What Are Your Security Holes?
"Hackers only need to be lucky once. You need to be lucky every time."
- John Opdenakker
We level up our security systems, hoping to create enough locked doors that cybercriminals move along - not unlike crime-proofing our homes. We put all the right processes in place, buy and maintain all the software to monitor and prevent attacks, build our Written Information Security Programs (WHISPs), and train our people. Yet we still may miss some obvious openings. That is why it's essential to revisit and reevaluate, on a regular basis, how the plan is going.
There are three zones of vulnerability, where your holes live: people, processes and technology.
Let’s put some of the weaknesses into those zones. Of course, they overlap since people problems are often the biggest holes in the processes and technology buckets.
People
People are not limited to your team. Clients may very well be a vulnerability, too, as we share data and documents heavily with them. It’s always best to do a little look-see at yourself, too…
Phishing Vulnerability
Lack of Training: People not trained to recognize phishing emails may unknowingly open malicious attachments or click bad links
No Email Filtering: Phishing attempts might more easily reach users’ inboxes without a proper email filtering system
Shadow IT
Unapproved Software/Apps: People - particularly employees - using unauthorized cloud services or applications could expose sensitive business data
Social Engineering Exposure
Lack of Training: If folks aren’t trained to recognize when they may be manipulated into divulging user access information and sensitive data, they could be hacked
Lack of Processes: Without oversight, a proper chain of command, least privilege access, and even something as simple as a company passphrase, your team is being set up to be socially engineered
Weak Passwords and Authentication
Weak Passwords: Employees' use of simple or reused passwords is a significant risk
Lack of Multi-Factor Authentication (MFA): Without MFA, access to systems is less secure
Processes
BYOD (Bring Your Own Device) Policies
Uncontrolled Personal Devices: If employees use personal devices for work without security controls, the risk of breaches increases
No Device Encryption: Business data on personal devices should be encrypted
Inadequate Backup and Recovery
No Regular Backups: If the business doesn’t have automated backups in place, it risks significant data loss in the event of an attack or disaster
No Off-site Backups: Storing backups only on-site increases the risk of losing all data in the event of fire, flood, or theft
Lack of Unattended Device Practices
No Unattended Computer Policy: Without a process for locking or shutting down computers that are left unattended, anyone nearby can use them. The most secure device is one that is off
No Device Passwords/PINs: A device without a password or PIN is open to whoever picks it up
No Unique Unlock Codes: Every device should have its own unique unlock code rather than one shared across devices
Weak Access Control
Excessive Permissions: Employees may have more access than necessary, increasing the risk of internal threats
No Role-based Access Controls (RBAC): Without RBAC, it's difficult to restrict access based on an employee’s role
Technology
Lack of Data Encryption
Unencrypted Data: Sensitive data at rest or in transit should always be encrypted. If not, it's vulnerable to theft or interception
Poor Network Security
Open or Unsecured Wi-Fi: If Wi-Fi isn’t secured with strong encryption (WPA3, for example), outsiders could gain access
Default Router Credentials: Businesses may forget to change the default usernames and passwords on their network devices
Third-Party Access: If vendors or partners have access to systems and their security isn’t vetted, they could become a weak point
Unpatched Software
Outdated Software/Systems: Failure to update software, operating systems, and applications can leave the business vulnerable to exploits
End-of-life Systems: Unsupported operating systems or software for which no security patches are available
Weak or Non-existent Firewalls
No Firewalls or Improper Configuration: A misconfigured or unused firewall leaves the business network vulnerable to external attacks
No Intrusion Detection/Prevention System (IDS/IPS): Without these, suspicious traffic cannot be actively monitored
It is good practice to regularly review your people, policies, and technology for security holes.
Hold regular security sessions with your stakeholders
Review your technology partners’ policies
Revisit your WHISP
Run simulations: what would happen if your team’s phone or laptop was stolen or lost?
Stress-test your protocols and systems by running "what if" scenarios such as phishing attempts and social engineering attacks
No system is perfect; open lawns will often surround closed gates. But do the best that you can do and continuously work at fencing in your yard.
Simply yours, Kellie :-}
::Shameless Call To Action::
I sell bookkeeping templates, standard operating process handbooks and client guides.
15% off discount code: BLOG