Studies show that more than half of all data breaches are directly attributable to employee behavior. In some cases, the breach is the result of sabotage, when a disgruntled employee does something to expose sensitive information outside of the organization. Other times, the breach occurs because of an innocent mistake, such as when an employee falls victim to a sophisticated spear phishing attack.
In the case of accidental breaches, most people assume that the culprit is an average employee, someone who knows the basics of how to use their computers, but isn’t well versed in all of the technical “stuff” required to manage and secure a network. Most people would never even think that the IT security team might do something that leads to a breach — they are the ones who are supposed to be protecting the network, after all!
Well, the truth is that IT security pros are still human and they make mistakes too. Sometimes those mistakes lead to serious data leaks. In some cases, these mistakes are just the result of being careless. In others, they are due to misinformation or misconceptions. Either way, they are avoidable.
Mistake #1: Using Real Data for Tests
Testing is a vital part of any security strategy. You want to make sure that everything works. However, when designing your tests, you never want to use real data or files. Because using real data subsets has been a standard practice for years — and test systems are rarely as well protected as the real systems — hackers have learned to exploit tests to steal data. Given how much is at stake, you should always create fake data to use in tests, or at the very least, use the same password protocols and restrict application access as you would with your real network.
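One practical way to follow this advice is to run production records through a masking step before they ever reach a test system, so tests get realistic-looking data without real values. The example below is added here and is not from the original article; the records, the field names and the masking key are all constructed for illustration. It produces deterministic pseudonyms (the same real value always maps to the same fake one, so joins between tables still work in tests) and includes a leak check that confirms none of the original sensitive values survived.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for a production user table; these are not real people.
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"id": "1001", "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789"},
    {"id": "1002", "name": "Bob Sample", "email": "bob@example.org", "ssn": "987-65-4321"},
]

# Fields that must never appear unchanged in a test environment.
SENSITIVE_FIELDS = ("name", "email", "ssn")

# Hypothetical masking secret. It lives only on the host that performs masking,
# never in the test environment, so masked values cannot be reversed there.
MASK_KEY = b"constructed-masking-key-do-not-reuse"


def _token(value: str, length: int) -> str:
    """Keyed, deterministic pseudonym: same input always yields the same output."""
    digest = hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_row(row: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the row with sensitive fields replaced by format-preserving fakes."""
    masked = dict(row)  # non-sensitive fields such as the id are kept so relations survive
    masked["name"] = "User " + _token(row["name"], 8)
    # Reserved test-only domain so a misrouted e-mail can never reach a real mailbox.
    masked["email"] = _token(row["email"], 10) + "@test.invalid"
    # Keep the NNN-NN-NNNN shape so input validation in the application under test still passes.
    digits = str(int(_token(row["ssn"], 16), 16)).zfill(9)[-9:]
    masked["ssn"] = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    return masked


def mask_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [mask_row(r) for r in rows]


def find_leaks(original: List[Dict[str, str]], masked: List[Dict[str, str]]) -> List[str]:
    """Report any original sensitive value that still appears anywhere in the masked set."""
    haystack = " ".join(v for row in masked for v in row.values())
    leaks = []
    for row in original:
        for field in SENSITIVE_FIELDS:
            if row[field] in haystack:
                leaks.append(f"{field}={row[field]}")
    return leaks


if __name__ == "__main__":
    test_rows = mask_rows(PRODUCTION_ROWS)
    for r in test_rows:
        print(r)
    print("leaks:", find_leaks(PRODUCTION_ROWS, test_rows))
```

The leak check is the part worth keeping in a CI job: if a schema change adds a new sensitive column that the masking step does not know about, the check fails before the data reaches a less protected test system.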
Mistake #2: Using a Corporate Password Outside of Work
Everyone agrees: It’s a nuisance to remember all of the passwords we use every day. However, using the same password for corporate accounts — especially those with high value, such as the server that contains encryption keys — and personal accounts is a recipe for disaster. Should someone gain access to your personal accounts, and learn where you work, they could use your login information to access your corporate accounts undetected. Using multi-factor authentication (MFA) for corporate log-ins helps lower this risk, but it’s still important to maintain a healthy separation between corporate and personal passwords.
Mistake #3: Not Configuring Firewalls Correctly
By default, most firewalls come with very strict permissions, and deny most traffic. This sounds like a great idea — until an application doesn’t work the way that it should. In many cases, administrators then reduce the restrictions to allow all traffic through as a means of fixing the problem.
If this is a short-term situation, no problem. When it becomes permanent, then it becomes an issue. In short, administrators should never open the firewall to allow all traffic. Hackers look for these openings, and when they find them, they wreak havoc.
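A temporary "allow everything" rule is easy to forget, so a small audit that scans the saved rule set for unrestricted ACCEPT rules catches it before it becomes permanent. The script below is an added example, not part of the original article; the two rule sets are constructed in iptables-save syntax (the permissive one containing the blanket rule, the corrected one allowing only the application's port from its client subnet), and the chain and option names are those of iptables itself.

```python
from typing import Dict, List, Tuple

# Constructed iptables-save output: the "quick fix" that lets everything in.
PERMISSIVE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# Constructed corrected rule set: only the application's port, only from its client subnet.
CORRECTED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp --dport 8443 -j ACCEPT
COMMIT
"""

# Options that narrow a rule; a rule with none of these matches every packet.
RESTRICTING_OPTIONS = {"-s", "-d", "-p", "-i", "-o", "--dport", "--sport", "--ctstate", "--state"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
INBOUND_CHAINS = ("INPUT", "FORWARD")


def parse_rules(text: str) -> Tuple[Dict[str, str], List[Dict[str, object]]]:
    """Return (chain default policies, list of rules) from iptables-save style text."""
    policies: Dict[str, str] = {}
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):  # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            rule = {"chain": toks[1], "target": None, "restricted": False, "raw": line}
            i = 2
            while i < len(toks):
                tok = toks[i]
                if tok == "-j":
                    rule["target"] = toks[i + 1]
                    i += 2
                elif tok in RESTRICTING_OPTIONS:
                    value = toks[i + 1]
                    # "-s 0.0.0.0/0" looks like a restriction but matches everything.
                    if not (tok in ("-s", "-d") and value in ANY_ADDRESS):
                        rule["restricted"] = True
                    i += 2
                else:  # e.g. "-m conntrack": the module name itself restricts nothing
                    i += 1
            rules.append(rule)
    return policies, rules


def audit(text: str) -> List[str]:
    """List findings that indicate the firewall has been opened to all traffic."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in INBOUND_CHAINS:
        if policies.get(chain) == "ACCEPT":
            findings.append(f"default policy of {chain} is ACCEPT")
    for rule in rules:
        if rule["chain"] in INBOUND_CHAINS and rule["target"] == "ACCEPT" and not rule["restricted"]:
            findings.append(f"unrestricted ACCEPT in {rule['chain']}: {rule['raw']}")
    return findings


if __name__ == "__main__":
    for label, ruleset in (("permissive", PERMISSIVE_RULES), ("corrected", CORRECTED_RULES)):
        print(label, audit(ruleset) or ["no findings"])
```

Run against the output of `iptables-save` on a schedule and alert on any finding; a rule added to "just make it work" then gets a deadline instead of a permanent home.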
Mistake #4: Not Properly Disposing of Old Equipment
It’s inevitable that you will have to purchase new equipment at some point — nothing lasts forever. But what do you do with the old stuff? If you trade it in, sell it, or even just recycle it, do you completely wipe it and restore it to factory condition before doing so? Failing to remove all of the data on equipment that’s being retired leaves you vulnerable to a breach. All it takes is for an old server containing sensitive information to fall into the wrong hands.
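Wiping a drive is only half the job; the other half is checking, before the hardware leaves the building, that the media actually reads back as erased. The example below is added here and is not from the original article. It reads a device or image in chunks and reports the first offset that still holds data; the demo image it builds is a constructed temporary file, and on real hardware the path would be the block device (for instance a Linux `/dev/sdX` node opened as root).

```python
import os
import tempfile
from typing import Tuple

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large devices do not load into memory


def verify_zeroed(path: str, chunk_size: int = CHUNK_SIZE) -> Tuple[bool, int, int]:
    """Return (clean, offset of first non-zero byte or -1, bytes checked).

    'clean' is True only if every byte read from path is zero.
    """
    zero_chunk = bytes(chunk_size)
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            if buf != zero_chunk[: len(buf)]:
                # Locate the exact residue position for the report.
                for i, b in enumerate(buf):
                    if b:
                        return False, offset + i, offset + len(buf)
            offset += len(buf)
    return True, -1, offset


def make_demo_image(size: int, residue_at: int = None) -> str:
    """Constructed test image: all zeros, optionally with leftover data planted at an offset."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(size))
        if residue_at is not None:
            f.seek(residue_at)
            f.write(b"ACME-CUSTOMER-RECORD")  # stands in for data a wipe failed to remove
    return path


if __name__ == "__main__":
    good = make_demo_image(2 * CHUNK_SIZE + 17)
    bad = make_demo_image(2 * CHUNK_SIZE, residue_at=1_500_000)
    print("fully wiped image:", verify_zeroed(good))
    print("image with residue:", verify_zeroed(bad))
    os.remove(good)
    os.remove(bad)
```

A zero read-back is the right check for magnetic disks that were overwritten. For SSDs and other flash media the controller can hide remapped or over-provisioned blocks from this read, so there the wipe should be the drive's own secure-erase or a cryptographic erase, with this scan used only as a confirmation of what the host can still see.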
Mistake #5: Not Paying Attention to Public Entry Points
Back in 2007, a major retailer was hacked in what was then one of the largest data breaches in history. Investigators discovered that the source of the breach was actually not a direct attack on the corporate servers, but in fact originated from inside the stores themselves, at self-service employment kiosks. Most of the retailer’s locations had a computer, connected to the main servers, that anyone could use to apply for a job. These computers were largely ignored by in-store staff, making it easy for hackers to visit under the guise of applying for a job and install malware that then opened the door to the company’s network.
The lesson here is that if you have public entry points to your network, you need to protect them with the same level of security as you would an employee device. Public access points should never be directly linked to your main servers, and all traffic should be encrypted and secured. They should also be closely monitored for suspicious behavior.
Hackers are becoming more sophisticated all the time, but if you make these mistakes, even an inexperienced hacker can hit pay dirt in your servers. Don’t make their jobs easier.