What’s the biggest single threat to company cybersecurity? According to the Sophos 2021 Threat Report, it’s poor cybersecurity practices by organizations. 

The report, which looked at multiple cyberattacks that happened in 2020, stated, “A lack of attention to one or more aspects of basic security hygiene has been found to be the root cause of many of the most damaging attacks we’ve investigated.”

This underscores the fact that many data breaches and ransomware infections are preventable with proper data and network security practices. 

Is your business at risk because of poor cybersecurity hygiene? Here are ten of the worst practices that often result in costly repercussions. 

1. Holding Onto Software/OS Versions Past End-of-Life Date

As of November 2021, there were still about 13% of global Windows users running Windows 7. This is an operating system that reached end-of-life and lost security update support nearly two years ago (in January of 2020).

Older software and operating systems that no longer receive vital security updates are sitting ducks for a hacker to launch an exploit. Exploits are malicious code that takes advantage of a software vulnerability to gain access and launch an attack.

It’s important to upgrade well before a software or OS reaches the end of life. And for those of you wondering when you should upgrade to Windows 11… Windows 10 reaches end-of-life in less than four years, in October 2025.

2. Using Only Single-Factor Authentication for System Admin Accounts

Single-factor authentication means that your company accounts are still being protected only by a username/password login. When you don’t use multi-factor authentication (MFA), your cloud accounts, especially of administrators that can access more settings, are at risk of an account takeover.

If you don’t want to implement MFA companywide, at the very least, implement it for accounts that hold more sensitive data and for your system and cloud platform administrators.

3. Leaving IoT Devices with Default Login Credentials

IoT devices like routers, smart door locks, voice speakers, and automated sensors are growing in offices around the world. Many companies make the mistake of leaving these with the default login credentials instead of changing them immediately.

Hackers have a list of all the default logins for multiple IoT devices. Changing the default login details should be one of the first things done during the initial setup of the device 

4. Not Using Email Filtering & Security Policies

In the past year, 73% of surveyed companies suffered a data breach due to a phishing attack. Phishing continues to get more sophisticated all the time as well as more personalized. This makes it harder for users to detect a fake email from a real one.

Email filtering acts as an automated gatekeeper that can keep a majority of dangerous phishing emails out of employee inboxes, significantly reducing your risk of a breach or malware infection.

5. Having No Mobile Device Management Software

Mobile devices now make up about 60% of all endpoints in an organization, yet many companies don’t manage them or monitor mobile device access to company assets and cloud accounts.

Mobile devices are just as susceptible to malware that can spread throughout a network as PCs, and often they have access to the same company data through business cloud apps.

Not having a mobile device management strategy in place is just asking for some type of smartphone-related data security incident.

6. Poor Password Security

Credential compromise is now the #1 cause of data breaches globally, according to IBM’s most recent Cost of a Data Breach report. Companies often leave passwords up to their users to create and manage on their own, and this can lead to poor password habits. These include:

• Weak passwords
• Passwords that are too short
• Sharing passwords
• Using the same password for multiple accounts
• Storing passwords in an unsecured manner

7. Leaving Cloud Platforms at Default Security Settings

Misconfiguration, which includes not adding adequate security controls, is one of the main causes of cloud account breaches. It’s important to work with an IT professional, like GEEK911, to have your cloud platforms (Microsoft 365, Google Workspace, Salesforce, etc.) properly configured.

8. Not Having a Disaster Recovery & Business Continuity Plan

Many small businesses pay tens of thousands of dollars more than needed in the case of a data breach because they were unprepared. Not having a disaster recovery and business continuity plan, and practicing that plan, is like having no business liability insurance or driving with no car insurance.

9. Failing to Automate Security Patches & Updates

Unpatched system vulnerabilities are a leading cause of data breaches. Companies that fail to automate security patches and updates for all their devices, often leave themselves wide open to an attack.

One of the best ways to ensure all your updates are being taken care of in a timely and professional manner is to sign up for managed IT services, as this is a core service provided with these plans.

10. Only Training Employees on Cybersecurity Once a Year

Over 31% of untrained employees will fail a phishing detection test. Training your employees once a year isn’t enough to hone their skills and keep them sharp.

Use different forms of training (videos, newsletter reminders, team meetings) throughout the year to keep cybersecurity top of mind for your team.

Start Your Year Off More Secure With a Cybersecurity Audit 

Is your Silicon Valley business suffering from some of these poor practices? GEEK911 can do an IT security audit so you’re not left in the dark and vulnerable and can address any weaknesses in your cybersecurity strategy.

Schedule a consultation by calling 1-866-433-5411 or reach us online.