The threat posed by hackers is something no business can afford to take lightly. In today's environment, criminals are more organized and sophisticated than ever, and the costs of failure can be high. For instance, figures from IBM suggest that in 2021, the average cost of a data breach stood at $4.24 million - the highest figure in the 17 years the firm has been tracking this data.
Meanwhile, the UK government's latest Cyber Security Breaches Survey for 2022 indicates almost two in five businesses (39%) came under attack in the last 12 months, with a third of firms (31%) reporting that they experienced this on a weekly basis.
Yet despite the risks to both finances and reputation, a large number of enterprises still leave themselves vulnerable to attack by failing to take basic precautions. So what are some of the most common errors companies make, and what do you need to do to avoid these issues?
1. Not being up-to-date
One of the most common problems is firms continuing to run outdated applications. Failing to patch software to the latest versions leaves companies exposed to a range of exploits as new flaws come to light.
A good example of this is the Log4j zero-day vulnerability discovered towards the end of 2021. This was described by the UK's National Cyber Security Centre as "potentially the most severe computer vulnerability in years”, yet according to research by cloud security company Qualys, 30% of affected systems remained unpatched as of March 2022.
Having a clear plan in place for updating systems is therefore essential in order to eliminate this issue. This needs to be done on a regular basis, while experts must always be paying attention to security alerts and news to understand the latest threats.
2. Not having a plan in place
Another frequent issue is that firms simply assume they aren't at risk. Perhaps they believe they don't hold any sensitive data that would be valuable to hackers, or worth the effort. This results in them failing to prepare and having no clear idea of what their mitigation steps should be if they do fall victim.
For instance, ransomware attacks often target organizations that might be seen as 'low value', such as schools, colleges or local governments, precisely because they know they are likely to be poorly defended. Therefore, knowing what to do if the worst happens - from quarantining affected systems to reverting to backups - is vital.
3. Treating cyber security solely as an IT issue
A common attitude to security, especially from business units and the board level, is that it is an area that's solely the preserve of the IT team, and the chief information security officer in particular. However, it's actually something the entire business needs to focus on.
From HR and sales data containing personally-identifiable information, to trade secrets and intellectual property, every department needs to take responsibility for securing their systems.
If C-Suite employees can take the lead in encouraging good security practices - both in terms of the right technology and their own behavior - this will filter down to the rest of the business, embedding a culture of security into everything they do.
4. Not effectively training your employees
The vast majority of cyber attacks can be traced back to human error. In fact, figures from IBM suggest as many as 95% of attacks have this as a major contributing factor. Therefore, educating employees at all levels about best practices is vital.
This requires more than just a one-off lecture warning them what not to do. Training needs to be conducted frequently and followed up with tests and real-world simulations to ensure the message is sinking in.
5. Not employing tough access controls
Weak and easily-guessed passwords remain a primary cause of breaches, while phishing efforts often aim to harvest login credentials. To counter this, it's important you toughen up your access controls.
This means more than just requiring the use of complex, unique and frequently-changed passwords. Multi-factor authentication is a must-have for critical applications and servers to prevent the use of stolen login details, while monitoring software that can alert you to unusual behavior is also hugely useful.
6. Relying too heavily on AV tools
Finally, it's important to recognize that effective cyber security technology goes far beyond the latest antivirus software and a strong firewall. To ensure your company is kept safe, you need to take a defense in depth approach. Indeed, malware makes up less than 40% of attacks today, with threats such as fileless attacks a growing challenge.
Therefore, you need solutions that can protect every part of your network, from guarding the perimeter to monitoring within your systems for suspicious activity and keeping employee-owned mobile devices safe. It's only by having a complete picture, from technology to training, that you can truly minimize the risk of falling victims to hackers.