The global cost of cybercrime has risen to an average of $11 million USD per minute, or $190,000 per second. Approximately 60% of small and medium-sized businesses fail within six months of being the victim of a cyberattack. Hackers’ damages extend beyond financial losses to include reputational harm, downtime, productivity losses, reparation costs for customers whose data has been stolen, and much more.
At the same time the most damaging breaches are caused by common cybersecurity mistakes that companies and their employees make, therefore could have been avoided.
The 2021 Sophos Threat Report stated, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”
Here are five of the most common missteps when it comes to basic IT security best practices:
1. Ignoring the implementation of multi-factor authentication
According to IBM Security, credential theft has become the leading cause of data breaches worldwide. Because most company processes and data are now cloud-based, login credentials are the key to a variety of attacks on company networks. Not protecting your user logins with multi-factor authentication is a common mistake that puts businesses at a much higher risk of being hacked. MFA reduces fraudulent sign-in attempts by a staggering 99.9%.
2. Disregarding the use of shadow IT
Shadow IT is the use of cloud applications data by employees that has not been authorized to do that by the company. Shadow IT usage puts businesses at risk for several reasons, for instance: data may be used in a non-secure application, data hasn’t been included in company backup strategies, data could be lost if employee leaves, the app might not meet company compliance requirements.
Employees often use apps on their own to fill a gap in their workflow and are unaware of the risks involved. Cloud use policies that specify which applications can and cannot be used for work are critical.
3. Considering an antivirus only as a reliable cyber defense
No matter how small your company is, a simple antivirus application will not keep you safe. In fact, many of today’s threats do not even use a malicious file. Phishing emails will contain commands that are sent to legitimate PC systems that have not been flagged as a virus or malware. Phishing is also increasingly using links rather than file attachments to redirect users to malicious websites. Simple antivirus solutions will not detect these threats. You need to have a multi-layered strategy in place that includes next-gen anti-malware that uses AI and machine learning; next-gen firewall; email filtering, DNS filtering; automated application and cloud security policies, cloud access monitoring.
4. Ignoring device management implementation
Most companies around the world have employees who work remotely and intend to continue this way. However, device management for remote employee devices as well as business smartphones has not always been implemented. You are more likely to experience a data breach if you do not manage security or data access for all endpoints (company and employee-owned) in your organization. If you don’t already have one, it’s time to implement a device management application, such as Intune in Microsoft 365.
5. Absence of cybersecurity trainings for your team members
Human error is responsible for an astonishing 95% of cybersecurity breaches. Too many businesses do not invest in ongoing employee training, and as a result, users lack the skills required for a good cybersecurity culture. Employee IT security awareness training should take place regularly, not just once a year or during the onboarding process. The more you emphasize IT security, the better equipped your team will be to identify phishing attacks and adhere to proper data handling procedures.