IT departments have a lot on their plates, including many big projects such as virtualization or a move to cloud computing. But unfortunately, focusing on complex issues can sometimes make IT pros forget about simple steps to keep data secure.
And those simple security errors can lead to expensive data breaches and other complex problems.
Here are the 10 most common security errors companies still make, based on recent surveys and news about data breaches:
1. Trusting vendors’ security
With companies increasing their investments in cloud computing and IT outsourcing, more sensitive data is being handled by third-party vendors. Yet even now, less than half of small businesses verify cloud computing vendors’ security, and 63% of all organizations admit they don’t know what cloud vendors do to protect customers’ data, according to recent surveys.
2. Keeping default passwords
While IT pros often complain about users’ bad security practices, IT departments aren’t immune from making password mistakes, either. One of the most common security errors is keeping the default password for applications, servers and other IT equipment. A recent data breach of nearly 800,000 records occurred after the Utah Department of Technology Services failed to change the default password protecting a server containing information about Medicaid recipients.
3. Leaving old vulnerabilities unpatched
IT spends a lot of time figuring out how to defend against hackers’ new, cutting-edge techniques, but criminals also have a lot of success with attacks that have been around for years. One example is the Conficker worm: Microsoft issued a patch for it in 2008, yet it still finds its way onto corporate networks and attacked an estimated 1.7 million computers in the fourth quarter of 2011 alone.
4. Forgetting to patch all devices
When companies do apply patches, they often focus on applications and operating systems running on servers and desktop PCs. But there are plenty of other devices that have software that must be patched, including printers and copiers, routers, and anything else that connects to the network. Forgetting those patches is one of the most common security errors and could allow hackers to find a backdoor to access sensitive data.
5. Letting users leave with unencrypted data
Several data breaches have occurred because computers, mobile gadgets or storage devices holding unencrypted data were stolen after an employee took them out of the office. For example, Tricare Management Activity and the U.S. Department of Defense suffered a data breach last year costing millions of dollars because a set of unencrypted backup tapes was stolen from an employee’s car. While preventing users from taking sensitive data with them is becoming more difficult, IT at least needs to give them secure methods for doing so.
6. Giving users access to more data than they need
In addition to outside hackers, IT also needs to protect against insider threats, including users who steal data to sell to criminals or cause damage because they’re disgruntled. One way to minimize those risks is to make sure users can access only what they need to do their jobs. However, just 36% of organizations said they restrict access to data on a need-to-know basis, according to a recent study, and many others fail to review those access privileges regularly.
7. Failing to remove access for ex-employees
Another common insider threat is a disgruntled former employee who takes revenge by sabotaging the company’s IT systems. However, one of the security errors many companies make is failing to remove access privileges as soon as an employee leaves. That’s what happened last year when an IT pro laid off by a pharmaceutical company was still able to log in to 15 virtual servers and delete their contents, causing $800,000 worth of damage.
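Errors 6 and 7 are both caught by the same routine control: a periodic access review that reconciles the HR roster against the account directory. The following is an added example, not code from the original article; the roster, role baselines, directory export and audit date are all constructed for illustration.

```python
# Added example: reconcile a constructed HR roster against a constructed
# directory export to flag terminated users who can still log in (error 7)
# and accounts holding more access than their role needs (error 6).
from datetime import date

# Constructed HR roster: role, and termination date if the person has left.
HR_ROSTER = {
    "alice": {"role": "finance", "terminated": None},
    "bob":   {"role": "it",      "terminated": date(2012, 3, 1)},
    "carol": {"role": "sales",   "terminated": None},
}

# Constructed need-to-know baseline: the groups each role actually requires.
ROLE_BASELINE = {
    "finance": {"ledger-ro", "vpn"},
    "it":      {"vsphere-admin", "vpn"},
    "sales":   {"crm", "vpn"},
}

# Constructed directory export: enabled flag, group memberships, last review.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": {"ledger-ro", "vpn", "vsphere-admin"}, "last_review": date(2011, 6, 1)},
    {"user": "bob",   "enabled": True, "groups": {"vsphere-admin", "vpn"},              "last_review": date(2012, 1, 15)},
    {"user": "carol", "enabled": True, "groups": {"crm", "vpn"},                        "last_review": date(2012, 4, 20)},
    {"user": "svc-backup", "enabled": True, "groups": {"backup"},                       "last_review": date(2012, 4, 20)},
]

AUDIT_DATE = date(2012, 5, 1)  # constructed "today" so results are deterministic

def audit_accounts(accounts, roster, baseline, today, max_review_age_days=90):
    """Return (user, finding) tuples an access reviewer should act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR owner: orphaned or service account that needs an explicit owner.
            findings.append((user, "no HR owner"))
            continue
        if person["terminated"] is not None and acct["enabled"]:
            # Error 7: account still live after the leaving date.
            findings.append((user, f"enabled after termination on {person['terminated']}"))
            continue
        excess = acct["groups"] - baseline.get(person["role"], set())
        if excess:
            # Error 6: membership beyond what the role's baseline grants.
            findings.append((user, f"excess groups: {sorted(excess)}"))
        if (today - acct["last_review"]).days > max_review_age_days:
            findings.append((user, "access review overdue"))
    return findings
```

Running `audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, AUDIT_DATE)` flags bob's still-enabled account, alice's extra admin group and stale review, and the ownerless service account, while carol produces no findings.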
8. Forgetting physical security
Naturally, IT pros focus mostly on securing data from network intrusion and other cyberattacks. But a lot of sensitive data can be stolen by taking the physical equipment that it’s held on. For example, several healthcare providers have recently been the victims of laptop thefts that have put medical information at risk. IT departments should invest in door locks, cameras, cable locks for laptops and other physical security controls, and train users to keep mobile devices secure.
9. Assuming policies will be followed
Security policies are great, but technical controls are also necessary. IT departments have a hard time making many groups follow those rules — for example, 70% of users under 30 flat-out ignore IT security policies, and more than half of IT pros say executives believe security rules don’t apply to them.
10. Trusting security software
Likewise, companies can’t put all their faith in technical controls, either. While they provide some level of protection, no security tools are completely foolproof. For example, antivirus applications, on average, detect just 19% of malware on the first day it’s discovered — and even after 30 days the number rises only to 61%, according to one study. That’s why experts recommend a combination of user awareness and security tools.