Since the beginning of Digital Branding Ltd having a strong security at the same time as fast and powerful digital solutions has been our priority.
However, with the experience we have been gaining over the years we have realized that the security of a system does not lie in its strongest component, but in the weakest.
In our case we have been able to see first-hand how the interest in this subject is constantly overeste by users. Without understanding the risks and consequences of failures in the security of your systems and databases.
According to an IBM study, 95% of cybersecurity incidents are due to human error.
Therefore, we bring you the 7 most common mistakes that will help you limit the human error factor drastically.
Not protecting accesses correctly.
Unsecured Passwords
Do not encrypt the Hard Drives of computers
Not having Physical Security measures
Do not protect our equipment in-itinere
Connect to unsecured networks
Firewalls, VPNs and other protection measures
Relying on unsafe sources
Do not segment the information that employees have access to according to their need
Do not audit accesses and systems on a regular basis
Do not update security systems/software
Not trainig employees
Not knowing the risk of information
1. Not protecting accesses correctly
Properly protecting the accesses is something vital, having a complex and robust padlock is useless if the key capable of opening it is at the hand of the thief.
Weak passwords
One of the most important keys lies in using weak passwords.
From Digital Branding we recommend hiring a password management service. In this way we only have to remember a password. This must contain 12 characters and a combination of letters, numbers, and symbols.
In this way with a password manager we can define for all our accesses random passwords generated automatically with some tool. They could be up to 20 characters, different from each other and we would not have the need to remember them since that is what the password manager exists for.
Do not encrypt computers hard drives
We can consider it as the process by which readable information is transformed, by an algorithm, into unreadable and a special "key" is needed to decode it. This mechanism allows us to isolate our information from strangers and minimize the unwanted consequences they can generate.
Do not protect our equipment in-itinere
Although it can be easily overvisto, the physical theft of devices is more frequent than we think, with increasingly lighter devices, portable and with a black market with an extraordinary demand, we must take care of this aspect.
Monitoring our devices in public areas is crucial, as is taking care of the physical security of our facilities. Having the disk encrypted can be very useful, since in case of stealing the hard drive access to the information is greatly complicated.
Connect to unsecured networks
In many cases the network structure that we find from our customers is not the indicated one. We must bear in mind that the different networks that we have in our company must not have the ability to communicate with each other, they must be isolated.
In addition, it is important to review the external networks to which we connect since a network with a security that does not equal the minimum requirements according to current standards can facilitate that with a simple computer you can monitor our activity, impersonate the credentials of the server and access the data of ourcomputer.
Firewalls. VPNs and other protective measures.
A firewall is a network security appliance that monitors inbound and outbound traffic and decides whether to allow or block specific traffic based on a set of security restrictions already defined.
Firewalls have been the first line of defense in network security for more than 25 years. They establish a barrier between secure, controlled and reliable internal networks and unreliable external networks such as the Internet.
A VPN (virtual private network) is a technology that uses the Internet to connect to a specific location and thus be able to access certain services. This connection to the network can occur in several ways, but it generally uses encryption as a mechanism to secure communication between the user and the server.
2. Relying on unsafe sources
The first thing we must do is verify the source from which we receive the information we are going to open, share, download...At this point we will analyze common techniques of cyberattacks that use masked pages, malicious content and so on.
Open unsafe files sent by email and other sources
Phishing is one of the most common password theft techniques since recent years. Relying on the goodwill of users is often the most effective way to steal access to passwords.
Phishing is a cybercrime technique that uses fraud, deception, and cheating to manipulate its victims into revealing sensitive personal information.
A phishing attack has three components:
The attack is carried out using electronic communications, such as an email or a phone call.
The attacker impersonate a trusted person or organization.
The goal is to obtain sensitive personal information, such as login credentials or credit card numbers.
In the event that we must download a file or program and we do not know its source or its nature, it is advisable to do it in a virtual machine.
Connect to unsecured URLs and enter data
Like the previous point, knowing the direction we are going to access is of vital importance. The possible warnings that your browser may give about a page should never be ignored without knowledge.
Check the SSL certificate on the padlock at the beginning of the URL
Check if it's an ad: it searches for paid search engine results; the ads that appear at the top of the results pages.
Read the home page: take two minutes to review the website. Don't fall for the tricks of application forms before reading the full text. Sometimes, they even warn that the site is not the official one.
Check the web address: that a website ends up in .org does not guarantee that it is official. For example, in the case of the UK it should be gov.uk rather than org.uk.
https vs http: although it is not always a guarantee, you can check the "http" that appears at the beginning of the website address. If you are entering personal information, "https" serves as a form of encryption to protect your personal data, as opposed to "http".
3. Do not audit roles in the company.
To facilitate risk control within a company it is essential to restrict access to certain information according to the role of each one within the company.
The information that each member can access should be only that which is essential for the performance of his or her function.
4. Do not audit accesses and systems on a regular basis.
Maintaining accesses that we have, of the keys, is also an important aspect. It may be tedious, but it is a key pillar. We need to review employees' access to data, how they access it, and how often passwords are changed.
In addition, we must review the strength of these passwords.
Ex-employee password
The departure of a team member can be a sad thing after years of working together, with the confidence that these years bring. However, we must be strict about the procedure when an employee is no longer part of our company.
Your accounts and passwords must either be deregistered or changed. This will not only help prevent a pernicious information breach, but also in case your computer or passwords can be compromised, we will continue to be exposed to these dangers.
Periodic pentesting
How many times have you tried to verify the security of your accesses?
If the answer is never, you will be included in most of the members that make up the business fabric in Spain, auditing and trying to exploit the accesses to our networks is a key piece.
If we do not have enough experience to perform this type of testing we can hire an external expert to evaluate the security of our systems.
5. Do not update security systems/software
Software updates are often seen as tedious, cumbersome, and cumbersome. However, these usually bring improvements in the area of security, as the company that provides these updates detects new access failures. That is why it is essential to have the software updated to the latest stable version.
The same happens with the obsolescence of certain physical devices, we can find design flaws that have been improving over time that allowed important vulnerabilities that have been corrected in subsequent versions.
It is vital to try to update both hardware and software, not only to increase the protection of our information, but to be able to experience the performance improvements that such updates often provide.
6. Not training employees
There is no point in being aware of the risks and knowing what they are, if only a very small part of the company knows about these risks.
Training is not only good for the company, but also for the employees. It is often considered as an extra value that the company provides us.
7. Not knowing the risks of the information we handle
Network security is not 100% effective. Although we can greatly limit the risks, in matters of computer security we can never have the guarantee that our system is impenetrable.
It is essential from a strategic point of view to draw up the appropriate procedures in the event that such information is leaked.
To do this we must answer several questions:
What information has been exposed?
What is the value and nature of this information?
Do we know the extent of the impact of such filtering?
What plan to notify users according to the legal policies do we have?
How can we prevent this from happening again?
The 7 deadly sins of security