47% of SMBs don't understand how to protect their organizations' technology from ever-increasing security threats. This number is so high because security is often an afterthought, mainly due to security being unseen. It typically doesn't affect business performance or ROI until it's too late – a data breach occurs, or information is inaccessible. This causes severe business disruption through downtime and can be costly financially. We help many of these organizations pinpoint areas of vulnerability.
After working with many businesses over the years, we see a common trend. Firstly, about half the companies we talk with think their technology is working fine, and there are no security issues. The other half will acknowledge they likely have areas of improvement but don't know where they could be vulnerable. In both cases, when we dig into a security audit, we always find something to improve on to ensure their business continues to operate, and they are best enabled to grow.
An example of this is a software company that we recently did a security assessment for. We found a file with all their company passwords that everyone could see – coincidentally with, you guessed it, no password. Company leadership didn't know that file existed. We found it easily since it was in the top-level directory. Any hacker who gained access to their system would find it easily as well and would have had access to everything within their company. Sensitive data is often stored in places no one intended, causing it to be forgotten and potentially accessible to users without proper permissions.
Another company's security assessment revealed a massive breach that had been exploited. We found that an unknown actor accessed their system two years prior. They literally had keys to the castle and were inside the walls, just waiting for the right time to act. Fortunately, we caught it in time to secure the system and lock them out before harm could be done, but this was lucky. We don’t want to rely on lucky timing when it comes to security! Simple patching and monitoring could have prevented the breach from ever happening, and when asked, the previous "IT Guy" said he didn't patch because everything was "behind a firewall." Unfortunately, while that was true, services were available through the firewall that needed to be patched.
Here are a few ways to avoid a security vulnerability.
- Ensure only currently employed user accounts are active. Half of all user accounts are dormant and are favored targets for cyber criminals.
- Keep systems inventory updated and identify what is authorized for use. Unaccounted for systems are a key vector for attackers. In 2017, manufacturing companies were hit hard by the WannaCry ransomware attack because many of them used unsupported legacy systems.
- Give end-users only the level of permissions they need to do their jobs. An often-overlooked aspect of security is that end-users may have too many account privileges or may not be authorized to have accounts in the first place.
- Deploy patches as they are released. 60% of companies that have experienced security breaches say they could have occurred because a patch was not applied. Regular patching is necessary.
- Educate all your employees about what suspicious emails look like. Email is the biggest vector for attacks. Despite transition to fileless attacks and phishing, attachments are nevertheless a common way to be breached. Filtering and mail scanning helps, but making sure end users know how attacks can happen and what to do when something looks suspicious makes a big difference.
These are just a few ways you can help to secure your technology environment. If you want to talk with us about how we can help, please reach out. Our team can do a quick security assessment to identify vulnerabilities and what you should fix to ensure your business continues to operate successfully.