It might be tempting to think of the lax IT security practices that led to the massive data breach on state computers in South Carolina recently as an outlier. Think again.
Research has repeatedly shown (two of many examples are here and here) that a majority of businesses neglect basic IT security practices. If you don’t believe the studies, just follow the news for a few days and you’ll find plenty of proof. It happens every day, endangering customer and employee data and putting companies at risk of big compliance problems.
In South Carolina, hackers from abroad raided a state server that held taxpayer and credit card information for millions of people. About 3.6 million social security numbers and 387,000 credit card numbers were exposed. Why? All because the state hadn’t taken even the most basic steps. Of the credit card numbers, 16,000 were stored without encryption.
Two recent surveys – one of IT security professionals and the other of small businesses – indicate many people still don’t take network security seriously.
The National Cyber Security Alliance, a partnership between the tech industry and the U.S. Department of Homeland Security, surveyed businesses with fewer than 250 employees. Shockingly, although an overwhelming majority of businesses (87 percent) use the Internet every day – and even though 77 percent think a strong cyber security and online safety posture is good for their company’s brand – most still aren’t doing anything about it. For example:
- 87 percent do not have a formal, written Internet security policy for employees. Sixty-nine percent don’t even have an informal Internet security policy for employees.
- 47 percent say a data breach at their business would be viewed as an isolated incident without impact.
- 59 percent say they have no contingency plan outlining procedures for responding to and reporting a data breach such as a loss of customer, credit/debit card information or intellectual property.
- 69 percent said they attempt to manage IT security and management in-house. Meanwhile, 11 percent said no one is responsible for online and cyber security at their business.
- 82 percent have no policies or permissions in place to manage access to company information and/or services when an employee is terminated.
At the same time, a new study of 127 IT security experts around the world found that the increasingly complex nature of network security environments – more devices, more apps, more vendors, more reliance on the Internet – means cyberspace is getting more dangerous all the time. Among the findings: an astounding 75 percent of organizations still manage their network security manually, even among the largest companies.
But it doesn’t have to be you
One big step toward heading off potentially disastrous problems is to bring in security experts to help prevent data loss and ensure IT compliance. Beyond that, experts recommend taking these steps to eliminate system vulnerabilities and shut down every possible avenue of attack:
Head ‘em off at the pass: Shut down the ways hackers get in: default-password violations, SQL injection and targeted malware attacks. Beyond core systems protection, you need automated IT compliance controls assessment, messaging security and other measures.
Data and intelligence: Identify threats by correlating real-time alerts with global intelligence. Security information and event management systems should be used to flag suspicious network activity.
Guard the castle: It’s no longer enough to defend your perimeter. Today, you need to identify and proactively protect sensitive information wherever it is stored, sent or used.
Automate security through compliance controls: You need automated, regular checks on controls such as password settings, server and firewall configurations, among others.
Prevent data exfiltration: Even if an incursion is successful, network software can still be used to detect the breach and keep data from being sent out.
Integration: It’s essential to have a data breach prevention and response plan that is integrated in day-to-day operations on your security team. Using technology to monitor and protect information allows your security team to focus constantly on strategy and reducing risk.
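The automated control checks the list above calls for (password settings, firewall configuration, default credentials, and encryption of stored card data) as a small Python example added here; it is not the post's own tooling. The configuration dict is a constructed sample standing in for settings exported from a real server, and the thresholds (12-character minimum, 90-day rotation, lockout within 10 attempts) are illustrative baseline values, not figures from the post.

```python
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389, 1433, 3306}  # SSH, RDP, MSSQL, MySQL: never open to any source

def check_password_policy(cfg):
    """Password settings: length, rotation and lockout thresholds (illustrative baseline)."""
    p, problems = cfg["password_policy"], []
    if p["min_length"] < 12:
        problems.append(f"min_length {p['min_length']} is below 12")
    if p["max_age_days"] > 90:
        problems.append(f"max_age_days {p['max_age_days']} exceeds 90")
    if not 0 < p["lockout_threshold"] <= 10:
        problems.append(f"lockout_threshold {p['lockout_threshold']} not in 1..10")
    return problems

def check_firewall(cfg):
    """Firewall configuration: flag allow rules that open an admin port to 0.0.0.0/0."""
    return [f"rule {r['id']} exposes port {r['port']} to any source"
            for r in cfg["firewall_rules"]
            if r["action"] == "allow" and r["port"] in ADMIN_PORTS
            and ip_network(r["source"]).prefixlen == 0]

def check_default_credentials(cfg):
    """Accounts still using the vendor-supplied default password."""
    return [f"account {a['name']} still uses a vendor default password"
            for a in cfg["accounts"] if a["default_password"]]

def check_data_at_rest(cfg):
    """Card data must be encrypted wherever it is stored."""
    return [f"store {s['name']} holds card data unencrypted"
            for s in cfg["data_stores"] if s["holds_card_data"] and not s["encrypted"]]

CONTROLS = {"password_policy": check_password_policy, "firewall": check_firewall,
            "default_credentials": check_default_credentials, "data_at_rest": check_data_at_rest}

def assess(cfg):
    """Run every control; return only the controls that failed, with their findings."""
    return {name: findings for name, check in CONTROLS.items() if (findings := check(cfg))}

# Constructed sample configuration (hypothetical values, not from any real system).
SAMPLE_CONFIG = {
    "password_policy": {"min_length": 8, "max_age_days": 365, "lockout_threshold": 0},
    "firewall_rules": [{"id": "fw-1", "action": "allow", "source": "0.0.0.0/0", "port": 443},
                       {"id": "fw-2", "action": "allow", "source": "0.0.0.0/0", "port": 3389},
                       {"id": "fw-3", "action": "allow", "source": "10.0.0.0/8", "port": 22}],
    "accounts": [{"name": "admin", "default_password": False},
                 {"name": "backup", "default_password": True}],
    "data_stores": [{"name": "tax-db", "holds_card_data": True, "encrypted": True},
                    {"name": "legacy-cc", "holds_card_data": True, "encrypted": False}],
}
```

Running `assess(SAMPLE_CONFIG)` on a schedule and diffing the result against the previous run turns these one-off checks into the regular, automated control assessment the post describes.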