The General Data Protection Regulation (GDPR) comes into effect in the UK in May 2018. From then on, organisations that suffer a security breach will have 72 hours from discovering it to notify their local data protection authority. Staff will therefore need a better understanding of what a data breach is and how to spot one.
Weak user credentials
A common misconception among users is that choosing a weak password only affects them and nobody else on the network. In practice, a weak password is often an attractive entry point for an opportunist attacker, because one compromised account gives a foothold into shared systems. Systems administrators should send out password reset reminders regularly and encourage staff to use strong passwords that they have not used for any other system. If employees are allowed to choose or change their own passwords, do not allow passwords that contain their first name, surname or date of birth, and require a mixture of letters, numbers and symbols.
Remember, not everyone in an organisation will be tech savvy, and they may not realise the risk they are creating by storing such information in ‘memorable’ places (such as post-it notes that get passed around the office, or Notepad files titled ‘passwords’ that get shared via email…). Provide a secure, approved place for employees to store passwords, such as a password manager, so that they have no need to fall back on unsafe alternatives.
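The password rules described above can be enforced at the point where a user sets or changes a password. The following is an added example, not code from the original article or from King of Servers; it implements the stated rules (no first name, surname or date of birth in the password; a mix of letters, numbers and symbols; no reuse of a password the user has already used elsewhere). The reuse check compares against a salted, slow hash of earlier passwords rather than storing them in clear text; the salt value, sample names and date of birth are constructed for the demonstration.

```python
import hashlib
import re
from datetime import date

# Characters counted as "symbols" for the policy (assumption: any of these qualifies).
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")


def history_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of a password for the reuse check.

    A leaked history file therefore does not reveal the old passwords themselves.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_problems(password: str, first_name: str, surname: str,
                      date_of_birth: date, salt: bytes = b"",
                      previous_hashes=()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()

    # Rule: the password must not contain the user's first name or surname.
    for label, fragment in (("first name", first_name), ("surname", surname)):
        if fragment and fragment.lower() in lowered:
            problems.append(f"contains the user's {label}")

    # Rule: the password must not contain the date of birth, in the forms a user is
    # likely to type it (day-month-year with and without separators, or the bare year).
    dob_forms = {
        date_of_birth.strftime("%d%m%Y"),
        date_of_birth.strftime("%d%m%y"),
        date_of_birth.strftime("%Y%m%d"),
        date_of_birth.strftime("%Y"),
        date_of_birth.strftime("%d/%m/%Y"),
        date_of_birth.strftime("%d-%m-%Y"),
    }
    if any(form in password for form in dob_forms):
        problems.append("contains the user's date of birth")

    # Rule: a mixture of letters, numbers and symbols is mandatory.
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not any(ch in SYMBOLS for ch in password):
        problems.append("no symbols")

    # Rule: no reuse of a password already used on another system.
    if previous_hashes and history_hash(password, salt) in previous_hashes:
        problems.append("reused from a previous system")

    return problems


if __name__ == "__main__":
    # Constructed sample user and password history.
    dob = date(1990, 3, 14)
    salt = b"constructed-salt-value"
    history = [history_hash("Tr0ub4dor&3", salt)]
    for candidate in ("password", "Smith2024!", "x14031990!", "Tr0ub4dor&3", "correct-Horse7%battery"):
        verdict = password_problems(candidate, "Alice", "Smith", dob, salt, history) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The function returns every violation rather than stopping at the first, so the user can be told exactly what to change; the salt would normally be stored per user alongside the history hashes.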
Lost or stolen devices
With more organisations adopting remote working, whether that be entirely or partially, it can be incredibly challenging for the IT department to keep an accurate record of the different devices accessing the network and systems remotely.
Organisations should implement a bring your own device (BYOD) policy that sets out the rules for employees who use company systems on their personal mobile devices. For example, IT staff may need permission to access certain apps on an employee’s phone, and may need to wipe data from those apps if the device is lost or stolen so that the information does not fall into the wrong hands. All of this needs to be communicated to employees who adopt BYOD before the policy is implemented.
Using outdated operating systems
One of the most common security risks occurs when organisations continue to use software that has been discontinued by the vendor. For instance, Microsoft ended support for Windows XP in 2014, yet many organisations continued to use the software. This poses a huge security risk as Microsoft no longer issues updates, including security ones, for the software.
Organisations should upgrade their software to a supported version as soon as a vendor announces that support will be discontinued.
Poor user education
Even the most robust security software can’t provide 100% protection from a security breach. Improving employee education on matters of IT security, however, can help. If an employee is not aware of the latest phishing email scams, they may open an email and click a link or download an attachment that installs malware or viruses onto the user’s computer and compromises the entire network.
IT staff should encourage an environment in which they share news of the latest security scams and educate employees on how to spot and avoid them.
SQL injections
SQL injections, which exploit flaws in the code that builds database queries from user input, are one of the most common and dangerous types of security risk to an organisation. If an attacker executes one successfully, they can gain access to an organisation’s entire database, and if they obtain administrator-level access they are free to modify and delete information.
Using parameterised queries and limiting the permissions of the database account the application uses are straightforward ways of reducing this vulnerability.
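The two mitigations named above can be seen side by side in a small program. This is an added example, not code from the article or from King of Servers; it uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows. The vulnerable lookup builds its query by string concatenation, the hardened one passes the username as a parameter, and the `PRAGMA query_only` connection stands in for the read-only account a real database server would grant the application.

```python
import sqlite3

# Constructed sample data for the demonstration.
ROWS = [
    ("alice", "alice@example.com", "staff"),
    ("bob", "bob@example.com", "staff"),
    ("carol", "carol@example.com", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user's input is spliced into the SQL text, so the
    database parses it as part of the query rather than as a value."""
    sql = "SELECT username, email, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the query text is fixed and the input is bound as a parameter,
    so whatever the user typed is only ever compared as a string value."""
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def make_readonly(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Least-privilege stand-in: on a real DBMS the application account would be
    granted SELECT only; SQLite's query_only pragma refuses writes on this connection."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def attempt_delete(conn: sqlite3.Connection) -> str:
    """Try to delete every row; report whether the database allowed it."""
    try:
        conn.execute("DELETE FROM users")
        return "deleted"
    except sqlite3.OperationalError:
        return "refused"


def demo() -> dict:
    """Run both lookups against a normal username and a classic tautology input."""
    conn = make_db()
    normal = "alice"
    # Textbook injection input: closes the quoted string and appends an always-true condition.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_normal": lookup_parameterised(conn, normal),
        "param_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
    print("delete on read-only connection:", attempt_delete(make_readonly(make_db())))
```

Running it shows the concatenated query returning every row for the hostile input while the parameterised query returns none, and the read-only connection refusing the delete even though the SQL itself is valid: the first mitigation stops the injection, the second limits the damage if one slips through elsewhere.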
One of the best ways to guard against the different types of vulnerability is to carry out regular security audits. These help IT staff identify weak areas within the organisation and act on them before a breach happens.
King of Servers sells a range of network security products, including firewalls, to help organisations protect their data and prepare for GDPR.
By Albie Attias, managing director of IT hardware supplier King of Servers.