Practices Such as Two-Factor Authentication, Pen Testing & Employee Education Shouldn’t Be Neglected
By Kent Woodruff
According to Verizon’s 2016 Data Breach Investigations Report, in 81.9 percent of security breach incidents, the victim’s network was compromised in mere minutes. Yet IT teams continue to struggle to gain buy-in for security measures, articulate what’s at stake, or even explain exactly how quickly hackers can breach the network.
Recently we hosted a webinar on 10 best practices for network security. We discussed how easy it is for hackers to exploit certain vulnerabilities, and how a handful of best practices can significantly reduce your enterprise’s risk of experiencing a catastrophic network breach. Here are three of the best practices that enterprises often neglect, and why:
Two-Factor Authentication
Two-factor authentication is perhaps the most neglected security measure, despite being one of the simplest and most cost-effective.
Two-factor authentication requires two identifiers for employees to log in to a specific application or account. For example, an employee must enter a permanent password, along with a one-time numerical code texted to her mobile device. To log in to a specific application, she not only has to know the password, but also must have access to the mobile device to see the code. Unauthorized users hacking into the network from thousands of miles away have no way to log in, even if they have the password or a keystroke tracker.
Two-factor authentication becomes increasingly important as enterprises adopt cloud applications. When information can be accessed anywhere, it’s critical to ensure it can only be accessed by specific people.
Some enterprises can afford to build their own cloud applications, and should certainly require two-factor authentication in those cases. For companies that utilize public cloud apps, such as Google Apps, Salesforce, Dropbox, or the like, I recommend researching which applications offer two-factor authentication (among other important security measures) using the Cloud Security Alliance’s STAR database.
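How the two-factor check works, shown as an added example that is not code from the article or the webinar. The article describes a permanent password plus a one-time numerical code sent by text; this Python sketch uses the time-based code of RFC 6238 instead (the form an authenticator app generates, assumed here for the sake of a self-contained example) together with the RFC's published test secret, and shows that the login succeeds only when both factors are valid, that a code cannot be replayed, and that one step of clock skew is tolerated. The user record, the user name and the password are constructed for the example.

```python
"""Password + one-time code login check. Added illustration, not the article's code."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def make_user(password: str, otp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash of the password plus the enrolled OTP secret.
    `last_counter` remembers the newest time step whose code was accepted, to block replays."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "otp_secret": otp_secret, "last_counter": -1}


def check_password(user: dict, password: str) -> bool:
    """First factor: something the user knows. Constant-time comparison of the derived hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_otp(user: dict, code: str, at: Optional[float] = None,
              step: int = 30, window: int = 1) -> bool:
    """Second factor: something the user has. Accepts the code for the current step or up to
    `window` steps either side (clock skew) and refuses any step already used (replay)."""
    if at is None:
        at = time.time()
    now = int(at // step)
    for counter in range(now - window, now + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["otp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


def login(users: dict, username: str, password: str, code: str,
          at: Optional[float] = None) -> bool:
    """Both factors must pass. A stolen or keylogged password alone never gets in, because
    the one-time code requires possession of the enrolled device."""
    user = users.get(username)
    if user is None:
        return False
    if not check_password(user, password):
        return False
    return check_otp(user, code, at)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment would generate
    # a random per-user secret with secrets.token_bytes(20) at enrolment time.
    demo_secret = b"12345678901234567890"
    users = {"alice": make_user("correct horse battery staple", demo_secret)}
    code = totp(demo_secret)
    print("password only:", login(users, "alice", "correct horse battery staple", "000000"))
    print("password + code:", login(users, "alice", "correct horse battery staple", code))
    print("same code again:", login(users, "alice", "correct horse battery staple", code))
```

The `last_counter` bookkeeping is the part most toy implementations skip: without it, a code observed over the shoulder or phished in real time stays valid for the whole skew window rather than being consumed by its first use.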
Why it’s Neglected:
Some companies are hesitant to create a two-factor authentication policy for enterprise applications because it creates an extra step. The phrase “lost productivity” might be invoked in a discussion about effects on business operations. However, citing the extra step as a productivity killer tends to be a short-sighted take on the matter. How productive can your employees be if the network gets taken down by hackers? How much will revenue suffer if employee or customer data is compromised? What will the implications be if trade secrets are stolen?
Employee Education
If you watch “Silicon Valley,” you’ve probably seen the episode where the character Gilfoyle needs to destroy a hard drive containing company secrets that was accidentally sold to an elderly man. He visits the man’s house and convinces him that he’s there to set up his newly purchased computer. Gilfoyle doesn’t have a Geek Squad uniform on, but he bypasses the man’s objections with a wacky excuse and quickly proceeds to run a drill through the man’s computer.
This tongue-in-cheek comedy actually points to a real-world security problem: Non-IT staff can be tricked or intimidated into allowing malicious individuals access to the network.
Why it’s Neglected:
Many IT teams focus on the technical aspects of hacking, forgetting that social engineering remains one of the easiest ways for hackers to breach the network.
This is particularly dangerous for distributed enterprises that don’t have regular, on-site IT. A front-line employee who doesn’t interact with IT on a daily basis might think the person in the network closet is installing a firmware upgrade, but maybe it’s a hacker plugging a “drop box” into an Ethernet port and stealing the company’s data. The person calling on the phone sounds real enough, right?
Social engineering continues to be one of the most effective ways for hackers to gain network access. In response, vigilance is vital. We need to create identification and physical access policies, teach employees to recognize phishing attempts, and train them to report anything that seems unusual or goes against policy.
Penetration Testing
I highly recommend that enterprises invest in regular penetration testing. This is the practice of hiring a white-hat hacker to attempt to breach your systems and provide data and actionable recommendations for shoring up your security. The penetration tester may conduct a phishing attack or hack a poorly secured device on the network, with a goal to see if he or she can gain access to critical data and infrastructure.
While your IT team may be fully aware of some of your network’s vulnerabilities, these highly trained hackers bring a different perspective and skill set to the table. The data they provide can be invaluable.
Why it’s Neglected:
There are a number of reasons that some enterprises don’t do regular penetration testing. One factor is the expense. Generally, these professionals are well-paid, and depending on the size of the enterprise, a full penetration test can take quite a few weeks. However, I’d argue that a security breach has the potential to be much more costly. Consider the downtime, compromised data, potential fines, and brand reputation harm that could ensue.
Some IT teams fear that a penetration test will reflect poorly on them, or that they need to fix the issues they already know about before digging up more problems. The truth is that a security breach looks much worse — and has real consequences. Additionally, the data obtained from a penetration test can help you determine where to focus your efforts and which vulnerabilities present the greatest risk.
Network security is complex, ever-changing, and almost impossible to get right 100 percent of the time. In contrast, a hacker only has to be right once to breach a network. So how can enterprises decide where to prioritize their efforts?
On-Demand Webinar on ‘Best Practices for Mitigating Network Security Risks’
To learn more about some of the best practices for mitigating network security risks, watch our on-demand webinar.