The 2018 Netwrix IT Risks Report explores how organizations are working to ensure compliance and beat cyber threats. Unfortunately, the results indicate that organizations aren’t doing enough to defeat the bad guys. Here are the 10 most neglected security best practices:
1. Classify data based on its sensitivity.
Security experts recommend that organizations classify data at least twice per year so they can reset access rights and ensure that only the right people have access to data.
Reality check: 64% of organizations admit that they classify data based on its level of sensitivity just once per year or even less frequently.
Pro tip: Many organizations rely on users to classify data, which rarely works well. Look for data discovery and classification products that automate the classification process.
2. Update data access rights.
To prevent unauthorized access to data, security experts recommend strictly enforcing the least-privilege principle, as well as reviewing access rights every six months and after important events like an employee termination.
Reality check: 51% of organizations do not update data access rights even once a year.
Pro tip: Look for governance solutions that can assess and control access rights, both as part of an ongoing process as well as ad hoc. Also look for reporting and alerting tools that can ensure it’s all being done correctly and securely.
3. Review data available to everyone.
To reduce risk to sensitive data, security experts say that at least every three months, organizations should check that folders and shares available to everyone don’t contain sensitive data.
Reality check: 76% of organizations are not doing this frequently enough, and some never do it at all.
Pro tip: Look for solutions that can automate a continuous program to discover, classify and secure content regardless of where it resides, so you can reduce your attack surface.
4. Get rid of stale data.
When you no longer need data for daily operations, it should be archived or deleted. To mitigate security risks, experts recommend doing this every 90 days.
Reality check: Only 18% of organizations delete unnecessary data once a quarter, meaning that 82% of organizations are needlessly increasing their threat exposure.
Pro tip: Deploy an automated solution that can find stale data and collaborate with the data owners to determine which data can be archived or permanently deleted.
5. Conduct asset inventory regularly.
Security experts encourage you to identify all your assets (e.g. databases, software and computer equipment) and determine who is responsible for them at least once a quarter.
Reality check: Just 29% of organizations stick to the recommended schedule.
Pro tip: Choose an asset tracking solution that streamlines data collection and analysis to locate every asset within your company. Make sure it is easy to use and fits your needs.
6. Update and patch software promptly.
Installing security updates to your software in a timely manner enables you to mitigate vulnerabilities. The recommended frequency depends on patch and system importance and other factors; it varies from weekly for critical security patches to quarterly for less urgent patches, such as maintenance patches.
Reality check: 33% of organizations do not update their software even once in 90 days.
Pro tip: Establish a dedicated testing environment or at least a segment for patch testing to avoid incompatibility or performance issues.
7. Perform vulnerability assessments.
Regular vulnerability assessments help you locate security gaps and reduce your exposure to attacks. Security experts recommend running these assessments at least once a month.
Reality check: 82% of organizations do this only twice a year or don’t do it at all.
Pro tip: Find products that can continuously evaluate threats to your data and make sure you know which threat actors do most harm to your business. Even better, find tools that provide alerts to reduce the number of false alarms.
8. Create and maintain an incident response plan.
There are several parts to a resilient security response plan: Draft a plan, get it approved, regularly train employees and do test runs.
Reality check: 83% of organizations admit to failing to execute all these stages.
Pro tip: Conduct random tests to see how admins and regular users react to security threats and evaluate how your plan is working in real life.
9. Update admin passwords regularly.
If an administrator’s credentials are compromised by attackers, whether the credential is shared or not, the entire IT infrastructure is at risk. Security experts recommend changing admin passwords at least every quarter.
Reality check: Only 38% of organizations change their admin passwords at least once every 90 days.
Pro tip: Don’t use shared admin passwords, even if you update them every week. Each privileged user should have their own admin credentials and the passwords should be changed regularly.
10. Update user passwords regularly.
While the goal of threat actors is to get administrative credentials, the gateway to that information is oftentimes accessing a user’s credentials. A security best practice is to require users to change their passwords at least every 90 days.
Reality check: 42% organizations mandate a password change less frequently than once a quarter.
Pro tip: Require users to choose strong passwords (with a minimum number of characters and symbols) and change them once every 90 days. Also consider deploying multifactor authentication and single sign-on.
Following these security best practices can help you reduce your attack surface and minimize the risk of security and compliance issues. Rigorously implementing security basics such as finding, classifying and securing your data is essential to preventing attackers from stealing your sensitive data and ruining your company’s reputation.
Ilia Sotnikov is Security Strategist & Vice President of User Experience at Netwrix. He has over 20 years of experience in cybersecurity as well as IT management experience during his time at Netwrix, Quest Software, and Dell. In addition, Ilia is a regular contributor at Forbes Tech Council where he shares his knowledge and insights regarding cyber threats and security best practices with the broader IT and business community.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.