10 Biggest Cybersecurity Mistakes Companies Make


In 2023, a seemingly routine phone call to the MGM Resorts Help Desk swiftly escalated into a cybersecurity crisis. Within a mere 10 minutes, attackers gained sufficient access to disrupt the entire operations of the resort and casino. This incident left the colossal $34 billion organization grappling in the dark for days.

The realm of cybersecurity is intricate, demanding not only highly skilled professionals but also cutting-edge technologies, along with extensive planning and strategic foresight. Given the complexity and resource demands, it’s hardly surprising that numerous companies, for a variety of reasons, fall short in adhering to some of the cybersecurity best practices.

To shed light on common pitfalls, here are the top 10 mistakes organizations frequently make in the domain of cybersecurity.


Neglecting Human Risk Management

In the realm of cybersecurity, one of the most overlooked aspects is the management of human risk, particularly the neglect to provide comprehensive security awareness training and phishing simulations. As the frontline defenders against cyber threats, employees can inadvertently become a major vulnerability without proper training and awareness.

Recent statistics from 2022-2024 emphasize the growing importance of human risk management. According to a 2023 study by Cybersecurity Insiders, human errors contributed to approximately 90% of cyber data breaches, highlighting the critical need for effective human risk management strategies. Additionally, the 2024 Internet Security Report by Symantec noted a 40% increase in incidents involving phishing, confirming that human-targeted attacks remain a predominant threat in the cyber landscape.

The impact of inadequate human risk management is evident in the scale and frequency of cyber incidents. For example, a report by Kaspersky in 2024 revealed that companies with insufficient employee cybersecurity training faced an average of 30% more security breaches compared to those with robust training programs. Moreover, IBM’s Cost of a Data Breach Report 2023 indicated that organizations investing in human risk management and awareness training reduced the cost of data breaches by an average of $3.5 million.

In conclusion, managing human risk through continuous and effective employee training is indispensable in the cybersecurity strategy of any organization. As the threat landscape evolves, the emphasis on equipping employees with the knowledge and tools to combat these threats becomes increasingly vital. By investing in human risk management, companies enhance their security posture and significantly reduce the potential financial impacts of cyber incidents.

Poor Password Management

Weak or reused passwords pose a significant security risk, as demonstrated by the 2018 cyberattack on Reddit. In this breach, hackers gained access to sensitive user data, a situation exacerbated by the use of weak and recycled passwords across multiple accounts. This incident serves as a stark reminder of the vulnerabilities that can arise from inadequate password practices.

The Reddit breach, specifically, brought to light the dangers associated with not just weak passwords but also the habit of password reuse. When users employ the same password across different platforms, a breach in one system can easily lead to a domino effect, compromising multiple accounts. This risk is amplified by the widespread use of automated tools by cybercriminals, which can rapidly test known passwords against various accounts.

This incident underscores the need for strong, unique passwords for each online account. Companies are advised to enforce strict password policies, educate users about the risks of password reuse, and encourage the use of password managers to generate and store complex, unique passwords. By addressing the fundamental issue of weak and reused passwords, organizations can significantly enhance their resilience against data breaches and unauthorized access.

Ignoring Software Patches

Regular software updates and patch management are crucial elements in maintaining cybersecurity. Neglecting these can leave systems dangerously exposed to cyber threats. In 2017, Equifax suffered one of the biggest data breaches in history. It was attributed to an unpatched vulnerability in a web application, exploited to access a vast amount of sensitive data.

The Equifax breach underscores the importance of regular software maintenance in safeguarding digital assets. Vulnerabilities in software can be identified and exploited by cybercriminals, making systems that run on outdated software prime targets for attacks. Therefore, organizations must establish a rigorous process for regularly updating and patching their software systems.

Inadequate Network Security

Insufficient network security measures can expose companies to cyberattacks. A notable example is the 2014 JPMorgan Chase data breach, where hackers exploited an overlooked server to access the data of over 83 million customers. Robust network security protocols are essential.

Lack of Incident Response Plans

The lack of a proper incident response plan can magnify the consequences of a breach. The 2020 SolarWinds attack, a sophisticated supply chain attack, highlighted the need for a coordinated response strategy to mitigate the impact of such infiltrations.

Overlooking Insider Threats

Insider threats, often overlooked in cybersecurity, can be as harmful as external attacks. The 2016 Sage data breach, caused by an employee misusing their access, exemplifies the dangers of internal risks.

These threats, ranging from intentional sabotage to accidental data leaks, arise from individuals with inside access. To counter them, companies need to enforce strict access control, monitor activities, conduct regular audits, and continually train employees in security practices.

Inadequate Data Encryption

Failing to encrypt sensitive data can lead to disastrous consequences. The 2019 Capital One data breach, where a hacker accessed over 100 million customers’ data, was partly due to a misconfigured firewall and unencrypted data.

Ignoring Compliance Regulations

Non-compliance with data protection regulations like GDPR can lead to significant legal repercussions and hefty fines for companies. Several high-profile cases illustrate this:

  1. Meta: In 2023, Meta (formerly Facebook) faced a monumental fine of $1.3 billion USD. The Irish court ruled that Meta violated GDPR laws pertaining to data transfers between the EU and the US. This fine was primarily due to Meta transferring personal data of European users to the United States without adequate data protection mechanisms. This fine stands as the biggest GDPR fine to date.

  2. Amazon: In 2021, Amazon was fined €746 million by Luxembourg’s National Commission for Data Protection. The fine was levied after it was established that Amazon was not obtaining user consent before storing advertisement cookies.

Inadequate Physical Security

Companies preoccupied with virtual breaches sometimes forget the importance of physical security. One notable example is a break-in by burglars made possible by weaknesses in a company’s security system. Such incidents can occur when sophisticated criminals, familiar with a company’s protective measures and daily operations, exploit gaps between detection and response mechanisms.

Another common physical security breach involves former employees using their credentials to access company facilities, a situation that arises when their access rights are not terminated promptly after leaving the organization.

In addition to these, there are instances where office theft extends beyond just physical assets. Data leakage, involving the loss of sensitive information, credit card details, or intellectual property, can result from such physical intrusions. Both former employees and external cybercriminals can be responsible for such data thefts, particularly when valuable information is not adequately protected.

Lack of Security Audits

Finally, the absence of regular security audits can leave companies blind to emerging threats and vulnerabilities. Regular audits and assessments are critical to maintain a robust cybersecurity posture.


In conclusion, cybersecurity is a multifaceted challenge that requires a comprehensive approach. By acknowledging and addressing these common mistakes, companies can significantly bolster their defenses against cyber threats.

Also, as we covered in item #1, human risk is a major danger, and that’s why we offer solutions that empower your employees to identify and respond swiftly to potential threats through our Human Risk Management platform.

Talk to us today and get rid of burdensome security alerts generated by employees.

Rodrigo Leme


Marketing Director for Right-Hand Cybersecurity, Rodrigo has over 20 years worth of experience in Technology companies in Brazil, US, Canada and other countries. He is based in Sao Paulo, Brazil, and loves everything tech, music, marketing, writing, and hockey (go Canucks!).
