5 IT Security Mistakes That Businesses Often Make
Computing technologies are constantly changing. Securing IT systems in this environment is challenging, especially for small and midsize businesses. They often do not have the time or resources to keep up with technological changes, the latest security threats, and the best ways to mitigate those threats. As a result, they often slip up when it comes to IT security.
Here are five IT security mistakes that small and midsize businesses often make and how to avoid them:
1. Not Using Anti-Malware Software
With 600 million malicious programs in existence, not having anti-malware software installed on all the computers in a business is extremely risky. Anti-malware software provides an important line of defence against cyber attacks and is designed to stop malicious code from running on computers. While it won’t stop zero-day malware attacks (i.e., attacks involving brand new malicious programs), it will stop previously identified malware. Hackers often use existing malware because it saves them time and they know it’s effective on unprotected machines.
Not all anti-malware applications are created equal, though. You should use one that detects different types of malware, including ransomware, spyware, and viruses. You also need to make sure that the anti-malware software and its detection signatures are updated regularly. Computers whose anti-malware software is out of date are vulnerable to cyber attacks.
2. Having Bad Password Habits
Employees often have bad password habits, such as using weak passwords like “12345678”, “qwertyuiop”, and “starwars”. Cybercriminals can easily crack weak passwords using brute-force password-cracking tools. Employees also commonly use the same password (or variations of it) for several accounts. Hackers know that people reuse passwords, so once they obtain a password for one account, they will try it on other accounts.
In addition to using weak passwords for employee and service accounts, businesses often use the default passwords that network devices (e.g., routers, appliances) ship with. This is a dangerous practice, as hackers are familiar with these default passwords.
Educating everyone on how to create unique, strong passwords is one way to combat the password problem. However, due to the sheer number of passwords people need to remember, they might resort to their old habits or even start writing down passwords. For this reason, you might consider using a password manager designed for businesses. Another measure you can take is using two-step verification for accounts when possible.
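The checks described in this section can be enforced at the point where a password is set rather than left to training alone. The following Python script is an added example written for this page; it is not code from the original article or from Assign-IT. It rejects passwords from a constructed list of common passwords (including the three quoted above), rejects factory-default username/password pairs from a constructed list, and detects reuse by verifying the candidate against the salted hashes of the user's other accounts, so no plaintext passwords need to be stored. The function and variable names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample lists (hypothetical, not from the original article):
# passwords that appear in common cracking wordlists, and factory-default
# device credentials that should never be accepted for a live account.
COMMON_PASSWORDS = {"12345678", "qwertyuiop", "starwars", "password", "123456789", "letmein"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}

PBKDF2_ITERATIONS = 100_000
MIN_LENGTH = 12


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(username, password, existing_hashes):
    """Return a list of policy violations; an empty list means the password is acceptable.

    existing_hashes maps account name -> (salt, digest) for the same user's
    other accounts, so reuse is detected by verification, not by keeping plaintext.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common password list")
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("matches a factory-default credential")
    for account, (salt, digest) in existing_hashes.items():
        if verify_password(password, salt, digest):
            problems.append(f"reused from account '{account}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the user already has a VPN account protected by this password.
    vault = {"vpn": hash_password("correct-horse-battery-staple")}
    for candidate in ["starwars", "correct-horse-battery-staple", "Tn7!wq-PlumOrchard-92"]:
        print(candidate, "->", check_new_password("jsmith", candidate, vault) or "accepted")
```

The reuse check only catches exact reuse; a password that differs by a trailing digit will pass it, which is one reason the section above recommends a business password manager and two-step verification rather than relying on policy checks alone.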
3. Leaving Software and Firmware Unpatched
Security vulnerabilities are often discovered in software and firmware. In response, vendors typically release updates that fix the flaws. If the patches are not installed, cybercriminals can exploit the vulnerabilities to gain access to the systems running that software and firmware. Using that access, hackers can install malware or perform other malicious acts.
To avoid this situation, it is important that the IT team installs all the security patches that have been released for the software and firmware used by the business. This might seem like a tall order, but the consequences of not doing so are too serious to ignore.
Besides installing patches, the IT team needs to make sure that all applications are still supported by their vendors. Like any product, software programs have life cycles. When an application reaches the end of its life cycle, the vendor will no longer issue any updates for it, including patches that fix newly discovered security vulnerabilities. Many cybercriminals keep track of when vendors stop supporting popular applications. Once support has ended, they launch new cyberattacks that target those applications.
4. Neglecting to Secure Mobile Devices
Using mobile devices for work has advantages, regardless of whether those devices are company-provided or personal. Employees can access business emails, data, and applications at any time from almost anywhere. The flexibility and convenience often improve employee productivity.
Businesses are put at risk by mobile devices that are not properly secured. In 2016, the number of malware attacks against mobile devices rose sharply, and security researchers expect the number to continue to rise in 2017. Even worse, these devices are increasingly being used as entry points into businesses’ networks. Security experts predict that one in five employees will cause network breaches in 2017. Unknowingly, these employees will either upload malware from their mobile devices to their companies’ networks or expose network credentials when they log in from malicious Wi-Fi hotspots.
To prevent these types of problems, you need to make sure that your business has a comprehensive plan to secure your mobile devices. What it should cover depends on whether your employees use company-provided mobile devices, their own personal devices, or both.
5. Ignoring the Human Element in IT Security
Hackers take advantage of the fact that many companies ignore the human element in IT security. By tricking employees into divulging sensitive data, clicking dangerous links, and opening malicious attachments, cybercriminals can get past security systems and perform malicious acts. Untrained employees and phishing attacks are the top two causes of data leaks in companies, according to a 2016 report on IT security risks.
Your employees, however, do not have to be a weak spot. They can provide a formidable line of defence against cybercrime if you educate them about common security threats and teach them some basic skills, such as how to spot spear phishing emails.
Unfortunately, no amount of training will help combat insider attacks, which account for 7 percent of data leaks in companies. An effective way to address insider threats is to follow the principle of least privilege — that is, limiting employees’ access to the minimal level that will allow them to perform their job duties. Using access control tools is also effective.
The Next Step
Knowing about the common security mistakes made by small and midsize businesses is the first step to avoiding them. The next step is to start taking measures to prevent them. You may have some protection in place already, such as anti-malware software. We can help you with the rest so that your IT systems stay secure.
Assign-IT is an authorised certification body for the UK Government-backed security certifications Cyber Essentials and IASME. If you would like to talk to us about your IT security, please call us on 01727 843888 or email us at firstname.lastname@example.org