Top 10 Lists of IT Security Risks for 2015

Data breaches ruled the business pages in 2014, exposing just how susceptible our data may actually be. I alone have been issued four new debit cards in eight months because of data breaches at local retailers and two widely known national retailers. While I am pleased my bank helps to protect me from being liable for the stolen funds, it is becoming rather bothersome to update all my bill-pay functions.
This year’s Top 10 security risks:
1-Over-reliance on security monitoring software:
The good news is that many organizations are beginning to actively monitor their networks in response to all the data breaches. Third-party vendors offer Security Information and Event Management (SIEM) software that you may purchase, install, and use to seemingly monitor the entire network with one tool. The bad news is that these tools require considerable customization and management to work effectively. Your network devices all need to be able to connect and communicate with the software. One tool may not do it all, so be careful of putting all your eggs in one basket. Mitigation strategy: Understand and use a diverse portfolio of monitoring tools.

2-Inadequate system logging:
Software and network devices allow for incident and event logging. However, people often do not enable the logging option. If enabled, the logs are frequently not saved or reviewed by management. Yes, logging can be a tedious process. When not configured correctly, logs can bog down your email inbox. Mitigation strategy: Consider third-party software that allows you to refine the logging process and alert your personnel to significant incidents and events. Combined with a well-managed SIEM tool, strong logging practices can help diversify your system defenses.
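To show what "refining the logging process" looks like in practice, here is an added example (not from the article) in Python: it reads constructed syslog-style lines and forwards only two kinds of significant events, a burst of failed logins from one source and any command that changes accounts or privileges, instead of every line. The log format, the threshold of five failures in ten minutes, and the list of privilege-changing commands are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like); no real host, user or
# address appears here.
SAMPLE_LOGS = """\
2015-03-02T08:00:01 fileserver sshd: Accepted password for alice from 10.0.0.5
2015-03-02T08:00:05 fileserver sshd: Failed password for bob from 10.0.0.9
2015-03-02T08:00:06 fileserver sshd: Failed password for bob from 10.0.0.9
2015-03-02T08:00:07 fileserver sshd: Failed password for bob from 10.0.0.9
2015-03-02T08:00:08 fileserver sshd: Failed password for bob from 10.0.0.9
2015-03-02T08:00:09 fileserver sshd: Failed password for bob from 10.0.0.9
2015-03-02T08:05:00 fileserver sudo: carol : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG wheel dave
2015-03-02T09:00:00 fileserver sshd: Failed password for erin from 10.0.0.12
2015-03-02T10:30:00 fileserver sshd: Failed password for erin from 10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")          # ts host program: message
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
PRIV_RE = re.compile(r"COMMAND=\S*(usermod|useradd|visudo)\b")  # assumed watch-list

def parse(text):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def significant_events(text, threshold=5, window=timedelta(minutes=10)):
    """Return alert strings for: `threshold` failed logins for one user from one
    source inside `window`, and any privilege-changing command. Everything
    else stays in the stored log and is not forwarded to a person."""
    alerts = []
    failures = defaultdict(list)  # (user, source) -> recent failure timestamps
    for ts, host, prog, msg in parse(text):
        f = FAILED_RE.search(msg)
        if f:
            key = (f.group(1), f.group(2))
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) == threshold:   # fire once per burst
                alerts.append(f"{host}: {threshold} failed logins for {key[0]} from {key[1]} within {window}")
            continue
        p = PRIV_RE.search(msg)
        if p:
            alerts.append(f"{host}: privilege change via {p.group(1)}: {msg}")
    return alerts
```

Run against the sample, the two isolated failures for `erin` ninety minutes apart are kept in the log but produce no alert, while the burst for `bob` and the `usermod` call each do.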
3-Technology innovations that outpace security:
Consumer demand for the latest and greatest software package often drives developers to take shortcuts, use outdated code, or not fully test new products in order to get the product to the market. This can result in software put into production before it has been sufficiently vetted against security vulnerabilities or system compatibility. Organizations that use the most recent version of a product should test it extensively before installing it into production systems. Mitigation strategy: Follow a “non-first adopter” policy and allow the software to prove itself for six months to a year before using the product. For organizations that develop software, we encourage you to keep a specific focus on security from the start of the development process.

4-Outdated operating systems:
Older versions of software do eventually become unsupported by the vendor. Vulnerabilities may go unpatched, and they’re often the first spot hackers will focus on when trying to obtain access to your systems. One such vulnerability is the continued use of Windows XP. It went into unsupported status in April 2014, yet an unsettling number of businesses still rely on XP as their main workstation operating system. Similarly, Windows Server 2003 is scheduled to go into unsupported status starting July 2015; it is also heavily used in the business segment. Mitigation strategy: Track and plan for these major system changes to prevent systems from running unsupported software.

5-Lack of encryption:
The first line of defense for preventing unauthorized access to your data is to protect it while at rest and while in transit. Removable media (USB thumb drives, CDs, etc.) should not allow data to be placed on them without requiring the user to create an encrypted folder on the device or encrypt the entire device. Mitigation strategy: Use third-party software tools to aid with encryption. These tools can scan outbound emails for sensitive data and require the sender to use a secure file upload site or to encrypt the data before transmission. Laptop hard drives should have full-disk encryption that only unlocks the data after a user successfully logs into the device.
6-Data on user-owned mobile devices:
The battle between company-owned devices and user-owned devices will continue in 2015. Employees increasingly want to use their own mobile devices such as tablets and smart phones to gain access to your systems through the Internet. Mitigation strategy: Third-party applications allow for each user to have a “sandbox” of data (a secured segment of your organization’s information accessible to your mobile device), including email and files stored in a secure directory on your organization’s system. Employees should only be allowed to achieve access through usernames, passwords, and possibly two-factor authentication. If the mobile device is lost or stolen, your organizational data would remain sitting on your network and not the device, reducing the risk of lost or breached data.
 
7-IT “diplomatic immunity” within your organization:
We often see members of IT management and system administrators who feel exempt from the system access requirements detailed within their organization’s policies (non-expiring passwords, for example). These IT employees may reason that they’re vetted. But these employees’ accounts may also have high levels of access and permissions, which makes them high-value targets for hackers. Mitigation strategy: Complete user reviews of accounts and settings at least twice per year. To run this review, use a member of the security or audit team, or another qualified person outside of IT, to help verify that all personnel comply with IT policies.
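To make the twice-yearly account review concrete, here is an added example (not from the article) in Python that applies the same password and activity rules to every account in a constructed directory export and labels the hits that sit in administrative groups, so the reviewer outside IT sees the exempt-by-habit admin accounts first. The field names, the group list, and the 90-day thresholds are assumptions.

```python
from datetime import date, timedelta

# Constructed account export, shaped like a directory dump; none of these
# accounts are real.
ACCOUNTS = [
    {"user": "jsmith", "groups": ["staff"], "password_never_expires": False,
     "last_password_set": date(2015, 1, 10), "last_logon": date(2015, 2, 27), "enabled": True},
    {"user": "sysadmin1", "groups": ["Domain Admins"], "password_never_expires": True,
     "last_password_set": date(2013, 6, 1), "last_logon": date(2015, 2, 28), "enabled": True},
    {"user": "itmgr", "groups": ["IT", "Administrators"], "password_never_expires": False,
     "last_password_set": date(2014, 5, 1), "last_logon": date(2015, 2, 25), "enabled": True},
    {"user": "oldcontractor", "groups": ["Administrators"], "password_never_expires": False,
     "last_password_set": date(2014, 9, 1), "last_logon": date(2014, 9, 30), "enabled": True},
    {"user": "disabled1", "groups": ["Administrators"], "password_never_expires": True,
     "last_password_set": date(2012, 1, 1), "last_logon": date(2012, 6, 1), "enabled": False},
]

PRIVILEGED = {"Domain Admins", "Administrators", "Enterprise Admins"}  # assumed list

def review_accounts(accounts, today, max_password_age=timedelta(days=90),
                    stale_after=timedelta(days=90)):
    """Return {user: [findings]} for enabled accounts that break policy.
    Privileged accounts get the same checks as everyone else; when they fail,
    the first finding names the administrative groups so they can be
    escalated ahead of ordinary users."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue                      # disabled accounts are out of scope here
        issues = []
        if a["password_never_expires"]:
            issues.append("password set to never expire")
        if today - a["last_password_set"] > max_password_age:
            issues.append(f"password older than {max_password_age.days} days")
        if today - a["last_logon"] > stale_after:
            issues.append(f"no logon in {stale_after.days} days")
        admin_groups = PRIVILEGED & set(a["groups"])
        if issues and admin_groups:
            issues.insert(0, "PRIVILEGED: " + ", ".join(sorted(admin_groups)))
        if issues:
            findings[a["user"]] = issues
    return findings

def privileged_findings(findings):
    """Subset of findings that belong to privileged accounts."""
    return {u: f for u, f in findings.items() if f[0].startswith("PRIVILEGED")}
```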

8-Lack of management support:
The values that create a strong security environment should come from management and be considered a part of the organization’s culture. Investing in IT security early on will reduce the costs to both your organization’s finances and reputation if a breach were to occur. Mitigation strategy: Educate and encourage members of management who understand the need to protect systems and are able to communicate that need throughout the organization.
9-Challenges recruiting and retaining qualified IT staff:
Finding and keeping qualified security professionals is becoming difficult with the increased demand for dedicated IT security departments within companies and organizations. We have seen aggressive recruiting by competing companies within the same geographic area. Heavy turnover in IT security diminishes an IT team’s effectiveness, as new personnel must learn systems, organizational culture, and business processes to fully grasp the risks of the organization. Mitigation strategy: Focus on capabilities, training, and retention to reduce turnover and develop a strong IT security team.

10-Segregation of duties:
In accounting, the proper segregation of duties is a cornerstone concept. Our IT auditors see a strong need for the same concept to be embedded into IT departments. The umbrella IT security strategy and responsibility should not fall solely to a systems administrator or Chief Information Officer with many other duties and potentially conflicting interests. Mitigation strategy: Security should belong to a dedicated role, such as a Security Analyst or Chief Information Security Officer.
In some situations, IT security is independent of the IT department and reports directly to a board or Chief Executive Officer, much as an internal audit department would do, to allow for independent assessments, objective monitoring of systems, and the ability to report without prejudice. For more on how this organizational principle can help protect you, read the related article on our website.
The Author: Ala'a Elbeheri
About:
A versatile and highly accomplished senior certified IT risk management advisor and senior IT lead auditor with over 20 years of progressive experience in all domains of ICT.

• Program and portfolio management, complex project management, service delivery, and client relationship management.
• Capable of providing invaluable information while making key strategic decisions and spearheading customer-centric projects in IT/ICT in diverse sectors.
• Displays strong business and commercial acumen and delivers cost-effective solutions contributing to financial and operational business growth in international working environments.
• Fluent in oral and written English, German, and Arabic, with a professional knowledge of French.
• Energetic and dynamic; relishes challenges and demonstrates in-depth analytical and strategic ability to facilitate operational and procedural planning.
• Fully conversant with industry standards, with a consistent track record in delivering cost-effective strategic solutions.
• Strong people skills, with proven ability to build successful, cohesive teams and interact well with individuals across all levels of the business. Committed to promoting the ongoing development of IT skills throughout an organization.