Top 10 Security Mistakes a Company Can Make

October 10, 2012

We all received the apologetic email when Zappos.com customer’s credit card information was hacked. (All of a sudden those boots you got for 50% off could have ended up costing a lot more than expected!) And again, another apology note when 6.5 million LinkedIn users’ encrypted passwords were leaked on a Russian hacker forum in June. The stories of corporations who’s IT security was compromised are unfortunately a dime a dozen. But by working with trusted companies such as OST who focus specifically on security is one simple step towards protecting your organization from a catastrophic breach. We have put together a basic list below of the top 10 security mistakes that a company can make. These common mistakes seem like a small slap on the wrist to some, but for those of us in the technology industry, the smallest insecurities can lead to the largest problems.

The 10 mistakes we chose were rated by analyzing the highest volume of protected data access, ability to cause the greatest “harm” to the organization, ease of which the mistake can be taken advantage of, ability to use that mistake to breach the entire organization, and the consistency of the mistake. With this in mind, let’s take a look at this list, shall we?

1. Reliance on Vendor or Installer to keep you secure. Just because they set up a network for you, doesn’t mean they locked the door on the way out. Certain IT firms may not feel it practical or necessary to consider security when setting up a network. I have seen many organizations who once thought their networks were built tough from the get-go because they hired the “best” IT Company to set it up. This false sense of security can most assuredly lead to a breach, and affects the industries of Healthcare, Financial and Retail.
2. Weak or Trivial Passwords. I hate to be the billionth person to say this, but “drowssap” or its less secure friend, “password,” have never cut it, and will never cut it as secure passwords. I won’t spend much time going into other insecure passwords, you can see a great guide here, but the fact that trivial passwords are still being used is almost comical – until all of your company information is stolen. Half of the organizations I have worked with have had at least one account that is left blank or “password,” and this issue most affects healthcare organizations and small businesses.
3. Consistent Passwords. Your fine-tuned 8 character, lowercase, Twitter password would take just a few days computing time to be cracked by a brute force attack. So what? It’s Twitter. But what if you used that same password for your corporate mail server? How long would it take to crack that? About 2 seconds. If you used the same password for your social media, email, webmail, phone and everything else, those passwords have already been broken and can be used to gain access to the entire company’s network.
4. Missing Security Updates/ Patches. Hackers are always looking to stay ahead of the curve. Whenever they invent some new way of breaking into a computer, the security programs will find a way to defend against it, and send out an update to their users. These updates must be installed immediately and correctly to ensure your network is up to date on all the latest exploits.  What’s more: these threats are universal they affect all operating systems, in all industries at all different threat levels.
5. Scanned documents on “Multi-function devices.”  Those balance sheets you scanned on your Multi-function device (That printer in the copy room) are still sitting in that machines’ memory, and hackers know it. Finding and instantly deleting files that contain protected data is one way to avoid these leasing concerns, or keeping the files to send to other machines. This exploit also affects all organizations, and has a special taste for financial documents.
6. Not changing default login credentials. All new wireless devices come with an admin username “Admin” and an admin password “Password”. These credentials are publicly known, (See what we mean?) and if a hacker can get into your network, he or she can change these credentials to lock you out, and your data in. Ensuring your IT department has changed the default logins on all of your wireless devices is one more hurdle for hackers to jump to gain access to your data.
7. Open Network Shares. This mistake is usually user based. Employees sometimes take computers home, and want to share media with other computers or devices. This is fine if there weren’t also financial and protected information. This exploit not only provides access to data, but an easy way for them to distribute viruses and malware to the entire network.
8. Not planning for lost, stolen, discarded or sold computers. These computers all have access to your organizations network, and sometimes these computers are lost, stolen, discarded or sold. Work out a plan to recover data or prohibit that machine from re-accessing the network before they are lost, to ensure maximum security. These simple means are rarely addressed, and for the greatest threat to loss of “consumer information.” All industries are affected by this.
9. Improperly configured Wi-Fi or improper use of Wi-Fi. What was secure a year ago has a greater risk today, because of the pace at which these methods advance. Open Wi-Fi, or unsecured Wi-Fi, can be a large threat to an organization, and can offer a “hidden” way to gain access to the organization. New techniques outline ways for hackers to piggyback their internet activities through your network, so you get blamed for their seedy downloads and web history.
10. Antivirus not installed or out-of-date. This issue is likely the most costly of them all. A computer without antivirus is like rolling out the red carpet for hackers, just pleading them to come on in. All industries are affected by this, and a simple install of antivirus or updates can clear this problem.

If you find yourself with questions around your organization’s security, don’t hesitate to call us.

Listen to this information on WGVU’s “Tech Talk” with Shelley Irwin, broadcast Thursday, October 11.

—–