Otto background

5 Common IT Security Mistakes That Put Your Company at Risk

When it comes to modern business, a successful cyberattack can cost you much more than money. A breach in security can mean downtime, discontinuation of business operations, a loss of customer trust through reputational harm, low ratings, stolen data and fines related to compliance.

From proprietary information to customer data, a lot of the digital information stored in the networks and systems of today’s organizations is just one mistake away from being leveraged for nefarious purposes. While companies and organizations invest an increasing amount of money into cybersecurity defenses to protect against targeted attacks and widespread malware outbreaks, there’s one vulnerability that will never be solved — human error.

From end users in any department at your organization to your IT manager, today, everyone makes security mistakes that have the potential to put data at risk. To conclude this two-part series, we’ll take a look at the common mistakes IT managers make. (Part one of the series can be found here.)

1) Thinking An Attack Won’t Happen to You

Just because you’re not in an industry that serves as a juicy target for hackers and bad actors seeking to cause harm, doesn’t mean you’re not at risk. Every organization is susceptible to cyber threats, and getting breached has become a matter of when, not if. As a result, IT managers cannot afford to think that they won’t be attacked.

IT managers need to plan for attacks to happen. With a plan in place, IT managers can begin to notice flaws and weaknesses in their security infrastructure so that they don’t overrate their own security. In the event of an attack, an effective plan can protect technology and data security before any more serious problems arise. If you think you’re not at risk, you’re not taking cybersecurity seriously enough.

2) Being Unaware of Assets

As organizations embrace more types of devices and hardware, effective security becomes more of a challenge and difficult to manage as technology architectures grow increasingly complex. This proliferation of security tools has created an environment so complicated that no organization could possibly afford the array of tools, people and other resources necessary to protect itself against everything.

Consequently, numerous organizations suffer from myriad vulnerabilities that have the potential to enable exploitation. Compounding the issue, when companies are unaware of all of their IT and data assets, there’s no way to assess all of the vulnerabilities. As such, IT managers need to ensure assets are protected from illicit access, use, disclosure, alteration, destruction and/or theft that results in losses to the organization.

3) Not Enforcing Security Policies

Unfortunately, even the best-designed security plans are useless if IT managers fail to rigorously enforce them. If IT managers fail to ensure systems enforce policies, then those policies are essentially useless. While easy enough to write, enforcement is another issue entirely.

As an IT manager, policies not only frame your work, they lay out the resources needed to get the job done. Policies need to identify and communicate risk, detail what is expected of accountable parties, develop processes to monitor conformance with policy and prepare response capabilities for when the stuff hits the fan. They set expectations and assign accountability. As such, the enforcement of security policies should be directly connected to the consequences of inaction.

4) Failing to Consider Staff

As previously mentioned, one vulnerability that will never be solved is human error, and the greatest threat to your security is your staff. Cybersecurity is not just a technology problem, it’s an operational and cultural problem as well. Regardless of your endpoint protections and the size of your firewall, employees operate internally, and they are likely the weakest link in your security.

Though it may not seem necessary to train every employee about avoiding cyber threats like phishing scams and unsecured links, it could save your company quite a bit in the long run. Employees need to be trained (and sometimes retrained) on how to use secure protocols, what to consider before they click, how to guard against stolen devices and how to take action in the event of an attack.

While end users negligence or mistakes can lead to breaches, sometimes insiders simply steal data themselves. If not properly monitored, disgruntled employees and others can cause enormous security problems through stolen data. Whether for financial gain, career development or just to cause deliberate damage, there are myriad reasons why employees take a risk and steal from their employers. The best way to protect against insider threats is to only offer users access to the data they need to do their specific jobs.

5) Updating Slowly or Not Updating At All

Despite warnings and massive international cyberattacks, too many organizations still aren’t applying security patches in a timely fashion. In fact, a recent report titled “A Growing Risk Ignored: Critical Updates” found that over 2,000 organizations run more than 50 percent of their computers on outdated versions of an operating system, making them almost three times as likely to experience a publicly disclosed breach.

Even when updates have been available for months, even years, some organizations are still failing to take basic cybersecurity precautions by not applying critical patches. Failure to update creates a window of opportunity for hackers and bad actors to exploit.

For example, by using a leaked NSA exploit for a vulnerability in Windows’ Server Message Block (SMB) v1 networking protocol, the WannaCry ransomware attack infected more than 300,000 computers around the globe in May 2017. Microsoft released a patch for the vulnerability two months before the attack and after the outbreak, they also released an emergency patch to protect out-of-support systems. Unfortunately, despite WannaCry’s impact, it appeared that many organizations didn’t bother to apply the correct patches because Petya used the same exploit to spread itself across infected networks just one month later.

As WannaCry and Petya illustrate, many cybercriminals aren’t breaking into systems using sophisticated new attacks, they are exploiting already discovered vulnerabilities. Consequently, if security patches are released, then they need to be applied. Due to insecure programming practices, many common vulnerabilities are easy to find and reasonably simple for hackers to take advantage of. Consequently, every organization, regardless of industry, should apply security updates for their operating systems and critical applications as soon as possible following their release.

Enter Automox. Our easy-to-install, cloud-based, automated patching solution allows IT managers and other security professionals to control their level of patch management automation, flow processes and configuration enforcement — all from a single dashboard. Best of all, the lightweight platform can patch any system and any software in any location.

About Automox IT Operations

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.