Businesses are leaving a lot of information open to cyber attackers. And that’s leading to IT security incidents with some serious financial consequences.
One key lesson from a recent Ponemon Institute study: All organizations are vulnerable to IT security attacks. The survey involved 471 organizations that had suffered at least one data breach in the past two years. Those respondents were organizations in all major industries, and the study included companies of many different sizes.
Another key finding: Many businesses fail to take some of the most important steps to prevent cyber attacks. That’s the case even for businesses that have been stung by breaches before — 52% of the organizations surveyed suffered at least two breaches in the past two years.
That’s despite the fact that data breaches cause serious problems for a business well beyond the IT cost of finding and closing the source of the breach. For example, 76% of the survey respondents said they have lost or are likely to lose customers or business partners because of a breach.
In addition, 75% cite negative public opinion and media reports, while 66% said there were serious, direct financial consequences after their data breach.
What can companies do to prevent and alleviate those incidents? These are some of the common mistakes businesses are making, according to Ponemon’s report:
1. Letting employees bring any mobile device they want
As more organizations adopt BYOD programs, employees’ personal devices are starting to present a significant risk to company data. One step many experts recommend to reduce the risk is to write a BYOD policy listing what security features must be present in order for a device to be used, and then verify that those options are activated.
However, many companies aren’t doing that, according to the Ponemon survey. While 78% of the organizations surveyed allow personal devices at work, 61% said they don’t require those devices to be tested to make sure their security is up to par.
2. Giving employees access to too much data
Many IT security incidents originate with the company’s own end users, either because malicious insiders intentionally steal data or because employees accidentally install malware, fall for phishing scams or otherwise let external attackers onto the network.
That’s why IT should limit each employee’s access to only the information and systems needed for the job, so that a compromised or malicious account can reach as little as possible. However, just 44% of the survey respondents said their organization is effective at doing so.
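One concrete way to act on that point is a periodic access review: compare the permissions each account actually holds against what its job role needs, and flag excess grants, grants held by inactive accounts, and baseline drift. The script below is an added example, not code from the Ponemon report; the roles, users and permission names are hypothetical and the grant list is constructed inline.

```python
"""Least-privilege access review over a constructed grants list.

Added example, not from the Ponemon report. Roles, users and
permission names are hypothetical and constructed inline.
"""
from collections import defaultdict

# Hypothetical baseline: what each job role legitimately needs.
ROLE_BASELINE = {
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "finance": {"invoices:read", "invoices:write", "customers:read"},
    "engineer": {"repo:read", "repo:write", "ci:read"},
}

# Constructed identity records, as an IdP or HR export would provide them.
USERS = {
    "alice": {"role": "support", "active": True},
    "bob": {"role": "finance", "active": True},
    "carol": {"role": "engineer", "active": True},
    "dave": {"role": "support", "active": False},  # left the company
}

# Constructed effective grants, e.g. pulled from an application's ACL table.
GRANTS = [
    ("alice", "tickets:read"), ("alice", "tickets:write"),
    ("alice", "customers:read"), ("alice", "invoices:write"),  # excess
    ("bob", "invoices:read"), ("bob", "invoices:write"),
    ("bob", "customers:read"), ("bob", "repo:write"),  # excess
    ("carol", "repo:read"), ("carol", "repo:write"),
    ("dave", "tickets:read"),  # orphaned: account is inactive
]


def review_access(users, grants, baseline):
    """Return findings keyed by 'excess', 'orphaned' and 'missing'.

    excess:   active user holds a permission the role baseline does not allow
    orphaned: grant belongs to an unknown or inactive account
    missing:  active user lacks a permission the role needs (baseline drift)
    """
    effective = defaultdict(set)
    for user, perm in grants:
        effective[user].add(perm)

    findings = {"excess": {}, "orphaned": {}, "missing": {}}
    for user, perms in effective.items():
        record = users.get(user)
        if record is None or not record["active"]:
            findings["orphaned"][user] = sorted(perms)
            continue
        extra = perms - baseline.get(record["role"], set())
        if extra:
            findings["excess"][user] = sorted(extra)
    for user, record in users.items():
        if record["active"]:
            lacking = baseline.get(record["role"], set()) - effective.get(user, set())
            if lacking:
                findings["missing"][user] = sorted(lacking)
    return findings


if __name__ == "__main__":
    for kind, entries in review_access(USERS, GRANTS, ROLE_BASELINE).items():
        for user, perms in entries.items():
            print(f"{kind:9} {user:6} {', '.join(perms)}")
```

The "orphaned" bucket is the one most often missed in practice: a departed employee's grants survive in the application long after the account is disabled in the directory, and an attacker who recovers those credentials inherits them.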
3. Not offering security awareness training
Likewise, helping employees recognize and avoid phishing and similar social-engineering attacks is one way to prevent a large share of the attacks that target organizations.
However, more than half (52%) of organizations said they don’t have a security awareness training program for employees who have access to sensitive information.
4. Putting too much faith in third parties
Especially as cloud computing becomes more common, companies are putting a lot of sensitive data in the hands of third-party providers. That can cause big problems if an organization’s data is stolen because of a breach at a third party.
Unfortunately, many organizations don’t do enough to make sure they only hand over information to businesses that will keep it secure. Just 54% of survey respondents said they thoroughly vet third parties before doing business with them.
5. Failing to encrypt devices
Several technical controls can help keep data from falling into the wrong hands. One of the most important is encryption, especially as more information travels outside the office on laptops, phones and other portable devices, where a lost or stolen device otherwise exposes everything stored on it.
But encryption isn’t commonly deployed, according to the Ponemon report. Among the organizations studied, 46% said they don’t encrypt devices, and another 22% of respondents weren’t sure.
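Points 1 and 5 both come down to the same check: before a device is allowed to hold company data, verify that the controls the policy requires (encryption, screen lock, remote wipe, a current OS, no root or jailbreak) are actually switched on, and treat a device that cannot report a control as unverified rather than compliant. The script below is an added example rather than anything from the Ponemon report; the policy, the field names and the inventory records are hypothetical and constructed inline, not taken from any particular MDM product.

```python
"""Device compliance check over a constructed MDM inventory.

Added example, not from the Ponemon report. The policy, field names and
inventory records are hypothetical; they do not come from any real MDM.
"""

# Hypothetical BYOD policy: what must hold before a device may carry company data.
POLICY = {
    "min_os": {"ios": (16, 0), "android": (13, 0),
               "windows": (10, 0, 19045), "macos": (13, 0)},
    "required_true": ("disk_encrypted", "screen_lock", "remote_wipe_enrolled"),
    "forbidden_true": ("rooted_or_jailbroken",),
}

# Constructed inventory. The missing key on d5 is deliberate: a device that
# cannot report a control is 'unverified', never silently 'compliant'.
INVENTORY = [
    {"id": "d1", "platform": "ios", "os_version": "17.2", "disk_encrypted": True,
     "screen_lock": True, "remote_wipe_enrolled": True, "rooted_or_jailbroken": False},
    {"id": "d2", "platform": "android", "os_version": "11.0", "disk_encrypted": True,
     "screen_lock": False, "remote_wipe_enrolled": True, "rooted_or_jailbroken": False},
    {"id": "d3", "platform": "windows", "os_version": "10.0.19045", "disk_encrypted": False,
     "screen_lock": True, "remote_wipe_enrolled": True, "rooted_or_jailbroken": False},
    {"id": "d4", "platform": "android", "os_version": "14.0", "disk_encrypted": True,
     "screen_lock": True, "remote_wipe_enrolled": True, "rooted_or_jailbroken": True},
    {"id": "d5", "platform": "macos", "os_version": "14.1",
     "screen_lock": True, "remote_wipe_enrolled": True, "rooted_or_jailbroken": False},
]


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045): compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, policy=POLICY):
    """Return (status, details); status is compliant, noncompliant or unverified."""
    failures, unknowns = [], []
    for field in policy["required_true"]:
        if field not in device:
            unknowns.append(field)
        elif device[field] is not True:
            failures.append(f"{field} off")
    for field in policy["forbidden_true"]:
        if device.get(field) is True:
            failures.append(field)
    minimum = policy["min_os"].get(device.get("platform"))
    if minimum is None:
        unknowns.append("platform")
    elif parse_version(device["os_version"]) < minimum:
        failures.append(f"os {device['os_version']} below minimum")
    if failures:          # any hard failure wins, even if other fields are unknown
        return "noncompliant", failures
    if unknowns:
        return "unverified", unknowns
    return "compliant", []


def summarize(inventory, policy=POLICY):
    """Map device id -> status, the view an administrator would act on."""
    return {d["id"]: evaluate(d, policy)[0] for d in inventory}


if __name__ == "__main__":
    for device in INVENTORY:
        status, details = evaluate(device)
        print(f"{device['id']}: {status} {details}")
```

The report's "22% weren't sure" figure is exactly the unverified bucket here: a device whose encryption state the organization cannot see should be blocked from company data just like one that reports encryption off.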
6. Using unsecured applications
Many attacks exploit vulnerabilities in the software a business is running, which is why companies need to keep their applications patched and test them for security flaws.
But only 35% of organizations regularly test the security of their applications.
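The cheapest form of that testing is checking what you already run against published advisories: for each installed component, decide whether its version falls inside an advisory's affected range and whether a fixed release exists. The script below is an added example, not from the Ponemon report; the advisory identifiers, component names and the installed-software inventory are all hypothetical and constructed inline, and do not refer to real CVEs or products.

```python
"""Patch-status check of an installed-software inventory against advisories.

Added example, not from the Ponemon report. Advisory identifiers,
component names and versions are hypothetical and constructed inline.
"""

# Constructed advisories. A component is affected when
# introduced <= installed < fixed (the half-open range most advisories use);
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-0001", "component": "webframework", "introduced": "2.0.0", "fixed": "2.4.7"},
    {"id": "ADV-0002", "component": "webframework", "introduced": "3.0.0", "fixed": "3.1.2"},
    {"id": "ADV-0003", "component": "imagelib", "introduced": "0.0.0", "fixed": "1.10.0"},
    {"id": "ADV-0004", "component": "tlslib", "introduced": "1.1.0", "fixed": None},
]

# Constructed inventory, keyed by host.
INSTALLED = {
    "web-01": {"webframework": "2.4.6", "imagelib": "1.10.0"},
    "web-02": {"webframework": "3.1.2", "imagelib": "1.9.12"},
    "vpn-01": {"tlslib": "1.1.4"},
}


def parse_version(text):
    """'1.10.0' -> (1, 10, 0). Plain string comparison would sort '1.9' after '1.10'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(installed, advisory):
    """True when the installed version lies in the advisory's affected range."""
    version = parse_version(installed)
    if version < parse_version(advisory["introduced"]):
        return False
    if advisory["fixed"] is None:
        return True  # everything from 'introduced' onward is affected
    return version < parse_version(advisory["fixed"])


def unpatched(installed_by_host, advisories):
    """Map host -> list of (component, installed, advisory id, fixed version)."""
    findings = {}
    for host, components in installed_by_host.items():
        for adv in advisories:
            version = components.get(adv["component"])
            if version is not None and is_affected(version, adv):
                findings.setdefault(host, []).append(
                    (adv["component"], version, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for host, items in unpatched(INSTALLED, ADVISORIES).items():
        for component, version, adv_id, fixed in items:
            action = f"upgrade to {fixed}" if fixed else "no fix yet: mitigate or isolate"
            print(f"{host}: {component} {version} affected by {adv_id}; {action}")
```

Two details matter in practice and are easy to get wrong: versions must be compared numerically per component (1.9.12 is older than 1.10.0), and an advisory with no fixed release still needs a finding, because the answer there is a compensating control rather than a patch.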
7. Failing to respond properly when breaches happen
As IT professionals know, preventing all cyber security attacks is impossible. However, planning ahead of time and getting ready to respond when incidents do occur can help companies reduce many of the costs of a data breach, including lost customers, damaged reputations and legal fees.
The good news: The majority of organizations do have a data breach response plan in place, along with a dedicated team to handle the process.
However, the survey also found several additional steps companies could be taking. For example:
- Only 30% say their organization trains customer service employees on how to respond to questions about a data breach
- Only 21% of respondents have an internal communications team trained to field questions and concerns from the people affected by a breach
- Only 11% of organizations verify that contact with each victim has been completed, and
- Only 10% get feedback from victims about the quality and effectiveness of the notification.