Keeping your network safe is one of the most important things you can do for your business, especially for organizations that collect customer data. Of course, there are areas that might be missed, and we will be reviewing some of these commonly missed areas. Obvious holes such as not having a firewall wonât be addressed, though of course you should certainly have a firewall.
Itâs easy to forget about your hardware and leave it be, running on an operating system that had been around during a previous US presidentâs administration simply because it seems to be working. While the application itself might be functioning, at a security level you've basically given hackers and other malicious entities the key to the city if said ancient OS is XP, and the day of reckoning isn't far off if it is Server 2003. Most attacks and exploits take advantage of older code to get into your system and steal data and cause other types of havoc. The same thing applies to the age of the actual server - older servers might simply be drawing power because their 'application' might not even be used anymore, causing more work for updates, and increasing your bill while a newer machine can function for multiple older ones by leveraging virtualization.
Having an unsecured server holding any type of confidential data, even a server that never connects to the internet, is a horrible idea. Just because the server canât be attacked from the web (in theory) doesn't mean that a physical attack in the real world wonât break into your data. Even if the physical threat were the only threat is reason enough to protect these machines, but if any internet-connected machines do talk to this server, then attackers can steal data through man-in-the-middle attacks and steal data while it is transmitted or downloaded from the server in question. Of course, hackers could also crack into the accessing PC/Tablet/Mobile getting the data from the server and take over that piece entirely, giving them another way to get to this defenseless server. Itâs just not a good idea.
Not testing the network
Letâs say that you have done everything by the book - installed a firewall, everything is secured, and as far as you can tell everything is done. Itâs time to go out, enjoy the fact that you are safe and celebrate, right? Wrong - work in the security field is never truly done. Updates come out constantly for various pieces of software, and while a network configuration was ideal when you first installed everything, something might have broken as adjustments are made over time. Itâs important to constantly check your work and try to break in yourself (or hire a consultant to do it for you) to make sure that every door is locked and there is no way to get in, aside from stealing someoneâs credentials and getting the key anyway. On that noteâ¦
Educate your StaffSocial engineering, phishing attacks, and all the other nasty elements of the world of malware can easily rear its ugly head among staff members who donât know or understand that the nice prince from Nigeria trying to give them millions of dollars is really a fraud. Educate your team about these types of attacks, encourage them to use VPN access to access any files out of the office, and show them how to use encryption for sensitive data. Employees should also be encouraged to share with IT whenever they get odd emails or phone calls, or find anything on the web that could be disruptive. You can have all the walls in the world protecting your data, but if someone has the golden ticket to get inside thanks to a duped employee than none of it really matters. If you are in the IT industry and provide managed services to your clients, all of this should be communicated to the client-base as well.