Security breaches again made big news in 2014. Yet despite years of headline stories about security leaks and distributed denial-of-service (DDoS) attacks and repeated admonishments from security professionals that businesses (and individuals) needed to do a better job protecting sensitive data, many businesses are still unprepared or not properly protected from a variety of security threats.
Indeed, according to Trustwave's recent 2014 State of Risk Report, which surveyed 476 IT professionals about security weaknesses, a majority of businesses had no or only a partial system in place for controlling and tracking sensitive data.
So, what can companies do to better protect themselves and their customers', sensitive data from security threats? CIO.com queried dozens of security and IT experts to find out. Following are the six most likely sources, or causes, of security breaches and what businesses can, and should, do to protect against them.
Risk No. 1: Disgruntled Employees
"Internal attacks are one of the biggest threats facing your data and systems," states Cortney Thompson, CTO of Green House Data. "Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage," he says. Indeed, "there [were] rumors that the Sony hack was not [carried out by] North Korea but [was actually] an inside job.
Solution: "The first step in mitigating the risk of privileged account exploitation is to identify all privileged accounts and credentials [and] immediately terminate those that are no longer in use or are connected to employees that are no longer at the company," says Adam Bosnian, executive vice president, CyberArk.
"Next, closely monitor, control and manage privileged credentials to prevent exploitation. Finally, companies should implement necessary protocols and infrastructure to track, log and record privileged account activity [and create alerts, to] allow for a quick response to malicious activity and mitigate potential damage early in the attack cycle."
Risk No. 2: Careless or Uninformed Employees
"A careless worker who forgets [his] unlocked iPhone in a taxi is as dangerous as a disgruntled user who maliciously leaks information to a competitor," says Ray Potter, CEO, SafeLogic. Similarly, employees who are not trained in security best practices and have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments pose an enormous security threat to their employers' systems and data."
Solution: "Train employees on cyber security best practices and offer ongoing support," says Bill Carey, vice presdient of Marketing for RoboForm. "Some employees may not know how to protect themselves online, which can put your business data at risk," he explains. So it's essential to "hold training sessions to help employees learn how to manage passwords and avoid hacking through criminal activity like phishing and keylogger scams. Then provide ongoing support to make sure employees have the resources they need."
Sign up for Computerworld eNewsletters.