How to identify any security vulnerabilities your business may have
When you protect your home from theft, you probably think about all the points of weakness. For example, you fit good locks to your doors, keep windows closed when you’re out and install an alarm.
It’s the same for digital security. It’s harder to see what you’re protecting, but your digital assets are a significant part of your business. If they’re attacked, it can be time consuming and costly to get them restored.
This guide looks at the different types of security vulnerabilities that can affect your business. Find out how to protect your systems against cyber security threats and attacks.
What are security vulnerabilities and why are they important?
Security vulnerabilities are weaknesses in your digital systems. These vulnerabilities leave you open to attack. If found, your company could become a target for things like fraud.
For more information about digital crimes, read our guide on common types of cyber fraud and how to detect them.
There are many types of security vulnerabilities. These range from software problems to simple human error. It’s vital that businesses know where these vulnerabilities lie and what checks to make. That way, you can keep your systems secure.
Common digital vulnerabilities
Often, the most common security vulnerabilities are everyday actions. These can be avoided with the right processes in place.
Weak passwords are one of the simplest ways to let cyber criminals into your business. Too often, people use passwords that are easy to guess, like their name or “password”.
Alternatively, they may use the same password across multiple different accounts. This could include personal accounts like social media and their work email accounts. This makes them an easy target for hackers and puts your company’s sensitive data at risk.
Hardware and software issues
Hardware weaknesses include outdated hardware and deterioration of the product and its performance. This can lead to unauthorised access and attacks directly through the hardware.
Updating systems is something that many businesses overlook. Avast found that around 55 per cent of software installed on PCs is an older version of the application.
So why is this a problem? If software isn’t well maintained, it can cause bugs and incompatibility issues. It can also mean that you miss out on vital security updates.
These security updates provide patches for known vulnerabilities. Cyber criminals will look for those vulnerabilities; failing to install the updates leaves you exposed.
Do your employees use public WiFi points to log into company laptops? Or personal devices to log into work accounts away from work? If so, they could be putting your data at risk in many ways:
- Many public WiFi networks are unencrypted. This means that the information sent between the device and the wireless router is easier to access
- An attacker can place themselves between the device and the connection point. That lets them eavesdrop on your information
- Malware can be added onto your device without you realising
- Attackers can set up rogue WiFi hotspots that sound like the public place you’re visiting. Once you log on, they can access your information
The files that your business deals with on a daily basis contain lots of sensitive information. This might include financial information in spreadsheets and your team’s personal details.
Ask yourself if your company is storing files safely. Are you aware of how files are being used and shared?
Most file sharing online is vulnerable to security risks. For example:
- Files on a shared network may be accessed by people without the proper authority
- Files sent by email and downloaded may contain an attached malicious virus
- There’s always the risk of emailing files to the wrong person. This can result in data going to the wrong hands
“We use Google Drive and Sheets, and we have third party software companies like Oracle who do our email. We’ve got to be really careful with GDPR because we handle a lot of data. We’re also looking at insurance companies that cover ransomware attacks, so that’s on my list at the moment.”
John Owen, co-founder of Masterclassing
Human vulnerabilities or “insider threats”
It’s common for businesses to focus on external threats. With cyber security, it’s no different. But don’t forget that there are also internal threats.
Think about all the people that have access to your company’s systems. There are current and past employees, for starters. But there are also contractors, partners and associates.
It’s incredibly easy to give someone access for a meeting or project. But do you always remember to revoke that access?
Leaving your files and systems exposed in this way is a large-scale problem. And, like most insider threats, it comes down to simple human error.
Types of insider threats
Most insider threats aren’t malicious. Research by the Ponemon Institute suggests that 63 per cent of insider threats are the result of negligence.
Here are common threats caused by human error:
- Accessing work files and systems in insecure environments. This could include home working or working in a public space like a cafe
- Being negligent with devices or data. For example, you might be working in a public place where someone could look over your shoulder. In a worst case scenario, the devices may be lost or stolen
- Employees talking about work or sensitive information in a public place
- Employees having access to data and systems that they don’t need
- Past employees holding sensitive information. For example, confidential log-in details
In rare cases, insider threats may be hostile. This is where staff want to take advantage of the information they hold.
Common examples of these kinds of insider threats include:
- Disabling security tools
- Allowing outsiders access to the system
- Sharing confidential data with competitors
- Selling your business information for financial gain
How to reduce threats in the workplace
It’s important to build a culture of digital awareness in your workplace.
Staff need to know that cyber security is everyone’s responsibility. While human error happens, training and awareness campaigns can help to reduce it.
It's also good practice to implement some tools to reduce threats.
Manage staff permissions
What accounts do your employees have access to? Is the access necessary? Often, staff have automatic access to data and accounts that they never use.
Start with an audit of who has what privileges in your business. One recommendation is to give employees the minimum privileges necessary. Review this on a regular basis to see if they need more or less access as their roles change.
It’s also crucial to consider access when staff leave. Make this review part of your exit procedure. Disable their access to ensure that saved passwords are no longer active.
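As an added illustration, not taken from this guide, here is a small Python script that carries out the access review described above over constructed sample data. The staff register, role baselines, systems and dates are all made up; a real review would pull them from your HR system and access logs.

```python
from datetime import date

# Constructed sample data: who works here, what each role needs, and what
# access each person actually holds (with the date it was last used).
STAFF = {
    "alice": {"role": "finance", "active": True},
    "bob": {"role": "marketing", "active": True},
    "carol": {"role": "contractor", "active": False},   # has left the company
}

# Minimum access each role needs to do its job (the least-privilege baseline).
ROLE_BASELINE = {
    "finance": {"accounts-drive", "payroll"},
    "marketing": {"shared-drive", "social-media"},
    "contractor": {"shared-drive"},
}

# (user, system, last_used) where last_used is None if the access was never used
GRANTS = [
    ("alice", "accounts-drive", date(2024, 5, 2)),
    ("alice", "payroll", date(2024, 4, 30)),
    ("alice", "social-media", None),
    ("bob", "shared-drive", date(2024, 5, 1)),
    ("bob", "social-media", date(2024, 5, 3)),
    ("bob", "payroll", date(2023, 9, 10)),
    ("carol", "shared-drive", date(2024, 3, 15)),
]

REVIEW_DATE = date(2024, 5, 10)   # the day the audit is run (constructed)


def review_access(staff, baseline, grants, today, stale_days=90):
    """Return (user, system, reason) findings for access that should be revoked or questioned."""
    findings = []
    for user, system, last_used in grants:
        person = staff.get(user)
        if person is None or not person["active"]:
            # Leavers and unknown accounts: part of the exit procedure check
            findings.append((user, system, "leaver still has access"))
            continue
        if system not in baseline.get(person["role"], set()):
            findings.append((user, system, "outside role baseline"))
        if last_used is None:
            findings.append((user, system, "never used"))
        elif (today - last_used).days > stale_days:
            findings.append((user, system, "unused for over %d days" % stale_days))
    return findings


if __name__ == "__main__":
    for user, system, reason in review_access(STAFF, ROLE_BASELINE, GRANTS, REVIEW_DATE):
        print("%-6s %-15s %s" % (user, system, reason))
```

Running it flags Carol’s leftover access, Alice’s unused social-media account and Bob’s stale payroll access, which is exactly the list you would take into a quarterly review.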
Make sure personal devices are well managed
With the increase in home working, it’s very common for staff to work on different devices. This can be great for offering staff a more flexible work/life balance. But it also brings several security risks.
Your best bet is to introduce a company-wide device management policy. This might include:
- Installing endpoint security software on all personal devices
- Providing a Virtual Private Network (VPN)
- Providing a separate WiFi network for personal devices in the working environment
Monitor unusual activity
Read our guide on how to detect common types of cyber fraud. It provides guidance on how to put strong network security solutions into place.
Set a baseline of normal activity. You want to be able to flag up any unusual behaviour and look into it straight away.
Make sure passwords are well managed
A simple way to manage passwords is to install password management software. This generates strong passwords. They are unique to each account and stored in an encrypted environment.
Another technique is to use multi-factor authentication. For this, you need an extra verification step to access business accounts. This is usually a passcode sent to a mobile device.
It means that even if attackers guess a password, they still can’t access the account.
Train your staff
Training staff is the best way to build a culture of cyber security awareness.
Cover all the basics, including password management and data protection. Remember to use language that everyone understands. If training goes over people’s heads, they’ll stick to their old routines.
You’ll also need to include this training in your onboarding process. That way, new starters know that cyber security matters from day one.
“Don’t imagine everything is fixed by adding shiny technology. You need to help your staff to be better at recognising these sorts of attacks by training them and making them resilient.”
John Williams, MD at Northstar