This is perhaps the most exciting time ever to work in IT. Transformative technologies abound, and companies large and small are harnessing the power of SaaS applications, cloud infrastructure, big data, and more to help their organizations reduce costs and gain a competitive advantage. However, there are also some risks that range from simple and common to sophisticated and complex.
Here are some of the top ones to think about for this year and beyond:
Privileged User Access
Who holds the keys to your kingdom? Many organizations have granted administrative privileges to certain users simply because they were the ones closest to the technology at the time. Over time, those applications and that infrastructure have become more mission critical, while the same people have kept their access for the same vague reasons. This is a problem for several reasons. First, the individuals may not have the expertise to operate that technology securely. Second, they may have no business need to see the HIPAA-protected or otherwise regulated data those applications control. Third, while we like to believe that everyone employed by our companies has a high level of integrity, news stories about insider hacking crimes are on the rise. In a recent survey, 91% of IT leaders said they expected insider threats to remain steady or increase.
Bring Your Own Device (BYOD)
As employees, customers, and others have become accustomed to being able to “Bring Your Own Device” (BYOD), organizations and IT leaders have realized both cost-saving benefits and security challenges. Our blog post, What Is BYOD? Is This A Policy You Should Consider?, offers many suggestions to help you minimize this risk.
Backdoors to Cloud
Today, nearly every organization depends on servers, systems, and applications that exist outside the walls of its facilities. Choose your third-party partners and solutions carefully to ensure that their security standards are as high as your own. Running regular vulnerability scans against your portals reveals the back doors that could leave your data at risk.
Weak Passwords
It is human nature, and still surprisingly common, for employees to choose simple, common, or easy-to-guess passwords. Train your non-technical staff to understand the reasons for strong passwords, and review passwords frequently to ensure that critical data and systems are being adequately protected.
Insufficient Backups
Too many businesses are operating with insufficient systems and policies in place to ensure comprehensive backups. This leaves them vulnerable to data loss through equipment failure, theft, ransomware, and other threats.
Regulatory Compliance
Does your company have adequate systems and processes in place to ensure that it meets all of its regulatory obligations under any circumstances? Is your system too dependent on individual employees or devices? Healthcare and banking organizations are well aware of the industry-specific regulations they must meet to protect consumer information, and most businesses may be subject to litigation discovery at some point. Therefore, it is important to make compliance audits part of your organization’s regular operations in order to discover and remedy issues before outside auditors or regulators have to.
Printing Costs
This is a different kind of hidden IT threat, but one that costs organizations many millions per year. Although most companies have expressed a desire to be as paperless as possible, there is still a lot of printing going on. Costs for printers, paper, toner, maintenance, labor, storage, and other expenses related to printing continue to be a drag on the bottom line.
Defunct Devices & Accounts
Do you have users in your systems who are no longer with your organization? These ghost users can leave open doorways that allow intruders into your systems. By scanning for inactive users regularly and maintaining a systematic approach to securing and eliminating obsolete devices, you can help keep your applications and data safe.
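The periodic review described here and under Privileged User Access above can be automated. The following is an added example, not Vology's tooling or code from this post: it cross-references a constructed identity-system export (accounts, groups, last sign-in) with a constructed HR roster, and flags departed users who still have accounts, accounts with no recent sign-in, and administrative privilege held without a recorded justification. The account names, group names, and the "svc-" service-account prefix are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: an identity-system export (account, groups, last
# sign-in) and an HR roster of people still employed. Names are made up.
ACCOUNTS = [
    {"user": "alice", "groups": ["domain-admins"], "last_login": date(2024, 5, 30)},
    {"user": "bob", "groups": ["staff"], "last_login": date(2024, 5, 29)},
    {"user": "carol", "groups": ["domain-admins"], "last_login": date(2023, 11, 2)},
    {"user": "dave", "groups": ["staff"], "last_login": date(2024, 1, 15)},
    {"user": "svc-backup", "groups": ["domain-admins"], "last_login": None},
]
HR_ACTIVE = {"alice", "bob", "carol"}   # dave has left; svc-backup is a service account
ADMIN_GROUPS = {"domain-admins"}        # assumed name of the privileged group
APPROVED_ADMINS = {"alice"}             # admin rights with a documented business reason
REVIEW_DATE = date(2024, 6, 1)          # fixed so the sample run is reproducible


def review_access(accounts, hr_active, admin_groups, approved_admins, today, stale_days=90):
    """Return (user, finding) pairs, sorted so reports are stable run to run.

    Three checks from the post: accounts whose owner has left ("ghost users"),
    accounts with no sign-in inside the review window, and administrative
    privilege held without a recorded justification.
    """
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        user, last = acct["user"], acct["last_login"]
        is_admin = bool(set(acct["groups"]) & admin_groups)
        is_service = user.startswith("svc-")   # service accounts are not on the HR roster
        if not is_service and user not in hr_active:
            findings.append((user, "departed-user-still-enabled"))
        if last is None:
            findings.append((user, "no-recorded-login"))
        elif last < cutoff:
            findings.append((user, "inactive-%d-days" % stale_days))
        if is_admin and user not in approved_admins:
            findings.append((user, "unapproved-admin-privilege"))
    return sorted(findings)


def sample_review():
    """Run the review against the constructed sample with the fixed review date."""
    return review_access(ACCOUNTS, HR_ACTIVE, ADMIN_GROUPS, APPROVED_ADMINS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:12s} {finding}")
```

In practice the two inputs would be exports from your directory service and HR system; the findings list is what a reviewer signs off on, so every admin retained should end up in the approved set with a reason recorded.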
Continuity & Disaster Planning
If your primary systems go down, are you prepared to maintain operations? What would it cost you if the answer is no? It is important for every business, from the smallest small or mid-sized business to the largest enterprise, to maintain adequate redundancy and backups.
Taking IT for Granted
Many business leaders want to remain focused on delivering value for customers and stakeholders rather than on IT. That is natural, and a good Managed Service Provider (MSP), like Vology, can help make some technology functions as carefree as electricity and other utilities. However, a company that does not fully understand the state of its own technologies, the potential for malicious attacks and equipment failure, or the disruption and legal consequences that could follow is being shortsighted. It is up to the CIO to ensure that the rest of the senior management team and the stakeholders have the knowledge they need.
Web & Cloud Technology Threats
- Outdated Java and ActiveX controls, essential to many valuable web applications, are common targets for cyber attacks.
- Zero-Day Browser Exploits remain a relatively inexpensive way for hackers to do significant damage to your organization.
- Unnecessary Attack Surface in your organization, caused by outdated or unused programs, creates hidden vulnerabilities.
- Web Applications in use within your organization, along with their interdependencies, are rarely fully understood. By collecting browser usage statistics and, in particular, evaluating the Java, ActiveX, and SaaS services in use, IT leaders could understand and mitigate these risks. However, such an inventory would be prohibitively expensive and time-consuming, and the results would be obsolete soon after completion.
- Unnecessary Hardware and Services, when eliminated, can save organizations up to 20% according to a Gartner study. Again, this would require an understanding of browser usage data. But with cloud services representing up to 80% of IT budgets going forward, it is worth carefully pruning unused or redundant services and unnecessary licenses.