Protecting sensitive data and maintaining strong cybersecurity practices have become paramount for companies of all sizes, with the global costs of cybercrime projected to reach $13 billion over the next five years. To help companies strengthen their digital defenses, here are six cybersecurity mistakes to avoid:
- Don't forget your phone system
With VoIP cloud telephony solutions, employees can access the enterprise phone system from their mobile phones using VoIP handsets or browser softphones. This means they are connected wherever they are, via a computer or a mobile phone.
However, this mobility and accessibility also come with security risks, says Euphoria Telecom CTO Nic Laschinger. “This needs to be mitigated on your network: ensure you have improved data security – firewalls, antivirus, anti-malware, etc. – and make sure your supplier does too.”
Your telephony provider can encrypt your voice data and routing information, using strong algorithms and encryption keys to protect the information from snoops (who want to listen in on your calls) and data theft. IPsec is the industry standard used to secure communications on the Internet.
- Don't work blindly
Tony Walt, co-founder and director of cybersecurity software company Port443, says many organizations get so caught up in the details of their security systems that they don't see the big picture.
“A big mistake many organizations make is seeing critical metrics, alerts and incidents across the entire ICT asset (cloud, network, security) in isolation. A small change in one area can have unforeseen consequences in another area. Therefore, it is essential to have visibility of all assets,” he explains.
Companies that use systems vendors that don't offer real-time monitoring and reporting on downtime, security events and other incidents lose this critical visibility, says Charlotte Koep, COO of the insurtech Root platform.
“Downtime and platform vulnerabilities have important business impacts for enterprises. The insurance industry, for example, is a highly regulated space that deals with reams of personal data every day. Insurers need to be able to monitor and hold cloud service providers to account.
“This often leads to cumbersome manual reporting and monitoring of KPIs and SLAs, while next-generation cloud platform vendors are able to provide real-time, public-facing monitoring and visibility,” says Koep.
- Do not use manual systems
Walt says trying to manually distinguish between the “alarms” raised by their security monitoring software is time-consuming and can leave companies exposed to cybercriminals.
“Expecting IT people to quickly and accurately distinguish between true positives, false positives, false negatives and true negatives is neither efficient nor safe. With the absolute increase in the volume of compromise incidents, automation is a necessity,” explains Walt.
- Don't forget your admin portals
Judy Winn, director of information security at Peach Payments, says that companies often forget to protect their back office portals and support systems with strong authentication practices.
“This includes strong passwords, good policies and practices for managing user access and activating two-factor authentication whenever this is offered by the systems,” says Winn.
- Check with your partners and suppliers
Winn says companies should clarify with their suppliers and partners who is responsible. Online retailers, for example, need to confirm what is the responsibility of their different technology providers, such as the payment gateway, website hosting providers and website developers.
“Also check with your vendors what controls and security measures they offer by default and what additional security measures are available or recommended,” suggests Winn.
Koep suggests that companies use trusted technology vendors that can demonstrate security controls are in place and, where possible, audited to a recognized standard such as SOC2, ISO3000 and similar ones.
- Train your employees – and your management
“Companies need to make sure all of their employees are aware of potential phishing attacks, social engineering and other cyberattacks that may be hitting them,” says Winn.
Koep says that companies cannot assume that outsourcing to the cloud transfers responsibility for security to the outsourced cloud provider.
“It is still necessary to ensure the existence of your own internal controls. Make sure your staff protects your credentials, is trained in security and privacy and does not introduce vulnerabilities in your systems or those of your technology provider,” warns Koep.
“The data shows that around 80% of recorded breaches today include a human element, such as misuse of privileges, social engineering and theft of usernames and passwords.”
And if you think training is only necessary for lower-level staff, think again. Walt notes that boards of directors and management are responsible (and can be held personally liable) for violations that affect the company, its customers and suppliers.






