This is Part Two of a three-part blog series on virtual security.
The average total cost of a data breach in the U.S. is $3.8 million, according to the 2015 Cost of Data Breach Study conducted by the respected Ponemon Institute.
The following security mistakes are frighteningly common – and could cost you dearly. Read on to find out what they are and what you can do about them before it’s too late.
See Part One for security mistakes #1-3.
Security Mistake #4: Neglecting your Active Directory.
We shared this story in a recent edition of The Vault, but it bears repeating. A few years ago, an enterprise engaged Involta to perform a security assessment. As part of that assessment, one of our security specialists went into the company’s headquarters. In under an hour, with no special equipment, he had a list of 86% of the employees’ passwords.
Including the CEO’s.
The good news: The company recognized the need for stronger security and engaged Involta as a partner. Recently that company aced a third-party security audit.
The reason we were able to grab so many passwords with such ease? The company had never hardened its Active Directory. Active Directory has hundreds of settings covering directory structure, policies and privileges, and some of the ones that matter most (password and lockout policy, who sits in privileged groups) are weak or left at their defaults out of the box. Leave them there and you might as well slap a “Welcome, hackers” sign on the domain.
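One concrete way to check whether domain account policy has ever been touched is to audit the security template behind the Default Domain Policy. The settings live in SYSVOL under the policy’s GUID in a file named GptTmpl.inf, in INI-style [System Access] keys (`secedit /export /cfg` produces the same format for a single machine). The script below is an added example, not Involta’s tooling or anything from the original post: it parses two constructed templates, one at Windows defaults and one hardened, and reports the keys that fall below a baseline. The baseline thresholds (14-character minimum, lockout threshold of 1 to 10) are assumptions chosen for illustration; tune them to your own policy.

```python
"""Audit the [System Access] section of an Active Directory GPO security template.

The Default Domain Policy stores password and lockout settings in
SYSVOL\\<domain>\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\
Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf.  Both samples below are constructed
for this example; the first uses Windows default values.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample at Windows defaults: 7-character minimum, no lockout.
DEFAULT_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed hardened sample: longer minimum, lockout after 10 failures.
HARDENED_INF = DEFAULT_INF.replace(
    "MinimumPasswordLength = 7", "MinimumPasswordLength = 14"
).replace("LockoutBadCount = 0", "LockoutBadCount = 10")


def parse_system_access(inf_text: str) -> Dict[str, int]:
    """Return the integer-valued keys found under [System Access]."""
    settings: Dict[str, int] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip().strip('"'))
        except ValueError:
            pass  # string-valued keys such as NewAdministratorName are not audited here
    return settings


# Assumed baseline (illustrative): key, predicate on the value, finding text.
BASELINE: List[Tuple[str, Callable[[int], bool], str]] = [
    ("MinimumPasswordLength", lambda v: v >= 14, "minimum length below 14"),
    ("PasswordComplexity", lambda v: v == 1, "complexity requirement disabled"),
    ("PasswordHistorySize", lambda v: v >= 24, "history shorter than 24 passwords"),
    ("LockoutBadCount", lambda v: 1 <= v <= 10, "no account lockout (0) or threshold above 10"),
    ("ClearTextPassword", lambda v: v == 0, "passwords stored with reversible encryption"),
    ("LSAAnonymousNameLookup", lambda v: v == 0, "anonymous SID/name translation allowed"),
]


def audit(settings: Dict[str, int]) -> List[str]:
    """Return one finding per baseline key that is missing or fails its check."""
    findings = []
    for key, ok, message in BASELINE:
        if key not in settings:
            findings.append(f"{key}: not set in template")
        elif not ok(settings[key]):
            findings.append(f"{key} = {settings[key]}: {message}")
    return findings


if __name__ == "__main__":
    for name, text in (("defaults", DEFAULT_INF), ("hardened", HARDENED_INF)):
        print(f"--- {name} ---")
        for finding in audit(parse_system_access(text)) or ["no findings"]:
            print(finding)
```

Run it against a real template by reading the GptTmpl.inf from SYSVOL (it is usually UTF-16, so open it with `encoding="utf-16"`). Two findings against the defaults, a 7-character minimum and no lockout, are exactly the kind of never-configured setting that turns a walk-in password-guessing exercise into a short afternoon.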
Security Mistake #5: Trusting antivirus programs to protect you.
Now, regularly updated antivirus protection from a reputable vendor is a solid layer of defense against known malware. But it does not protect you from zero-day exploits – attacks that use vulnerabilities the vendor has not yet patched and for which no signature exists. Nor does it reliably catch new or repackaged malware, much of which slips past signature-based scanning at least at first. Security should be a layered approach, using a number of complementary tools to secure your data.
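To make the limitation concrete, the following added example (constructed for this post, not Involta’s code, and using harmless stand-in byte strings rather than real malware) models two detection layers: an exact-hash signature and a content rule. A one-byte repack of a known sample defeats the hash while the content rule still fires, and a sample with no known indicator at all, the zero-day case, passes both. The names `KNOWN`, `VARIANT`, `NOVEL` and the rule `c2-beacon` are assumptions made for the example.

```python
"""Why one signature layer is not enough: hash signatures, content rules, and the gap.

All samples are constructed byte strings for this example; none is real malware.
"""
import hashlib
from typing import Dict, List

# Constructed samples.  KNOWN stands in for a file a vendor has already seen.
KNOWN = b"MZ\x90\x00" + b"dropper: contact c2.example.invalid and fetch stage2"
VARIANT = KNOWN + b"\x00"          # trivial repack: same behaviour, new hash
NOVEL = b"MZ\x90\x00" + b"something no defender has seen before"

# Layer 1: exact-match hash signatures (the classic AV database).
HASH_SIGNATURES = {hashlib.sha256(KNOWN).hexdigest()}

# Layer 2: content rules keyed on an indicator that survives repacking.
CONTENT_RULES: Dict[str, bytes] = {"c2-beacon": b"c2.example.invalid"}


def hash_layer(sample: bytes) -> bool:
    """True if the sample's SHA-256 is in the signature database."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def content_layer(sample: bytes) -> List[str]:
    """Names of content rules whose byte pattern appears in the sample."""
    return [name for name, pattern in CONTENT_RULES.items() if pattern in sample]


def scan(sample: bytes) -> Dict[str, object]:
    """Run both layers and report what caught the sample, if anything."""
    by_hash = hash_layer(sample)
    by_content = content_layer(sample)
    return {
        "hash": by_hash,
        "content": by_content,
        "detected": by_hash or bool(by_content),
    }


if __name__ == "__main__":
    for label, sample in (("known", KNOWN), ("variant", VARIANT), ("novel", NOVEL)):
        print(label, scan(sample))
```

The variant is the everyday case: attackers repack or pad a known tool and the hash layer goes silent. The novel sample is the zero-day case, where no indicator exists yet and detection alone cannot help, which is why controls that do not depend on recognizing the threat (patching, least privilege, network segmentation, monitoring for anomalous behavior) have to sit alongside the scanner.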
Security Mistake #6: No one “owns” security.
When there’s a critical lack of focus on security in an organization, often it is because no one “owns” security.
If you’re an enterprise, you should have someone identified as your security leader. In most organizations, that’s a CSO or CISO, or sometimes a Director of Security.
Where that person reports is really important. Your security leader should not sit in the same reporting chain as the people who build and run the systems, because then the person judging security is the same person being judged on delivery, an inherent conflict of interest at the top of that chain. When we consult, we advise organizations to have the CSO report to the CEO.
Stay tuned for Part Three of our blog series on virtual security. In the meantime:
- Read this post: Full-Spectrum IT Security [CHECKLIST]
- Watch our Executive Briefing Series
- Check out Involta’s security services, including security assessments and managed security
Involta offers multifactor assessment services designed to test and strengthen your security, including security assessments and vulnerability scans.