Data Security Mistakes That Could Cost You Millions

Data breaches can be catastrophic for businesses, costing millions in damages. As a business owner, it’s critical to understand the data security mistakes that leave you vulnerable. By avoiding common errors, you can better protect your systems and data.

Failing to Encrypt Sensitive Data

Why Encryption Matters

Encryption encodes data so that only authorized parties can access it. It’s one of the most fundamental data security measures. Without encryption, sensitive information is vulnerable to interception by cybercriminals.

Some types of data that should always be encrypted:

  • Customer data like names, addresses, social security numbers, and payment card information
  • Intellectual property such as proprietary source code and trade secrets
  • Employee data including payroll and health information
  • Business financial data like accounting records and bank statements

Real-World Examples

Failing to use encryption has led to massive damages in real-world breaches:

Bottom Line

  • Use strong encryption like AES-256 for maximum protection of sensitive data.
  • Encrypt data in transit and at rest. Data should remain encrypted even when stored on servers.
  • Consult experts to determine the right encryption strategies for your business. Poor implementation can render encryption useless.

Failing to Patch Known Software Vulnerabilities

The Risks of Unpatched Software

When vulnerabilities in software are discovered, vendors issue patches to address the flaws. Failing to promptly install patches leaves you exposed to attacks. Hackers can exploit known vulnerabilities to breach systems and steal data.

  • In 2017, the WannaCry ransomware infected over 200,000 computers by exploiting unpatched Windows systems. Damages topped $4 billion.
  • In the 2013 Target breach, attackers first gained access by exploiting an unpatched web server. This provided the foothold to eventually steal payment card data.

Prioritizing the Patching Process

  • Use automated tools to inventory hardware and software to know what needs patching.
  • Monitor vendor notices about new patches and vulnerabilities.
  • Patch critical vulnerabilities first – prioritize based on severity and exploitability.
  • Test patches on non-production systems first to avoid disruptions.
  • Set up automated patch management processes to remove human error.

The Takeaway

Neglecting to patch is like leaving your doors and windows wide open for hackers. Prioritizing and automating patching is crucial to avoid massive exposure.

Using Weak or Reused Passwords

Why Strong Passwords Matter

Weak passwords can easily be guessed or cracked with brute force, allowing unauthorized access.

Some common password mistakes:

  • Using simple passwords like “123456” or “password”.
  • Reusing the same credentials across multiple sites.
  • Failing to change default passwords.

When employees reuse passwords across work and personal accounts, a breach of any of those accounts can compromise your entire business.

Best Practices for Passwords

Every account should have a long, complex, unique password:

  • Use 12+ characters – longer is better.
  • Combine letters, numbers and symbols.
  • Avoid common words, phrases and patterns.
  • Use a unique password for each account.
  • Change passwords periodically – at least every 90 days.
  • Use a password manager to generate and store passwords.

Enable multi-factor authentication (MFA) for an added layer of protection beyond passwords.

The Cost of Weak Passwords

  • Zynga was breached in 2019 when an employee reused their corporate password. Data from 218 million Words with Friends players was accessed.
  • LinkedIn, MySpace and Tumblr have all had major password-related breaches.

Key Takeaways

  • Weak and reused passwords are involved in a majority of breaches.
  • Establish and enforce strong password policies across your organization.
  • Use MFA and password managers to improve security.

Allowing Too Many Users Administrative Access

The Dangers of Excess Access

Giving employees more access and privileges than necessary creates major risks:

  • Admin accounts can access and modify sensitive systems and data.
  • Malware infecting admin accounts can spread widely and cause more damage.
  • Departing employees with lingering admin access provide a backdoor for malicious activity.

The principle of least privilege dictates that users should only get the minimum access required to do their jobs.

Identifying Excess Access

  • Audit permissions and privileges periodically to look for unnecessary access.
  • Monitor admin account usage to identify anomalies – infrequent usage can indicate stale access.
  • Use role-based access controls to enforce need-to-know access.

Mitigating the Risks

  • Immediately revoke admin access for employees changing roles or leaving the company.
  • Limit local admin rights on user workstations – use centralized admin controls.
  • Require multi-factor authentication for all admin access.
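The identification and mitigation checks above can be run mechanically over an identity-provider export. The Go program below is an added example written for this article, not code from the original; the Account schema, the 90-day staleness window and the sample rows are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Account is one row of an identity-provider export (constructed schema).
type Account struct {
	User      string
	IsAdmin   bool
	MFA       bool
	Departed  bool
	LastLogin time.Time
}

type Finding struct{ User, Issue string }

// AuditAdmins flags departed users still holding admin rights, admins without
// MFA, and admin accounts idle longer than staleAfter (likely stale access).
func AuditAdmins(accounts []Account, now time.Time, staleAfter time.Duration) []Finding {
	var out []Finding
	for _, a := range accounts {
		if !a.IsAdmin {
			continue // ordinary users are outside this review
		}
		if a.Departed {
			out = append(out, Finding{a.User, "departed employee still holds admin access"})
		}
		if !a.MFA {
			out = append(out, Finding{a.User, "admin account without MFA"})
		}
		if idle := now.Sub(a.LastLogin); idle > staleAfter {
			out = append(out, Finding{a.User, fmt.Sprintf("admin unused for %d days", int(idle.Hours()/24))})
		}
	}
	return out
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// SampleAccounts is a constructed export used to exercise the audit.
var SampleAccounts = []Account{
	{"alice", true, true, false, date(2024, 3, 1)},  // healthy admin
	{"bob", true, false, false, date(2024, 3, 5)},   // admin without MFA
	{"carol", true, true, true, date(2024, 1, 10)},  // left the company, access not revoked
	{"dave", true, true, false, date(2023, 9, 1)},   // admin last seen six months ago
	{"erin", false, false, false, date(2024, 3, 7)}, // ordinary user
}
```

Running `AuditAdmins(SampleAccounts, date(2024, 3, 10), 90*24*time.Hour)` reports bob, carol and dave and leaves alice and erin alone.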

Sobering Statistics

  • At Uber, attackers accessed 57 million customer records in 2016 by stealing login credentials from a GitHub repository accessible to engineers across the company.
  • The US Office of Personnel Management breach exposed 21.5 million records partially due to widespread admin access at the agency.

Key Takeaways

  • Excess admin privileges facilitate devastating breaches.
  • Regularly review and limit access to only what is needed.
  • Promptly deprovision departing employees.

Data breaches can cripple an organization financially and damage customer trust. By identifying and fixing security gaps, companies can help protect their valuable data from compromise. Prioritizing basic measures like encryption, patching and access controls substantially reduces your risk. With cyberthreats constantly evolving, data security requires ongoing vigilance.
