“Mistakes were made” may be the most common PR response coming from an enterprise when its security has been breached. It’s also the most diplomatic…and least helpful response. Why couldn’t these mistakes have been spotted much earlier? Before PR spin was ever needed?
Following a data breach, hack or other compromise to infrastructure or assets, a post-mortem is usually conducted to look at what went wrong. More often than not, senior leaders are surprised and dismayed by what they hear — at the processes or policies that were overlooked, or by the risks they didn’t realize existed.
Acknowledging errors is merely table stakes, however. CISOs and their colleagues need to get one step ahead by offering better education and training, addressing areas of vulnerability and building a “security-first” culture.
Begin that journey by not falling prey to any of the following:
- The ‘1, 2, 3, 4, Open Door’ Mistake
It’s one of the oldest security blunders in the book, but too many companies fail to enforce strong password policies. The right tools and technology will ensure passwords are better than “admin” or “1234,” but think about how you can make the job easier early on. It could be a lunch n’ learn that demonstrates how cyberattacks can begin by guessing an easy password, or information during employee on-boarding about how to create and update passwords.
- The ‘But I Didn’t Know They Could Do That!’ Mistake
You wouldn’t give the same degree of access to and control over information to a junior employee as you would the CEO. Would you? Establishing policies that spell out the degree of access and authorization up front is one of the best ways to ensure insider threats such as disgruntled employees don’t blow up into data loss, business interruption or worse.
- The ‘I Thought They Still Worked Here’ Mistake
Employees may get an exit interview where they talk to HR and hand over their key fob, but in some cases system credentials are left untouched long after staff depart. That’s a huge trap door that can be easily remedied by tools that monitor access and close it off where it’s no longer necessary.
- The ‘But It Looked Legit!’ Mistake
Phishing schemes, where employees open an email message and click on attachments they shouldn’t, seem to trip up at least one company a year. Use an intranet, lunch n’ learn and any other opportunity to explain to your team what genuine communication from the company will look and sound like, and the kind of links they should report as soon as they spot them. Help the lessons stick by performing phishing awareness tests. But make sure they go beyond assessing employees’ knowledge of traditional scams — such as emails purporting to be from PayPal, Wells Fargo and UPS. On tests, emails from these sources get much lower click-through rates (1-5% range) than spear phishing campaigns, which show click-through rates upwards of 40-50%.
- The ‘I Just Left It For A Second’ Mistake
Mobile devices are great ways to empower employees to be productive outside the office — until they put them down and let others tamper with the applications they run. Even desktop systems can be compromised in offices that are left unlocked. An identity management strategy should factor in the typical scenarios in which your team makes use of the tools you provide them — and ensure they’re safe from third parties who may happen to wind up with them.
If this list seems overwhelming, it’s a lot easier with a partner who can help address all these mistakes, and more. Simeio, for example, offers the Simeio Identity Orchestrator platform, designed to simplify the operation of complex, multi-vendor IAM and security infrastructures. Identify users and behavior patterns, and bring more security to your perimeter.
With almost 20 years of writing and editing under her belt – including CNN and HomeDepot.com content – Jayne is currently immersed in cybersecurity, #AI and infosec trends. She is the Editor in Chief of this blog and the Director of Content and Social for Simeio Solutions.