At least once in your life, you've been cyberpwned. And chances are that you know exactly what triggered the successful attack.
In the modern world, we all know the best cybersecurity practices. In theory. But it's the worst practices that cause all the problems. And sometimes, even the best of the best, the IT pros, tend to forget what you should not do.
In this article, we will discuss the worst cybersecurity practices you might have seen, practiced, or been hit for.
Bad Practice #1: “It Won't Happen to Me”
Nobody likes to think about possible bad things happening in their lives. These are troubling thoughts that don't make your life easier, and nobody says that life is easy in the first place. But how does that habit turn out to be one of the worst cybersecurity practices?
You see, your network is under constant attack. Malefactors look for loopholes, bots scan for open ports around the clock, and dozens of phishing emails are sent to you and your end users daily.
And the chances that at least one of these attacks will succeed are alarmingly high. At this point, some might say that such attacks are aimed exclusively at enterprise-grade businesses, and “It won't happen to my small company.” That opinion is a big mistake.
Yes, cybercriminals are aiming for enterprise-grade companies for the enterprise-grade ransom. But they typically face enterprise-grade cybersecurity policies and tech. When we talk about small and medium-sized companies, yes, the average amount of ransom paid is probably smaller, but the chances that smaller companies will have thorough cyber-protection are also significantly lower.
According to Purplesec, 44% of small businesses were hit by ransomware at least once in previous years, and 48% were hit multiple times. And about 70% of small businesses are not protected well enough against cyberattacks.
So why exactly does this “it won't happen to us” thought emerge? It's because of the expected expenses and the complexity of adopting thorough cybersecurity solutions. Yes, it's expensive, and you probably haven't budgeted for a full-on SIEM suite and an additional security engineer. And then comes the complexity factor. You need to set up, audit, fix, maintain, and manage all of it, and do this regularly.
In the end, most people tend to start thinking, “Well, it's too expensive and complex for us. And after all, attacks are aimed at enterprises.”
Bad Practice #2: Being Careless About Recent Attacks
So, you've been breached. You have successfully recovered and fixed the consequences. Some tend to think that this is enough, since you've recovered. Not so. At this point, what you should do is perform a security audit to find the root cause, the flaws in your network that made the attack possible, and fix them; otherwise the same door is still open for the next attacker.
On the other hand, you shouldn't ignore the attacks happening to others. Check out the news and determine whether there are new attack patterns you can learn from to protect your infrastructure.
Bad Practice #3: Staying Basic
Attacks evolve, and the malefactors find new ways to sneak through your defenses each year. The cybersecurity market has answers to this. New tools and approaches emerge, not to mention the new, complex platforms that can defend your infrastructure as a whole.
So what you really shouldn't do is stay with the same “good old” apps that you've been using for ages. Once a product reaches end of life it no longer receives security patches, and every vulnerability found in it after that date stays open on your network for good.
Bad Practice #4: Poor Password Security Rules
Your password policy is the first line of defense for most attacks aimed at your network, your email services, and your cloud applications. As soon as you start thinking, “I'll use ’123456admin’ as the password here, since no one will ever try to intrude into this service,” you're laying yourself open to an upcoming disaster.
Also, there are two more of the worst password-related practices that you should be aware of:
- Letting your users choose their passwords with no guardrails. Believe it or not, left to themselves, hardly any user will choose a genuinely strong password. It will be their dog’s name 9 times out of 10. At a minimum, enforce a sensible length and reject passwords that appear on common-password and breach lists or contain the account name.
- Granting your users admin access. Some tech people tend to give their user administrator access while troubleshooting, and then forget about it. That's not a security loophole, it’s a security nightmare – anything the user runs, including the attachment from a phishing email, now runs with administrator rights, which is a great opportunity to intrude into your whole network through your user's machine. Review privileged group membership regularly and remove every grant that nobody can justify.
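Both bullets above come down to checks you can automate. The script below is an added example, not code from the original article: the first function enforces a password policy in the spirit of NIST SP 800-63B (a length floor, no reuse of the account name or personal details such as a pet's name, and a lookup against a breach corpus using the 5-character SHA-1 prefix split that range-style breach APIs use), and the second diffs privileged group membership in an /etc/group-style file against an approved list so that forgotten "temporary" admin grants surface. The deny-list, the breach corpus, the 12-character minimum and the /etc/group excerpt are all constructed for the demo; in production you would feed it a real breach list and your real group file.

```python
import hashlib
import re

# Constructed deny-list standing in for a real breached-password corpus (assumption:
# production code would use a full breach list or a k-anonymity range API instead).
COMMON_PASSWORDS = {"123456", "password", "123456admin", "qwerty", "letmein", "welcome1"}

def sha1_upper(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Simulated breach corpus keyed by SHA-1, so the lookup mirrors the 5-character
# prefix / suffix split used by range-style breach APIs (constructed data).
BREACHED_SHA1 = {sha1_upper(p) for p in COMMON_PASSWORDS | {"Rex2019!", "Summer2024"}}

MIN_LENGTH = 12  # assumed policy threshold; NIST SP 800-63B sets a floor of 8 and no composition rules

def password_problems(password, username="", personal_tokens=()):
    """Return the reasons a password fails policy (empty list = acceptable).
    Checks length, reuse of account/personal data, trivially low variety and breach exposure."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    for token in personal_tokens:  # pet names, employer, birth year and similar
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal detail '{token}'")
    if len(set(password)) < 4 or re.fullmatch(r"\d+", password):
        problems.append("too little variety (repeated characters or digits only)")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    range_hits = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}  # only the prefix would leave the host
    if suffix in range_hits:
        problems.append("found in breach corpus")
    return problems

# Constructed /etc/group excerpt: what a forgotten "temporary" admin grant looks like.
GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,tmp-support
wheel:x:10:carol
docker:x:998:bob
users:x:100:alice,bob,carol
"""

# Membership in these groups is root-equivalent (docker: a container can mount the host root).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker"}

def unexpected_admins(group_text, approved):
    """Diff privileged group membership against an approved map {group: {users}}.
    Returns (group, user) pairs that nobody signed off on, in file order."""
    findings = []
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name not in PRIVILEGED_GROUPS:
            continue
        for user in filter(None, members.split(",")):
            if user not in approved.get(name, set()):
                findings.append((name, user))
    return findings

if __name__ == "__main__":
    print(password_problems("123456admin", username="admin"))
    print(password_problems("Rex2019!", username="alice", personal_tokens=("Rex",)))
    print(password_problems("correct horse battery staple", username="alice"))
    print(unexpected_admins(GROUP_FILE, {"sudo": {"alice"}, "wheel": {"carol"}}))
```

Run against the constructed data, the first two passwords are rejected on several grounds (the second one is the dog's name plus a year, which the personal-token check catches even before the breach lookup does), the passphrase passes, and the group audit flags `bob` and `tmp-support` in `sudo` plus `bob` in `docker` as grants with no approval on record.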
Bad Practice #5: No Proper Documentation
Once your passwords are secure and strong, your network is well protected, and your applications are up-to-date, it's time to up-level your security policies. You should create proper documentation, including your incident response plans and postmortems of recent incidents.
The reason for this is simple. Ask yourself: do you have an action plan for a successful ransomware intrusion? And do your end users know how to act if they notice one, and whom to notify? Only if you have a well-documented and acknowledged incident response plan, and your employees and tech staff are trained in accordance with it, will you be able to notice the attack in time and minimize its consequences.
Bad Practice #6: Mindless Adoption of New Technology
Some CEOs and CTOs tend to follow every technological trend on the market. And sometimes this makes your network, infrastructure, and application portfolio a chaotic and unmanageable mess. You will face dozens of integrations, a lot of interconnected security rules, and more passwords for the end users than you can safely manage.
All that raises the number of possible attack vectors. Don’t get me wrong, though; you should not be afraid of new technology. Most times it’s essential when you need to up-level your company’s operational potential. It’s adopting it without a proper plan in the first place that makes things uncontrollable.
Bad Practice #7: No Audits or Assessments
Nowadays, even when you are running a fairly small organization, you are managing at least a dozen interconnected cloud and local applications and network services. Not to mention that since the pandemic there is a strong culture of working from home, which means that your resources are decentralized.
Without scheduled audits, you end up in one of two modes: either you hover anxiously over everything that happens on your network, or you “set it and forget it” until some lucky malefactor finds a hole in your infrastructure and uses it. A regular assessment, internal or by an outside party, is what keeps you out of both.
Further reading: IT Security Audit: A Comprehensive Guide
Bad Practice #8: No Security Awareness Training in Place
Some say, “It's always DNS,” when their network is down. Others say, “It's always the end users,” when an attack happens. Both parties are right, at least to some extent.
Many attacks are aimed at end users in the hope that they lack training. There are different types of such attacks: phishing and spear-phishing emails designed to fool people into opening malicious attachments or entering their credentials on a fake login page; brute-force attacks on weak passwords; and social engineering to talk people out of the strong ones, to name just a few examples.
And normal people focused on doing their jobs rather than on everyday cybersecurity training are simply not prepared for all this. So it's unfair to make fun of or be angry with users who fail to comply with standards and practices. They have no idea about such practices in the first place.
Without proper education and regular training, your users will be the biggest glaring hole in your cybersecurity. Experienced system administrators know that, even with proper training, most users tend to forget things and mix them up, but at least some of them will pay attention to the emails they open next time, and a user who knows whom to call when something looks wrong is worth more than any tool.
Further reading: Ransomware Awareness Training: How Are You Talking to Customers About Ransomware?
The Worst Practice: No Disaster Recovery
Building a production environment with no backups, or with backups that have never been test-restored, is like jumping out of a plane with only one parachute. Nine times out of ten it will open, for sure, but the tenth jump won't be fun.
No matter how secure your network is or how good your users are at not opening malicious attachments, there is still a chance of being hacked. And it is quite high, as you can see from the statistics above. Your backup and disaster recovery practices are the last and most essential line of defense in the cybersecurity world. Two caveats a practitioner would add: keep at least one copy offline or immutable, because modern ransomware deliberately looks for reachable backups and encrypts or deletes them first, and restore from your backups on a schedule, because a backup you have never restored is only a hope, not a plan.
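The following script is an added example, not code from the original article, that turns the "tested backups" point into a routine you can run: it backs up a constructed set of "production" files into a gzip tarball, records a SHA-256 manifest at backup time, simulates a crypto-locker overwriting the live data, and then proves the backup is restorable by extracting it into a scratch directory and diffing it against the manifest. It also shows the failure mode the text warns about: a second copy of the archive that "sat on the same share" and got encrypted along with production is reported as unreadable instead of being discovered to be junk on the day you need it. The sample files and the junk pattern are constructed; the overwrite is not real encryption.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile
import zlib

# Constructed sample "production data" for the demo (not real data).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "docs/contract.txt": b"Contract terms v3\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (posix-style relative path) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def create_backup(src_root, archive_path):
    """Write a gzip tarball of src_root and return the manifest taken at backup time.
    The manifest must be stored separately from the archive (off-host), or it dies with it."""
    manifest = build_manifest(src_root)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_root, arcname=".")
    return manifest

def verify_restore(archive_path, manifest):
    """Restore the archive into a scratch directory and diff it against the manifest.
    Returns a list of problems; an empty list means the backup is restorable and intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to maintenance releases)
                # rejects path traversal, absolute names and device nodes in the archive.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(scratch)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    return problems

def simulate_ransomware(root):
    """Overwrite every file under root with junk, the way a crypto-locker would (no real crypto)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            with open(os.path.join(dirpath, name), "wb") as f:
                f.write(b"ENCRYPTED\x00" * 8)

def demo():
    """Back up, get hit, restore. Returns the outcome of each verification."""
    work = tempfile.mkdtemp()
    try:
        prod = os.path.join(work, "prod")
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(prod, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        good_archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(prod, good_archive)

        simulate_ransomware(prod)  # live data is now useless
        live_damaged = build_manifest(prod) != manifest

        # Copy kept off-host and test-restored: extraction works and matches the manifest.
        good_problems = verify_restore(good_archive, manifest)

        # Copy that sat on the same share and was encrypted along with production.
        bad_archive = os.path.join(work, "backup-on-same-share.tar.gz")
        with open(bad_archive, "wb") as f:
            f.write(b"ENCRYPTED\x00" * 64)
        bad_problems = verify_restore(bad_archive, manifest)

        return {"live_data_damaged": live_damaged,
                "good_backup_problems": good_problems,
                "encrypted_backup_detected": bool(bad_problems)}
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```

Schedule `verify_restore` against a random recent archive, not just the newest one, and alert on a non-empty result; the manifest lives wherever the archive does not, since a manifest encrypted together with its archive verifies nothing.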
Further reading: Disaster Recovery Planning Checklist
Imagine for a minute: what will happen if all your production data is crypto-locked and you cannot recover it from your backups? I think that at this point hundreds of thousands of dollars in losses, and even possible bankruptcy, are flashing before your eyes. And that's not an exaggeration; that's exactly how much losing your data could cost your company.