The global damage of cybercrime has risen to an average of $11 million per minute.
The costs of falling victim to a cyberattack can include loss of business, productivity losses, reparation costs for customers that have had data stolen, and more. Sixty percent of small and mid-sized companies close their doors within six months of a data breach because they can't afford the costs.
You may think that this means investing more in cybersecurity. Indeed, businesses need appropriate IT security safeguards (anti-malware, firewall, etc.). However, many of the most damaging breaches are due to common cybersecurity mistakes that companies and their employees make.
For over 25 years, WEBIT Services has helped hundreds of clients build effective IT strategies and security practices.
By reading this article, you will learn five preventable cybersecurity mistakes and why they matter.
5 Preventable cybersecurity mistakes
The 2021 Sophos Threat Report, which looked at thousands of global data breaches, found that "everyday threats" were some of the most dangerous. The report stated, "A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we've investigated."
Here are five common missteps regarding basic IT security best practices.
1. Not implementing multi-factor authentication (MFA)
Not protecting your user logins with multi-factor authentication is a common mistake that leaves companies at a much higher risk of security breaches.
According to IGM Security, credential theft has become the top cause of data breaches worldwide. With most company processes and data now being cloud-based, login credentials hold the key to multiple types of attacks on company networks.
MFA reduces fraudulent sign-in attempts by a staggering 99.9%.
2. Ignoring the use of Shadow IT
Shadow IT occurs when employees use cloud applications that the company hasn't approved.
Shadow IT use leaves companies at risk for several reasons:
- Data may be used in a non-secure application.
- Data isn't included in company backup strategies.
- If the employee leaves, the data could be lost.
- The app being used might not meet company compliance requirements.
Employees often begin using apps independently because they're trying to fill a gap in their workflow and are unaware of the risks involved with using an app that their company's IT team hasn't vetted.
It's essential to have cloud-use policies that clearly explain the applications that can and cannot be used for work.
3. Using only an antivirus application
No matter how small your business, a simple antivirus application is not enough to protect you.
Many of today's threats don't use a malicious file at all.
Phishing emails often deliver commands that run through legitimate system tools on the PC, so nothing gets flagged as a virus or malware. Phishing also frequently uses links rather than file attachments to send users to malicious sites, and those links won't be caught by a simple antivirus solution.
You need to have a multi-layered strategy in place that includes tools like:
- Next-gen anti-malware (uses AI and machine learning)
- Next-gen firewall
- Email filtering
- DNS filtering
- Automated application and cloud security policies
- Cloud access monitoring
4. Not having device management in place
After the pandemic, a majority of companies around the world have had employees working remotely from home. However, device management for remote employee devices hasn't always been put in place.
If you're not managing security or data access for all the endpoints (company and employee-owned) in your business, you're at a higher risk of a data breach.
If you don't have one already, it's time to implement a device management application like Intune in Microsoft 365.
5. Not providing adequate IT security training
An astonishing 95% of cybersecurity breaches are caused by human error. But unfortunately, too many companies don't take the time to train their employees in solid cybersecurity practices regularly. In turn, users haven't developed the skills needed for a culture of good cybersecurity.
Employee IT security awareness training should be done throughout the year, not just annually or during an onboarding process. The more you keep IT security front and center, the better equipped your team will be to identify phishing attacks and follow proper data handling procedures.
Some ways to infuse cybersecurity training into your company culture include:
- Short training videos
- IT security posters
- Team training sessions
- Cybersecurity tips in company newsletters
Next steps for building more effective IT security
As cybersecurity risks grow, it's important to employ effective security tools and practices and update them as necessary. Otherwise, your company may create preventable vulnerabilities and expose itself to unnecessary risks.
Some common cybersecurity mistakes include:
- Not implementing multi-factor authentication
- Ignoring the use of Shadow IT
- Using only an antivirus application
- Not having device management in place
- Not providing adequate IT security training
If you are unsure of your organization's email security tools or practices, talk to your IT provider or internal IT team.
If you don't currently have security tools or practices, your IT provider or team can help you find ones that will best meet your company's security needs.
If your IT provider or team does not know what tools you're using, does not encourage their use, or refuses to follow the security practices outlined by a security framework, it may be time to reconsider the partnership.
WEBIT Services has established cybersecurity practices rooted in frameworks for hundreds of clients. In addition, it is passionate about education and effective cybersecurity.
If you are looking for a new provider or have questions about cybersecurity, schedule a free 30-minute consultation to see how WEBIT can help.
If you are not ready to make a commitment but want to learn more about cybersecurity, we recommend the following articles: