Too many businesses are still putting their customer and commercial data at risk by failing to patch their systems and follow basic security practices, according to a recent report.
In the tests, nearly half (44%) of the firms penetration tested were vulnerable to brute-force login attacks, meaning that staff passwords were weak enough to be "guessed" by an attacker trying thousands or millions of combinations per minute. Whilst almost any password can be cracked by brute force given enough time, many people make it far easier by choosing simple dictionary words, or by reusing passwords that were already exposed in one of the large-scale breaches of recent years at companies such as Adobe, LinkedIn and Yahoo.
Poor passwords are an ongoing issue, but companies should also be able to spot a brute-force attack and block it long before the attacker has tried enough passwords to break through. Most authentication and identity management systems today do this by counting failed logins per source IP address and rate-limiting or temporarily blocking that source once a threshold is crossed, backed by more advanced analytics such as noticing many different usernames being tried from the same place. One caveat: locking the targeted account rather than the attacking source lets an attacker lock legitimate users out on purpose, so lockouts should be temporary and primarily source-based.
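The detection the paragraph above describes, as an added example that is not part of the original article or the report it summarises: a sliding-window counter over OpenSSH-style authentication log lines that flags a source IP once it accumulates a threshold of failed logins within a short window, and records how many distinct usernames it tried. The log lines, the threshold of 5 failures in 60 seconds and the IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH/syslog format (not real traffic).
# 203.0.113.7 hammers several accounts within seconds; 198.51.100.4 is a
# real user mistyping twice; 192.0.2.55 fails three times over ten minutes.
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 12 10:00:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
Mar 12 10:00:07 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
Mar 12 10:00:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 12 10:00:11 host sshd[1211]: Failed password for invalid user guest from 203.0.113.7 port 51127 ssh2
Mar 12 10:02:00 host sshd[1220]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar 12 10:02:20 host sshd[1221]: Failed password for bob from 198.51.100.4 port 40002 ssh2
Mar 12 10:02:35 host sshd[1222]: Accepted password for bob from 198.51.100.4 port 40003 ssh2
Mar 12 10:05:00 host sshd[1230]: Failed password for carol from 192.0.2.55 port 50001 ssh2
Mar 12 10:07:30 host sshd[1231]: Failed password for carol from 192.0.2.55 port 50002 ssh2
Mar 12 10:10:00 host sshd[1232]: Failed password for carol from 192.0.2.55 port 50003 ssh2
"""

# Matches the sshd "Failed password" line; "invalid user" appears when the
# account does not exist, which is itself a sign of username guessing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

THRESHOLD = 5                 # failures ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window trigger an alert


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year, so one is assumed (a known limitation)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: summary} for every source that crossed the threshold.

    Lines must be in chronological order (as a log file is). Successful
    logins and unrelated lines are ignored; only failures are counted.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    totals = defaultdict(int)     # ip -> all failures seen
    users = defaultdict(set)      # ip -> distinct usernames attempted
    first_flagged = {}            # ip -> time the threshold was first crossed

    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        totals[ip] += 1
        users[ip].add(m["user"])

        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in first_flagged:
            first_flagged[ip] = ts

    return {
        ip: {
            "failures": totals[ip],
            "users": sorted(users[ip]),
            "flagged_at": ts.strftime("%H:%M:%S"),
            # many usernames from one source is spraying/enumeration rather
            # than a single account being hammered
            "pattern": "spray" if len(users[ip]) >= 3 else "single-account",
        }
        for ip, ts in first_flagged.items()
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {info}")
```

On the sample above only 203.0.113.7 is reported, at 10:00:09, after its fifth failure in eight seconds; the two mistakes by bob and the three slow failures from 192.0.2.55 never reach five in any 60-second window, so legitimate users are left alone. In production the same counter would drive a temporary firewall or WAF block on the source address rather than a lockout of the accounts it tried.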
Beyond login vulnerabilities, nearly a third (31%) of the companies tested were still exposed to WannaCry, the ransomware worm that spread through a flaw in Windows SMBv1 which Microsoft had patched in MS17-010 two months before the outbreak. WannaCry encrypted data and demanded payment for its release, and caused significant disruption for a number of organisations around the world, including the UK's NHS. Whilst the impact of the ransomware was limited thanks to a security researcher registering the "kill-switch" domain that the malware checked before encrypting, it highlighted how vulnerable the IT systems of many businesses and government departments were to new digital threats.
Far too many businesses failed the phishing tests too, with more than a quarter (26%) of employees clicking links in phishing emails. That shows them vulnerable to generalised phishing attacks, and even more so to targeted "spear-phishing" campaigns. Whilst in these tests the links were harmless, an employee who clicks through in a real attack and then enters their password on a fake login page puts both their own laptop and the company's wider infrastructure at risk.
How to combat these risks?
Cybersecurity is a game of cat-and-mouse, with attackers constantly finding new vulnerabilities to exploit and software and security companies releasing patches to close them, so the first thing for any company to do is to keep its software up to date. No-one should be clicking "remind me later" on updates for months on end; patches should be applied as soon as possible. WannaCry is the case in point: the fix had been available for two months when the worm struck.
Even companies with a secure infrastructure can be undermined by employees failing to keep their own computers secure, so Windows desktop virtualisation (virtual desktop infrastructure) allows a company to lock down its users' desktops centrally, whilst still giving them the freedom to do their jobs.
And lastly, it is more important than ever for everyone to use a strong, unique password for every service they use. We all log in to dozens or more websites and services every day, so remembering so many passwords is near impossible; a password manager such as LastPass, Dashlane or 1Password is now a must for business and home use.
Photograph by Typography Images