It seems that even with all the examples of breaches and compromises caused by the lack of company security across the last two decades, organizations continue to move forward with a “same as it ever was” mentality. Organizations aren’t learning from others’ mistakes.
I predict that in 2016, hackers will continue to compromise organizations’ systems in ways that could have been prevented with common sense security solutions or by stress-testing their own implementations.
Here are seven obvious, but often forgotten, security measures you should have in place:
- Don’t leave default configurations, settings, or other account credentials on your computer or other device.
- Update to the most current product versions and patches.
  Test updates first to ensure productivity and functionality are preserved, but staying on older versions is usually less secure.
- Separate different categories of data into different storage containers.
  For example, a customer’s billing data should be separate from their login credentials, which should also be separate from their profile settings, preferences and activity history.
- Encrypt stored user data and provide communication encryption.
- Log all activity and events, including system events, software activities and user activities.
- Separate OS files from data storage on distinct storage devices.
- Secure your website against injection attacks, including Structured Query Language (SQL) injection.
  To do this, check input against length requirements, pattern-match it against a known list of malicious signatures, and escape metacharacters. Metacharacters are characters to which a programming language or execution environment assigns a special meaning.
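An added example (not code from the original post) in Python with the standard-library sqlite3 module, illustrating the seventh measure: a user lookup built by string concatenation beside a hardened version that enforces a length limit and an allow-list pattern, then binds the value as a query parameter so the database driver, rather than the application, handles any metacharacters. The table, rows, and function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed in-memory database so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The user-controlled value is spliced into the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

MAX_USERNAME_LEN = 32
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_]+$")

def is_valid_username(username):
    # Length requirement plus a positive allow-list pattern: anything outside
    # letters, digits and underscore (quotes, semicolons, comment markers,
    # whitespace) is rejected before it can reach the database.
    if len(username) > MAX_USERNAME_LEN:
        return False
    return USERNAME_PATTERN.match(username) is not None

def lookup_hardened(conn, username):
    # Validate first; rejected input returns None (distinct from an empty
    # result). Accepted input is bound as a parameter, so the driver treats
    # it purely as data and it can never alter the query structure.
    if not is_valid_username(username):
        return None
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

def lookup_parameterized_only(conn, username):
    # Parameter binding alone is already sufficient to stop injection; the
    # allow-list in lookup_hardened adds defense in depth and cleaner logs.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
```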
These and other standard security concepts are well established, but not as widely adopted as they should be. As new organizations come online, expand their Internet presence, or roll out new products, they often make the same security mistakes as many others did before them.
As consumers, we’ve created a lax security culture. We have established the trend that we will purchase new products in spite of flaws and failures. Often the early adopters of a new product are more like beta testers than typical consumers, willing to live with and work around problems just for the sake of getting the new thing in their hands. But that doesn’t mean we have to continue to be willing beta testers.
We should only purchase products and use services that have a strong, proven track record when it comes to security. One way to encourage better products on the market, and deter hackers, is to push for more transparency. Organizations should publish their security standards, thus allowing us to review their practices and make informed decisions about who is doing the better job at protecting our information. This idea is already established in the digital certificate marketplace through a certificate authority’s publication of its certificate practices statement (CPS). A similar strategy of publishing security practices should be applied across most or all IT-related industries. If we, as consumers, demand transparency and stronger security features from our vendors and suppliers, perhaps 2016 will be the year that cybersecurity takes a huge leap forward.