Lack of security awareness training
Most companies run cybersecurity training regularly, but few see a lasting result from it: a single annual session is forgotten long before the next phishing email arrives.
Solutions:
At a minimum, quarterly or annual cybersecurity awareness training should cover:
- Reasons for and importance of cybersecurity training
- Phishing and online scams
- Locking computers
- Password management
- Relevant, realistic scenarios drawn from the employees' own roles (a fake invoice for finance, a fake password-reset for IT)
Weak login passwords
Attackers mine public profiles (employer, city, pet names, birth years, sports teams) for likely password components and try the combinations until one works. Dictionary attacks automate this: they run through lists of common words and leaked passwords, plus predictable variations such as a capital letter, a trailing digit or an exclamation mark, until a match is found.
Solutions:
- Require employees to use a unique password for every account, so one compromised password cannot be replayed elsewhere.
- Require complex passwords of at least 12 characters. Note that a dictionary word with a digit and a symbol bolted on is not complex in any useful sense; a long random string or a multi-word passphrase is far stronger. Require a change whenever there is reason to believe a password has been compromised, and pair passwords with multi-factor authentication wherever it is available.
- Use password manager software to generate and store strong, individual passwords for every app, website and device.
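The following added example (not part of the original page) shows why the rules above matter. It simulates an offline dictionary attack against a constructed hash dump: the wordlist, suffix list and leet mapping are assumptions standing in for the far larger lists and rule engines real cracking tools use, and unsalted SHA-256 stands in for a leaked hash. It also shows what a password manager does instead (draw from a CSPRNG) and applies the page's policy (12+ characters, no reuse) plus a dictionary check.

```python
import hashlib
import secrets
import string

# Constructed wordlist. A real attacker uses leaked-password lists plus words
# harvested from the target's public profiles (employer, city, pet, birth year).
WORDLIST = ["password", "welcome", "summer", "acme", "fluffy", "toronto"]
# Cheap "complexity" users bolt onto a word; every cracking rule engine tries these.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2023", "2024"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def candidates(words):
    """Yield the mangled variants a basic dictionary attack would try."""
    for word in words:
        bases = dict.fromkeys([word, word.capitalize(), word.upper(), word.translate(LEET)])
        for base in bases:
            for suffix in SUFFIXES:
                yield base + suffix


def sha256(text):
    # Unsalted SHA-256 stands in for a leaked hash dump; against a fast hash a GPU
    # rig tries billions of candidates per second, so the wordlist is what limits it.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, words):
    """Return {hash: plaintext} for every target hash recovered from the wordlist."""
    remaining = set(target_hashes)
    found = {}
    for cand in candidates(words):
        if not remaining:
            break
        h = sha256(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
    return found


def generate_password(length=16):
    """What a password manager does: a uniformly random string from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def violates_policy(password, already_used):
    """Apply the page's rule (12+ characters, never reused) plus a dictionary check."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password in already_used:
        problems.append("reused from another account")
    if password.lower() in {c.lower() for c in candidates(WORDLIST)}:
        problems.append("a dictionary word with a predictable suffix")
    return problems


if __name__ == "__main__":
    leaked = {sha256(p): p for p in ["Password1!", "fluffy2024", generate_password()]}
    recovered = crack(leaked, WORDLIST)
    for h, plain in leaked.items():
        print(f"{plain!r:>22}: {'CRACKED' if h in recovered else 'survived'}")
```

"Password1!" satisfies the usual "upper, lower, digit, symbol" checkbox and still falls in a few hundred guesses; the 16-character random string survives because no wordlist contains it.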
Third-party password/information breaches
Air Canada mobile app breach affects 20,000 people
Solutions:
- Don't let any online payment system store your personal information or payment card data (the data PCI DSS exists to protect) unless it genuinely needs to.
- Use a different password for every sign-up, so a breach at one third party cannot be used to log in to your other accounts.
Flat internal network
Most companies neither compartmentalize their data nor segment their internal network. On a flat network everyone from interns to board members, and any attacker who gains a foothold on one machine, can reach the same company files and servers.
Solutions:
- Segment the network: put users, servers, guests and management interfaces on separate private networks and allow only the traffic between them that the business actually needs.
- Set up tiered levels of access, granting permission on each level only to those who need it.
- Limit the number of people who can change system configurations.
- Don't give employees admin privileges on their own devices unless they genuinely require them. Even employees with admin rights should use a separate admin account only when needed, not for routine work.
- Enforce dual sign-off before payments over a set amount can be processed, to combat CEO fraud (business email compromise).
Out-of-date OS or antivirus software
Company and personal computers alike should keep their operating system and antivirus software up to date; unpatched systems are compromised by exploits that were public, and fixed, months or years earlier.
Solutions:
- Retire all out-of-date operating systems, or physically isolate any legacy system that cannot be retired.
- Schedule all system updates to install automatically after work hours.
- Don't let any employee, whatever their title, opt out of this policy.
Opening email malware/phishing links
Unknown links or attachments in an email can deliver malware that gives cybercriminals a backdoor into your internal network, or lead to a fake login page that harvests credentials.
Solutions:
- Advise employees not to open emails from people they don't know, and to verify unexpected requests from people they do know through a second channel, since senders can be spoofed.
- Advise employees never to open unknown attachments or click unknown links; hovering over a link to see where it really goes takes a second.
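The "where does the link really go" check can be automated at the mail gateway. The following added example (not from the original page) parses a constructed HTML email body, pulls out every link, and flags the three tricks phishing kits use most: a target that is a raw IP address, a punycode (xn--) hostname that may be a homograph of a known brand, and visible text that shows one hostname while the href points at another. The sample message is constructed for the example; the hostnames in it are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something that looks like a hostname inside the clickable text.
TEXT_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons this link is suspicious; an empty list means no finding."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return []  # mailto:, tel: and relative links are out of scope here
    reasons = []
    if is_ip(host):
        reasons.append("link target is a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode hostname, possible homograph of a known brand")
    m = TEXT_HOST_RE.search(text)
    if m and m.group(1).lower() != host:
        reasons.append(f"text shows {m.group(1)} but link goes to {host}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link that triggered at least one check."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Your invoice is ready. Sign in at
<a href="https://www.example.com/login">https://www.example.com/login</a>.</p>
<p>Or use the quick link: <a href="http://198.51.100.23/login">https://www.example.com/login</a></p>
<p>Questions? Visit <a href="https://example.com.billing-portal.net/help">example.com</a>
or <a href="https://www.xn--exmple-cua.com/">Example Support</a>.</p>
<p><a href="mailto:billing@example.com">Email us</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href}\n  text: {text!r}\n  " + "\n  ".join(reasons))
```

The first link passes because text and target agree; the next three are flagged. The "example.com.billing-portal.net" case is the one people miss in training: the brand name is genuinely in the hostname, just not as the registered domain.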
Opening adware
Adware installed by accident (bundled with a "free" download or a fake update prompt) can itself open a backdoor or pull further malware onto your computer.
Solutions:
- Security awareness training, so staff recognize fake download buttons and "your computer is infected" pop-ups.
- Keep the web browser and antivirus software up to date, and install software only from approved sources.
Unsecured mobile devices
Unsecured or unmanaged mobile devices are easy targets: they hold company email and credentials, leave the office every day, and are routinely lost or stolen.
Solutions:
- Every device should be protected with a password, PIN or biometric lock, with storage encryption turned on so a lock-screen bypass does not expose the data.
- If a device is lost or stolen, employees must know whom to report it to, and there must be a documented procedure to lock or wipe the device remotely.
- Use an endpoint security or mobile device management solution to manage mobile devices remotely.
- Don't conduct confidential transactions over untrusted public Wi-Fi, or at least use the company VPN when you must.
Insecure configuration
Insecure configuration is one of the most underrated threats to cybersecurity: default passwords, services left enabled, and settings that were never hardened are what attackers find first.
Solutions:
- Apply a secure configuration policy to all IT devices.
- Adopt a secure configuration baseline and hardening guideline, and check every system against it rather than assuming it was applied.
- Perform regular security assessments to verify the baseline is still in place after changes.
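Checking a system against a baseline is mechanical once the baseline is written down. The following added example (not from the original page) does it for an OpenSSH server configuration: it parses sshd_config the way sshd does (first value wins, comments stripped, conditional Match blocks set aside), fills in OpenSSH's documented defaults for absent keywords so silence is judged on its effective setting, and reports deviations. The baseline itself is a hypothetical one for this example, and both configuration texts are constructed, not taken from a real host.

```python
import re

# Hypothetical baseline (an assumption for this example, not the text of any standard):
# keyword -> required value, keywords lower-cased because sshd ignores case.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# What sshd uses when the keyword is absent (sshd_config(5) defaults, OpenSSH 7.0+),
# so an empty config is judged on its effective settings, not on silence.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the FIRST value it sees for a keyword, so later duplicates are
    ignored here too. Parsing stops at the first Match block, whose settings
    apply only conditionally and need separate review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_baseline(settings, baseline=BASELINE, defaults=DEFAULTS):
    """Return [(keyword, effective_value, required_value)] for each deviation."""
    findings = []
    for key, required in baseline.items():
        effective = settings.get(key, defaults.get(key, "<unset>"))
        if effective.lower() != required:
            findings.append((key, effective, required))
    return findings


# Constructed example of a weak configuration, not taken from a real host.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd already took the first value
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

# The same host after the baseline has been applied.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_baseline(parse_sshd_config(cfg))
        print(f"{name}: {len(findings)} deviation(s)")
        for key, got, want in findings:
            print(f"  {key}: is {got!r}, baseline requires {want!r}")
```

The duplicate PasswordAuthentication line in the weak config is the kind of thing a quick grep gets wrong: the second line looks like a fix, but sshd honours the first occurrence, so the host still accepts passwords. Run against an empty file, the check also reports the two defaults (root login with keys, password authentication on) that the baseline does not accept.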
Zero-day/APT attacks
A zero-day vulnerability is a vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating it. An advanced persistent threat (APT) is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
Solutions:
- Defense in depth and a zero-trust network architecture: since no single control stops an unknown exploit, layer segmentation, least privilege, strong authentication, and monitoring so that an intrusion that gets past prevention is detected before it becomes "persistent".