It’s a fact that every business needs to accept: everyone is at risk of a cyber-attack. What’s unfortunate is how many companies aren’t taking this seriously.
There are a host of basic best practices that a majority of corporate networks are failing to implement, and it’s leaving them critically vulnerable.
At the very minimum, there are four things every business should be doing to protect their online presence and to protect their customers from the fallout from a cyber-attack: instituting employee password policies; encrypting and hashing sensitive information; hosting their whole site over HTTPS; and keeping their software up-to-date.
Password Policies
If anything in the cybersecurity industry can be called an epidemic, it has to be bad password habits. It’s a serious problem, and one that has been poorly addressed. People are using poorly designed passwords, and they’re reusing them across a multitude of online profiles, meaning that if their login is cracked once, it’s cracked everywhere.
Part of the problem is how we’ve addressed it so far. Some websites and systems take it upon themselves to enforce password requirements mechanically, rejecting passwords for new profiles unless they meet certain criteria. This is problematic for two reasons: first, when faced with the prospect of having to generate yet another complicated “P@s5w0rd!” the user either comes up with something painfully simple and easy to guess with a dictionary attack, or they reuse a password that has worked in the past. Neither is a safe practice.
The other problem is on the hacker’s side. If they know that a website requires a number, a capital letter, and a special character, then they can trim their dictionary attack, dropping every candidate that doesn’t satisfy those rules. So rather than making the passwords harder to crack, the rules actually make it a lot easier.
The matter has been discussed by a number of very smart people, who have all commented on how flawed the system is. While the issue is hard to address with the general public (who tend to take the path of least resistance), something can definitely be done with regard to employees of a company. Good password habits (including the optional use of a password manager) can and should be taught, and a password policy instituted. It won’t fix every case, but if a majority of people get on board, it will significantly reduce the risk of intrusion.
Encryption and Hashing
For reasons that are hard to fathom, many businesses are still keeping sensitive information stored in cleartext. Everything from customer information to login passwords is left vulnerable and unguarded, just waiting for someone to guess the manager’s “justinbieber4eva” password and gain root privileges.
This is a basic practice that so many have neglected: hash what you can and encrypt everything else. Even smaller businesses that don’t always have access to the same level of cyber talent can get in touch with experts who can help with that sort of thing without much difficulty.
HTTPS
HTTPS came out all the way back in 2000. Nearly 20 years later, insecure transfer protocols are still a serious issue. The sooner each business gets on the bandwagon and hosts their whole website over HTTPS, the sooner we can migrate the majority of the internet to more secure protocols.
The reason it’s important to host the whole website on HTTPS is that leaving portions of the site unencrypted gives attackers an unprotected path into the more sensitive areas. We’re past the point where just encrypting the page where you enter credit card information is good enough. If you have an online presence, it should be hosted on HTTPS. What’s more, keeping keys and certificates in order is also important. The whole system is essentially useless if unscrupulous individuals gain access to a valid certificate and its private key.
Software Updates
The uninitiated think software updates are annoying. The rest of us, though, are well aware that, in many cases, the updates are all that stand between you and the hacker. If you’re one of the enlightened, be sure you’re spreading the word at your company, so that those with administrator privileges are keeping things up-to-date.
If you aren’t aware, here’s your infosec crash course. Software updates do three things: fix bugs, add features, and plug security holes. Without software patches, once a hacker learns to exploit a flaw in the software, there’s nothing stopping them, or anyone they tell about the hole. When developers find these gaps in security, they patch them. You shouldn’t be frustrated that Microsoft or Apple just pushed out another update for the OS. You should be thanking them.
If we, and the businesses we work for, could catch up in these four areas, it would go a long way towards defending against incursion. It’s true that no system is 100% secure. Let’s be honest though; the ones we’ve got now could do a lot better.