For much of the past decade, the biggest security mistakes have boiled down to fumbling some basic tech security practices.
Find out what these mistakes are and how to mitigate your risk.
1. Falling Victim To Phishing
The biggest security breach in history, targeted at Yahoo, affected more than 3 billion accounts in total.
Russian agents hired hackers to infiltrate Yahoo’s user database that contained:
- Names
- Phone numbers
- Password challenge questions and answers
- Password recovery emails
- A cryptographic value unique to each account
The Russians used this information to access certain accounts.
CSO’s analysis of FBI documents reveals that the Russians did this by sending a spear-phishing link via email.
“It's unclear how many employees were targeted and how many emails were sent,” CSO writes, “but it only takes one person to click on a link, and it happened.”
A business’s employees must be aware of phishing attacks and how to avoid them.
2. Not Having Robust Security Practices
Former Equifax CEO Richard Smith testified before the Digital Commerce and Consumer Protection committee that one person was responsible for the data breach that exposed the Social Security numbers and driver’s licenses of 143 million people in 2017.
He said that on March 8, a team noticed “the need to patch a particular vulnerability.” The company then sent an email to the appropriate personnel responsible for deploying the software upgrades within 48 hours.
“The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices,” writes Sarah Buhr at TechCrunch.
Regardless of how the breach happened, there are two important takeaways about the Equifax breach.
First and foremost, have a security plan at your organization. Secondly, if the lack of patch deployment was the culprit, that points to the need for applying timely software updates.
3. Failing To Enable Multifactor Authentication
The Guardian broke the news in 2016 that hackers had access to the following data belonging to Deloitte’s 350 clients:
- Usernames
- Passwords
- IP addresses
- Architectural diagrams for businesses
- Health information
The hackers exploited an administrator’s lack of multifactor authentication, also known as two-factor authentication or 2FA. “The account required only a single password,” says The Guardian.
Credential theft is preventable by enabling multifactor authentication.
4. Being Non-Compliant
In 2008, hackers stole more than 130 million credit and debit card numbers from payroll processing company Heartland Payment Systems.
The fallout from this breach continues more than a decade later. Dark Reading reports that two insurers have sought restitution from the security vendor who certified Heartland as PCI DSS-compliant.
In 2009, a Visa executive challenged Heartland’s compliance, saying that a compliant business had never been breached. Visa even investigated Heartland and found multiple violations.
Overall, you can do a few things to mitigate security risks for your business.
- Draft stringent security policies.
- Educate your team about phishing and other social engineering strategies.
- Enable multifactor authentication.
- Ensure compliance.
Rise above these tech security mistakes.