
Chris Ellingwood

The Top 10 Information Security Risks for 2015


For our annual “Top 10 List of IT Security Risks,” we focus on the perimeter of your network and monitoring controls. Securing your systems and, more importantly, monitoring them for suspicious activity reduces your risk of breaches. Developing an enterprise-wide approach to data security, supported by management, is the best way to protect your business in 2015.

This year’s Top 10 security risks:

  1. Overreliance on security monitoring software: The good news is that many organizations are beginning to actively monitor their networks in response to the data breaches of 2014. Third-party vendors offer Security Information and Event Management (SIEM) software that you can purchase, install, and use to seemingly monitor the entire network with one tool. The bad news is that these tools require considerable customization and ongoing management to work effectively: every one of your network devices needs to be able to connect to and communicate with the software. One tool may not do it all, so be careful of putting all your eggs in one basket. Mitigation strategy: Understand and use a diverse portfolio of monitoring tools.
  2. Inadequate system logging: Software and network devices allow for incident and event logging. However, people often do not enable the logging option, and where it is enabled, the logs are frequently neither retained nor reviewed by management. Yes, logging can be a tedious process, and when not configured correctly, logs can bog down your email inbox. Mitigation strategy: Consider third-party software that refines the logging process and alerts your personnel to significant incidents and events. Combined with a well-managed SIEM tool (see the caveat above), strong logging practices help diversify your system defenses.
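The point of item 2 is that logs only reduce risk when someone turns them into a short list of events worth acting on. The following is an added example, not code from the article or from BerryDunn, of a minimal log-review pass: it parses authentication log lines and raises alerts only for repeated failed logins from one source (and any success that follows them), changes to privileged group membership, and a cleared audit log. The log lines, host names, user names, thresholds and group names are all constructed for the example.

```python
"""Added example: turn raw authentication log lines into a short list of
significant events instead of forwarding every line to an inbox.
All sample lines, hosts, users and thresholds below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like layout (hypothetical hosts/users).
SAMPLE_LOG = """\
2015-01-12T08:01:10 fs01 sshd: Failed password for admin from 10.0.5.23
2015-01-12T08:01:14 fs01 sshd: Failed password for admin from 10.0.5.23
2015-01-12T08:01:19 fs01 sshd: Failed password for admin from 10.0.5.23
2015-01-12T08:01:22 fs01 sshd: Failed password for admin from 10.0.5.23
2015-01-12T08:01:27 fs01 sshd: Failed password for admin from 10.0.5.23
2015-01-12T08:01:31 fs01 sshd: Accepted password for admin from 10.0.5.23
2015-01-12T08:15:00 dc01 security: User jdoe added to group Domain Admins
2015-01-12T09:30:45 ws07 sshd: Failed password for bob from 10.0.7.8
2015-01-12T11:02:03 dc01 security: The audit log was cleared by jdoe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
GROUP_RE = re.compile(r"User (?P<user>\S+) added to group (?P<group>.+)$")

FAIL_THRESHOLD = 5                 # assumed: failures per source before alerting
FAIL_WINDOW = timedelta(minutes=5) # assumed: sliding window for those failures
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_line(line):
    """Split one log line into timestamp, host, source and message."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are counted, not silently dropped
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_log(text):
    """Return a list of (severity, description) alerts for the log text."""
    alerts = []
    failures = defaultdict(list)   # (host, user, ip) -> recent failure times
    brute_forced = set()           # keys that already crossed the threshold
    unparsed = 0
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        ts, msg = ev["ts"], ev["msg"]
        m = FAILED_RE.search(msg)
        if m:
            key = (ev["host"], m["user"], m["ip"])
            window = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
            failures[key] = window
            if len(window) >= FAIL_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                alerts.append(("high", f"{len(window)} failed logins for {key[1]} "
                                       f"on {key[0]} from {key[2]} within {FAIL_WINDOW}"))
            continue
        m = ACCEPTED_RE.search(msg)
        if m:
            key = (ev["host"], m["user"], m["ip"])
            if key in brute_forced:
                alerts.append(("critical", f"successful login for {key[1]} on {key[0]} "
                                           f"from {key[2]} after repeated failures"))
            continue
        m = GROUP_RE.search(msg)
        if m and m["group"] in PRIVILEGED_GROUPS:
            alerts.append(("high", f"{m['user']} added to privileged group "
                                   f"{m['group']} on {ev['host']}"))
            continue
        if "audit log was cleared" in msg:
            alerts.append(("critical", f"audit log cleared on {ev['host']}: {msg}"))
    if unparsed:
        alerts.append(("info", f"{unparsed} log line(s) could not be parsed"))
    return alerts


if __name__ == "__main__":
    for severity, description in review_log(SAMPLE_LOG):
        print(f"[{severity.upper()}] {description}")
```

Run against the sample, this yields four alerts (the single failure for `bob` stays below the threshold and is not reported), which is the volume a reviewer can actually act on; note that unparseable lines are reported rather than discarded, since a silent parsing gap is itself a logging failure.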
  3. Technology innovations that outpace security: Consumer demand for the latest and greatest software package often drives developers to take shortcuts, reuse outdated code, or skip full testing of new products in order to get them to market. The result can be software put into production before it has been sufficiently vetted for security vulnerabilities or system compatibility. Organizations that adopt the most recent version of a product should test it extensively before installing it on production systems. Mitigation strategy: Follow a “non-first adopter” policy and allow the software to prove itself for six months to a year before using the product. For organizations that develop software, we encourage you to keep a specific focus on security from the start of the development process.
  4. Outdated operating systems: Related to #3 above, older versions of software do eventually become unsupported by the vendor. Vulnerabilities may go unpatched, and they’re often the first spot hackers will focus on when trying to obtain access to your systems. One such vulnerability is the continued use of Windows XP. It went into unsupported status in April 2014, yet an unsettling number of businesses still rely on XP as their main workstation operating system. Similarly, Windows Server 2003 is scheduled to go into unsupported status starting July 2015; it is also heavily used in the business segment. Mitigation strategy: Track and plan for these major system changes to prevent systems from running unsupported software.
  5. Lack of encryption: The first line of defense for preventing unauthorized access to your data is to protect it both at rest and in transit. Removable media (USB thumb drives, CDs, etc.) should not accept data unless the user creates an encrypted folder on the device or encrypts the entire device. Mitigation strategy: Use third-party software tools to aid with encryption. These tools can scan outbound emails for sensitive data and require the sender to use a secure file-transfer site or to encrypt the data before transmission. Laptop hard drives should have full-disk encryption that only unlocks the data after a user successfully logs into the device.
  6. Data on user-owned mobile devices: The battle between company-owned devices and user-owned devices will continue in 2015. Employees increasingly want to use their own mobile devices, such as tablets and smartphones, to access your systems over the Internet. Mitigation strategy: Third-party applications allow each user to have a “sandbox” of data (a secured segment of your organization’s information accessible from the mobile device), including email and files stored in a secure directory on your organization’s system. Employees should only be allowed to gain access through usernames, passwords, and possibly two-factor authentication. If the mobile device is lost or stolen, your organizational data remains on your network and not on the device, reducing the risk of lost or breached data.
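Item 5 describes tools that scan outbound email for sensitive data and hold the message until it is encrypted. As an added example (not code from the article or from any vendor product it alludes to), the following shows the core of such a check: candidate card numbers are confirmed with the Luhn checksum so that random digit runs do not trigger false positives, US Social Security Number layouts are matched by pattern, and a message containing either is held unless it was encrypted. The patterns, the sample messages and the policy decision are constructed for the example; a production data-loss-prevention tool uses a far richer rule set.

```python
"""Added example: an outbound-mail check that finds sensitive data and
requires encryption before the message leaves. Patterns, sample messages
and policy are constructed for illustration."""
import re

# Candidate payment card numbers: 13-16 digits, optionally separated by
# single spaces or dashes. Luhn validation below filters random digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US Social Security Number layout (3-2-4 digits).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text):
    """Return (kind, last_four) tuples; only the last four digits are kept so
    the finding itself does not leak the full value into alert logs."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(("card_number", digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[-4:]))
    return findings


def outbound_policy(message, encrypted=False):
    """Decide whether an outbound message may be sent as-is.

    message: dict with optional "subject" and "body" strings (constructed shape).
    encrypted: whether the sender already applied message encryption.
    """
    findings = (find_sensitive_data(message.get("subject", ""))
                + find_sensitive_data(message.get("body", "")))
    if not findings:
        return {"action": "send", "findings": []}
    if encrypted:
        return {"action": "send", "findings": findings}
    return {"action": "hold",
            "reason": "sensitive data present; encrypt or use the secure transfer site",
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample message with a well-known test card number.
    sample = {"subject": "invoice", "body": "card 4111 1111 1111 1111 exp 12/17"}
    print(outbound_policy(sample))
    print(outbound_policy(sample, encrypted=True))
```

The Luhn step is what separates a usable check from a noisy one: a 16-digit invoice reference or a phone number with a few extra digits fails the checksum and is ignored, while a genuine card number is held. Keeping only the last four digits in the finding matters as well, because the alert record is itself a place sensitive data can leak.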
  7. IT “diplomatic immunity” within your organization: We often see members of IT management and system administrators who feel exempt from the system access requirements detailed in their organization’s policies (non-expiring passwords, for example). These IT employees may reason that they have already been vetted. But their accounts also tend to carry high levels of access and permissions, which makes them high-value targets for hackers. Mitigation strategy: Complete user reviews of accounts and settings at least twice per year. To run this review, use a member of the security or audit team, or another qualified person outside of IT, to help verify that all personnel comply with IT policies.
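The twice-yearly account review in item 7 is easiest to hand to someone outside IT when it is a repeatable script run over an exported account list. The following is an added example, not code from the article or from BerryDunn: it reads a constructed CSV export, applies constructed policy values (maximum password age, a stale-logon threshold and a set of privileged groups), and reports exactly the exceptions the item describes, such as privileged accounts whose passwords never expire, plus two related ones a reviewer would want flagged (privileged accounts that have gone unused, and disabled accounts that still hold privileged group membership). The column names and account names are invented; a real directory export would need its columns mapped to these.

```python
"""Added example: a semi-annual account review over an exported account list.
The CSV layout, policy values, review date and accounts are constructed."""
import csv
import io
from datetime import date, timedelta

# Constructed export; in practice this comes from the directory service.
ACCOUNT_EXPORT = """\
username,enabled,password_never_expires,password_last_set,last_logon,groups
jdoe,true,false,2014-12-01,2015-01-10,Domain Users
sysadmin1,true,true,2012-03-15,2015-01-11,Domain Users;Domain Admins
cio,true,true,2013-08-20,2015-01-09,Domain Users;Administrators
svc_backup,true,true,2014-11-30,2015-01-11,Domain Users;Backup Operators
oldadmin,true,false,2014-01-05,2014-06-30,Domain Users;Domain Admins
contractor,false,false,2014-05-01,2014-05-02,Domain Users;Domain Admins
"""

# Assumed policy values for the example; substitute the organisation's own.
POLICY = {
    "max_password_age_days": 90,
    "stale_logon_days": 60,
    "privileged_groups": {"Domain Admins", "Enterprise Admins",
                          "Administrators", "Backup Operators"},
}
REVIEW_DATE = date(2015, 1, 12)   # constructed date of this review run


def load_accounts(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["password_never_expires"] = row["password_never_expires"].strip().lower() == "true"
        row["password_last_set"] = date.fromisoformat(row["password_last_set"])
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        row["groups"] = set(g for g in row["groups"].split(";") if g)
        rows.append(row)
    return rows


def review_accounts(accounts, policy, today):
    """Return (username, finding) pairs for every policy exception."""
    findings = []
    max_age = timedelta(days=policy["max_password_age_days"])
    stale = timedelta(days=policy["stale_logon_days"])
    for a in accounts:
        privileged = bool(a["groups"] & policy["privileged_groups"])
        if not a["enabled"]:
            # Disabled accounts are usually skipped; privileged ones should
            # still have their group membership removed.
            if privileged:
                findings.append((a["username"],
                                 "disabled account still holds privileged group membership"))
            continue
        if a["password_never_expires"]:
            findings.append((a["username"], "password set to never expire"
                             + (" (privileged)" if privileged else "")))
        elif today - a["password_last_set"] > max_age:
            findings.append((a["username"], f"password older than {max_age.days} days"))
        if privileged and today - a["last_logon"] > stale:
            findings.append((a["username"],
                             f"privileged account unused for over {stale.days} days"))
    return findings


def run_review():
    """Run the review on the constructed export with the constructed policy."""
    return review_accounts(load_accounts(ACCOUNT_EXPORT), POLICY, REVIEW_DATE)


if __name__ == "__main__":
    for username, finding in run_review():
        print(f"{username}: {finding}")
```

On the sample data the administrator accounts with non-expiring passwords are reported explicitly as privileged, so the reviewer can see at a glance which exceptions carry the most risk; the ordinary user `jdoe`, who follows policy, produces no finding.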
  8. Lack of management support: The values that create a strong security environment should come from management and be considered a part of the organization’s culture. Investing in IT security early on will reduce the costs to both your organization’s finances and reputation if a breach were to occur. Mitigation strategy: Educate and encourage members of management who understand the need to protect systems and are able to communicate that need throughout the organization.
  9. Challenges recruiting and retaining qualified IT staff: Finding and keeping qualified security professionals is becoming difficult as demand for dedicated IT security departments within companies and organizations increases. We have seen aggressive recruiting by competing companies within the same geographic area. Heavy turnover in IT security diminishes an IT team’s effectiveness, as new personnel must learn the systems, organizational culture, and business processes before they can fully grasp the organization’s risks. Mitigation strategy: Focus on capabilities, training, and retention to reduce turnover and develop a strong IT security team.
  10. Segregation of duties: In accounting, the proper segregation of duties is a cornerstone concept. Our IT auditors see a strong need for the same concept to be embedded into IT departments. The umbrella IT security strategy and responsibility should not fall solely to a Systems Administrator or Chief Information Officer with many other duties and potentially conflicting interests. Mitigation strategy: Security should belong to a dedicated role, such as a Security Analyst or Chief Information Security Officer. In some situations, IT security is independent of the IT department and reports directly to a board or Chief Executive Officer, much as an internal audit department would do, to allow for independent assessments, objective monitoring of systems, and the ability to report without prejudice. For more on how this organizational principle can help protect you, read a related article on our website, “Why Your Organization Needs a C-Level Information Security Officer.”

If you would like help mitigating any of these IT security risks, contact BerryDunn’s IT assurance service experts. We wish you a safe, secure, and fraud-free new year!