged Account Use

There's a good chance you wouldn't spot if someone tried to use one of your privileged accounts to do things they weren't supposed to. Timely oversight of such accounts is often lacking.

You're Not Using Disk Encryption Enough

Your organisation's data should always be encrypted at rest. In practice, that may not be happening, for example because the Windows 10 or 11 PCs you use at work don't have BitLocker disk encryption enabled. Even if that encryption is enabled on employer-issued devices, it may not be in place on employee-owned devices used to access company resources. There's also a chance your backups aren't being encrypted.

Cyberinsurers May Refuse To Pay Out Given Poor Cybersecurity Policy Compliance

Cyber-insurance is issued on the proviso that your answers about your IT security practices are accurate. If it later transpires, post hack, that you weren't doing what you claimed to be doing, your claim might be refused, leaving you to pick up the bill of fixing any attack.

Don't Get Discouraged

Even the biggest companies do not have perfect cybersecurity.

Your organisation doesn't have to be perfect. It just has to have a sufficiently high level of cybersecurity that hackers will pick on someone else, or fail to turn an initial compromise of one of your systems into something bigger.

Take a Multi-Layered Approach To Security

Here are 30 cybersecurity measures you can take to reduce your likelihood of becoming a victim of a cyber attack.

hSo Can Help Your Organisation Improve its IT Security

  • Business VPNs - Our Virtual Private Network (VPN) can help you lock down remote access to only authorised users, encrypting their traffic. The VPNs can be integrated with popular Identity and Access Management systems, so users lose VPN access as soon as their primary user account has been blocked or deleted.
  • Data Backup - Our automated cloud backup service can ensure you have multiple generations of your important files, VM images and databases. There is an immutability option, so you can get the benefits of air-gapped backups, without the delays in data restoration such air-gaps can involve.
  • Zero Trust Network Access - Our ZTNA service can help you lock down access to your network in a granular way, using a proxy to mediate network access requests. This can add an additional barrier to stop misuse of leaked/stolen username/password credentials.
  • Managed Cloud Hosting - This service takes care of patching your guest OS and the underlying virtualisation layer and hardware.
  • Managed Firewalls - These help protect your network from unwanted external probing. They can also block outbound traffic you don't want.
  • Unified Threat Management - UTM uses deep packet inspection to keep tabs on how your network is really being used. It can neutralise many threats and allow you to kill unwanted network traffic streams that present a security threat.
  • Disaster Recovery as a Service - This allows you to bounce back from an attack quicker, with a cloud-based clone of your server estate kept on ice, ready to be reanimated should you lose your primary hosting platform.
  • Microsoft 365 - As a Microsoft partner, we're able to provide licences for Microsoft 365. This doesn't just provide the Microsoft Office apps but also Azure AD with multi-factor authentication to help protect user accounts. Some product tiers also include Microsoft Intune, Microsoft's Mobile Device Management solution. Both services can support your effort to boost security.

 

To find out more about hSo's services for UK-based organisations, call 020 7847 4510 or fill in the form below.
