Having dealt with clients from numerous industries, I’ve noticed the many security vulnerabilities that constantly and consistently get overlooked - and altogether ignored.
In the ever-evolving world of information technology, the fight between good and evil is a stark constant. It is represented in a modern tint by hordes of salaried IT administrators using every tool at their disposal to combat the world’s increasingly clever hackers. This environment requires firms with priceless data to take a proactive, all-encompassing approach towards their security. A large budget doesn’t guarantee an airtight system, however, and even the largest corporations have been known to overlook many common security liabilities.
1. Open Source Isn’t as Safe as You Think
The average development process is much more informal and much less airtight than it used to be. With countless resources available via search engines, companies big and small can develop a functional web application with a bit of their own code, shortcuts offered by the numerous collaborative dev communities, and of course a plethora of open source components. Open source is becoming a more popular model because startups with budget constraints can enjoy free, functional software that is also constantly improving and evolving. These companies rarely have the time or budget to build their own entire solutions from scratch, let alone put every borrowed component through the proper review checkpoints.
By common industry estimates, open source components make up around 80% of the code in a modern application. Development and security teams therefore can no longer afford to overlook known vulnerabilities in those components. Attackers know how lucrative these flaws are: once a vulnerability in a widely used library is disclosed, the details, often including working exploit code, are public, and a single vulnerable component can expose every application that bundles it, including the transitive dependencies nobody on the team consciously chose.
To combat this, many rely on platforms such as WhiteSource, an open source security management solution, which detects known vulnerabilities in real time throughout the SDLC, including post-deployment. According to the company's research, the number of reported open source vulnerabilities rose by 51.2% in 2017.
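What a tool in this category does at its core is compare every pinned dependency (direct and transitive) against an advisory database and report the ones whose version falls in a vulnerable range. The following is an added example, not code from the original article or from WhiteSource, that implements that matching step over a constructed lock file and a constructed advisory list; the package names and `ADV-000x` identifiers are placeholders, not real packages or CVEs, and the "introduced / fixed" range convention is the one vulnerability databases commonly use.

```python
"""Minimal software-composition check: match pinned dependencies against
known-vulnerable version ranges.  Advisory data and lock file are constructed
for illustration (placeholder names and identifiers, not real CVEs)."""
import re

# Constructed advisory records: (package, introduced, fixed, advisory id).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "ADV-0001"),
    ("examplelib", "2.0.0", "2.1.0", "ADV-0002"),
    ("netparse",   "0.9.0", "1.0.0", "ADV-0003"),
]

# Constructed lock file in pip's "name==version" pinned format.  A real lock
# file would also list transitive dependencies, which is the point: the scan
# has to cover components the developers never picked by hand.
LOCK_FILE = """\
examplelib==1.3.0
netparse==1.2.1
json-helper==3.2.0
examplelib==2.0.5
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$")


def parse_version(s):
    """Turn '1.4.2' (or '1.4') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", s)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def parse_lock(text):
    """Return [(name, version)] from a pinned requirements file.

    Unpinned lines (e.g. 'foo>=1.0') are rejected: without an exact version
    there is nothing to compare against an advisory range.
    """
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps.append((m.group(1).lower(), m.group(2)))
    return deps


def is_affected(version, introduced, fixed):
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return [(name, version, advisory_id, first_fixed_version)]."""
    findings = []
    for name, version in deps:
        for pkg, introduced, fixed, adv_id in advisories:
            if pkg == name and is_affected(version, introduced, fixed):
                findings.append((name, version, adv_id, fixed))
    return findings


if __name__ == "__main__":
    for name, ver, adv, fixed in find_vulnerable(parse_lock(LOCK_FILE)):
        print(f"{name}=={ver}: {adv}, upgrade to >= {fixed}")
```

Two details matter more than the matching itself. The scan must run against the resolved lock file rather than the top-level requirements list, because the vulnerable component is usually something pulled in indirectly, and it must re-run on a schedule after deployment, because the advisory list changes while the lock file does not.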
2. Even the Best People Are Error-Prone
Even the best IT employees are only human, and this means they cannot be completely error-free. All the more so for less tech-savvy team members. Unfortunately for corporate networks, malware and opportunistic hackers only need to find one vulnerable PC, or one unwitting accomplice, to create a billion-dollar liability. That's why it's so important to make sure employees in all departments have a basic comprehension of best practices for data privacy and for recognizing "social engineering" attacks.
Automated software can do a great deal to close the gaps left by forgetful or untrained employees. Platforms that automate and manage patching, permissions, and other moving parts help IT administrators keep track of the hundreds of loose ends they face daily, and compensate for their own shortcomings as well.
Another option is to use new tools that help train employees using technology and gamification, such as HoxHunt, which recently closed a Series A funding round to take its solution global. This platform’s AI engine connects to a firm’s network and monitors employees, learning their behavior and individual weaknesses, and then sends simulated phishing emails and other faux attacks that these employees are then rewarded for identifying.
3. A Compromised Internet of Things
Our growing Internet of Things is a vast network of interconnected smart appliances, retail electronics and countless other devices that link together and stream data, but can also be reached from outside. Not only are these devices less secure on average, they also fly under the radar of corporate IT security practices. Many devices are not recognized as IoT-enabled at all, which becomes a threat when they enter corporate premises or when an employee works from home. An employee working from their couch might be unknowingly holding the door open for attackers who got onto the home Wi-Fi network through a poorly secured smart fridge or toaster.
With countless attack vectors for a savvy hacker to take, corporations need to address IoT security sooner rather than later. Many companies are rising to the challenge with Network Access Control (NAC) tools like FortiNAC that automate device discovery and let administrators see every device connected to their network. Such platforms also automate the response when a specific device connects, for example keeping an unrecognized device in a restricted segment until it has been identified, which improves both IT efficiency and flexibility. The prerequisite for any of this is an inventory: you cannot decide whether a device belongs on the network until you know which devices are supposed to be there.
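The discovery half of that job reduces to a simple loop that a practitioner can run long before buying a NAC product: list what is actually on the wire, compare it with the devices you know about, and flag the rest. The following is an added example, not code from the original article or from FortiNAC, that does this over constructed `ip neigh` style output, a constructed device inventory and a constructed OUI-to-vendor table (the MAC prefixes and vendor names are placeholders). It also marks locally administered addresses, the bit most randomized Wi-Fi MACs set, since those can never be matched to a vendor and usually mean a personal phone or laptop rather than corporate gear.

```python
"""Discover and triage devices seen on the LAN against a known-device list.
Neighbour table, inventory and OUI table below are constructed for
illustration; MAC prefixes and vendor names are placeholders."""
import re
from collections import namedtuple

# Constructed output in the format of `ip -4 neigh show`.
NEIGH_OUTPUT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.168.1.23 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
192.168.1.57 dev eth0 lladdr 00:1e:c0:de:ad:01 REACHABLE
192.168.1.80 dev eth0 lladdr 02:7f:3a:91:44:c8 REACHABLE
192.168.1.90 dev eth0 FAILED
"""

# Constructed inventory: MACs that are allowed and what they are.
INVENTORY = {
    "00:11:22:aa:bb:01": "core-switch-uplink",
    "00:11:22:aa:bb:02": "printer-2f",
}

# Constructed OUI table (first three octets -> vendor).  A real deployment
# would load the IEEE registry; these prefixes are placeholders.
OUI_VENDORS = {
    "00:11:22": "ExampleNet Inc.",
    "00:1e:c0": "SmartAppliance Co.",
}

Device = namedtuple("Device", "ip mac status hostname vendor")

# lladdr is optional: FAILED/INCOMPLETE entries carry no MAC address.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))? (?P<state>\S+)$"
)


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomized MACs used by modern phones and laptops set this bit, so such
    an address cannot be attributed to a hardware vendor via its OUI.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify(neigh_text, inventory=INVENTORY, oui=OUI_VENDORS):
    """Split neighbour-table entries into inventoried and unknown devices."""
    known, unknown = [], []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        vendor = oui.get(mac[:8])
        if mac in inventory:
            known.append(Device(ip, mac, "inventoried", inventory[mac], vendor))
        elif is_locally_administered(mac):
            unknown.append(Device(ip, mac, "unknown-random-mac", None, None))
        else:
            unknown.append(Device(ip, mac, "unknown", None, vendor))
    return known, unknown


if __name__ == "__main__":
    known, unknown = classify(NEIGH_OUTPUT)
    print(f"{len(known)} inventoried device(s)")
    for d in unknown:
        print(f"UNKNOWN {d.ip} {d.mac} status={d.status} vendor={d.vendor}")
```

A MAC address is an identifier, not an authenticator, so this list is a starting point for investigation and for policy (quarantine unknowns, review the vendor hint), not proof of what a device is; anyone can spoof one of the inventoried addresses. The smart-appliance vendor hint on an unknown device is exactly the signal this section is about: an IoT device that nobody in IT registered.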
4. Old IT Infrastructure
Whether due to a tight budget or a long workday, the age of a firm's network infrastructure often goes overlooked. Corporate IT hardware manufacturers like Cisco, Alcatel, and HP, large as they are, do not patch older models indefinitely; at some point they stop issuing firmware and security updates for a product line, which is what end-of-life (or end-of-support) means. A device that no longer receives updates is dead in the water from a security standpoint: every vulnerability found after that date stays unpatched, which makes such devices low-hanging fruit for enterprising hackers.
IT maintainers should thoroughly record the model, serial number and purchase date of every piece of company equipment and log each manufacturer's specific support termination date alongside it. They must also make room in the budget ahead of time to conduct sweeping device replacements when necessary and purchase new hardware rather than consider used options. This type of discipline is the only way to ensure that the firmware is sound on every single relevant device.
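Keeping that record is only useful if something reads it. The following is an added example, not code from the original article, that turns a constructed asset inventory (asset names, serial numbers and dates are all made up) into a replacement list: assets already past end-of-support, assets whose support ends inside a budget lead time, and assets whose end-of-support date was never recorded, which is itself a finding because an unknown date usually means nobody checked.

```python
"""Flag network assets by vendor end-of-support date.  The inventory below is
constructed for illustration; asset names, serials and dates are made up."""
import csv
import io
from datetime import date, timedelta

# Constructed inventory, one row per device.  An empty end_of_support field
# means the date was never looked up.
INVENTORY_CSV = """\
asset,serial,purchased,end_of_support
edge-router-1,SN-AAA-0001,2014-03-10,2019-06-30
core-switch-2,SN-BBB-0042,2019-11-02,2026-12-31
desk-phone-17,SN-CCC-0199,2016-05-20,2024-09-01
lab-ap-3,SN-DDD-0007,2021-01-15,
"""


def load_inventory(text):
    """Parse the CSV; dates become date objects, a blank EOS becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["purchased"] = date.fromisoformat(row["purchased"])
        eos = row["end_of_support"].strip()
        row["end_of_support"] = date.fromisoformat(eos) if eos else None
        rows.append(row)
    return rows


def triage(rows, today, lead_time_days=365):
    """Bucket assets relative to `today` (a date or ISO string).

    lead_time_days is how far ahead replacement money must be budgeted;
    anything whose support ends inside that window goes to replace_soon.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    horizon = today + timedelta(days=lead_time_days)
    buckets = {"unsupported": [], "replace_soon": [], "ok": [], "unknown_eos": []}
    for r in rows:
        eos = r["end_of_support"]
        if eos is None:
            buckets["unknown_eos"].append(r["asset"])
        elif eos <= today:
            buckets["unsupported"].append(r["asset"])
        elif eos <= horizon:
            buckets["replace_soon"].append(r["asset"])
        else:
            buckets["ok"].append(r["asset"])
    return buckets


if __name__ == "__main__":
    for bucket, assets in triage(load_inventory(INVENTORY_CSV), date.today()).items():
        print(f"{bucket}: {', '.join(assets) or '-'}")
```

Run this from a scheduled job and treat a non-empty `unsupported` or `unknown_eos` list as an alert, not a report; the lead time should match however long procurement actually takes in your organization, which is often longer than a year for core network gear.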
5. Making Data Mobile
The proliferation of laptops means desktop PCs are no longer dominant, and this trend has severe consequences for security. Mobility is now the norm, and people carry laptops, tablets, and smartphones full of sensitive company data into untrusted environments every day. If businesses don't take the proper steps to understand where their data is held and where these devices travel, they expose themselves to unnecessary risk.
Increasingly mobile data is the broadest IT issue facing the sector today, and it takes a comprehensive approach to tackle it. That includes basic precautions: training mobile workers to download files and data safely, to manage their cloud settings, and to recognize unsafe public Wi-Fi networks; encrypting the disks of devices that leave the building, so that a lost laptop is an inconvenience rather than a breach; and deploying controls like two-factor authentication. There are also firewall and VPN products that check a device's security posture (patch level, disk encryption, endpoint protection) before it is allowed to connect to a work server.