Groundhog Day: IT security habits to repeat and retire
02 February 2017
Most of us are familiar with Groundhog Day, or at least with the phrase, made popular by the cult film starring Bill Murray.
In the film, Murray's character is stuck reliving 2 February over and over again, and the term is now usually used in a negative sense: it implies monotony and bad daily habits.
However, when it comes to cybersecurity, the Groundhog Day-like repetition can, in some cases, be a necessity.
Below, six security experts describe the Groundhog Day-style habits that businesses should repeat every day, and the bad habits they need to break, in order to keep their company safe.
Wieland Alge, VP & GM EMEA at Barracuda Networks, on habitually patching your software
Keeping your systems up-to-date is integral to effective cybersecurity. Every part of the IT infrastructure should be habitually inspected for vulnerabilities and brought up-to-date using the latest patches from vendors.
Last year, Edgescan discovered that 63 per cent of all security vulnerabilities could have been eradicated by simply applying security updates.
Vendors regularly release security patches that can help reduce exposure to attacks like phishing emails and ransomware, so keeping everything from operating systems to applications such as browsers, plugins and desktop apps up-to-date is a straightforward and cost-effective (free!) way to boost security.
Yes, we all find installing updates annoying, but software patching really is one of the best habits to significantly enhance security.
Thomas Fischer, threat researcher and security advocate at Digital Guardian, on ditching bad password practices
Using the same password on repeat on a number of devices is a dangerous habit for users to have.
We hear about data breaches in the news all the time (talk about Groundhog Day!) and if a hacker gains access to compromised login details, they can attempt to hijack email accounts, steal more data and target the victims’ friends, family and place of work in advanced social engineering attacks.
We all log into multiple different services every single day, but how many of those services do we actually have different passwords for?
Most people have just one or two passwords they use on repeat and they’re usually easy for hackers to crack. Companies can help to stamp out bad password habits by educating their staff about what makes a good password (think passphrase, not password).
Even if employees pledge to change just one or two of their passwords each day, they will be improving their personal security.
Businesses should also put policies in place to ensure that employees can’t use the same password for their personal and professional accounts.
They must also ensure that these policies are easy to understand and easy to remember.
Matt Bryars, co-founder and CEO of Aeriandi, on keeping your customers’ payment card data safe
Advances in security technology are making many payment channels safer than ever for consumers. However, they are also forcing professional fraudsters to concentrate on an ever-diminishing number of more vulnerable targets.
One of these is the traditional contact centre, where the huge volume of Card Not Present (CNP) transactions being processed is making it an increasingly attractive target for criminal gangs.
If you handle, store, process or transmit cardholder information, your business must protect that data in line with the Payment Card Industry Data Security Standard (PCI DSS).
Businesses that are the subject of a security breach and found to be non-compliant could face a hefty fine. Ultimately, protecting your customers’ payment card data is an ongoing cybersecurity discipline that involves continuous assessment of your operations and addressing any vulnerabilities. It’s definitely not a one-time fix!
Eduard Meelhuysen, head of EMEA at Bitglass, on protecting data in cloud apps
Cloud apps are becoming increasingly prevalent in the workplace, and with good cause. They are a cost-effective means for smaller organisations to benefit from enterprise level functionality.
While these business cloud apps are certainly here to stay, it’s important that business owners understand exactly what information is being put in them and make sure that all sensitive data is secure, regardless of the app.
This is especially timely given that companies need to prepare for the pending data protection regulation, the GDPR, which has a number of cloud-relevant considerations.
For example, companies need to know the location where cloud app data is being stored, they’ll need to ensure that all apps being used meet GDPR’s security standards and that customer data is not shared with any third parties, amongst other requirements.
When it comes to cloud apps, employees typically set up and use the services on their own with little regard for whether or not they are approved by the business.
The sheer volume of apps available today means that trying to constantly discover and control them is a waste of time and effort.
Businesses need to put in place measures to protect sensitive or business-critical data at all times, wherever it may reside.
Ryan O’Leary, VP Threat Research Centre at WhiteHat, on breaking bad web security habits
The scary thing about web application security is that we feel like we’re living out Bill Murray’s Groundhog Day fate of seeing the same thing over and over again without any end in sight.
Serious software vulnerabilities such as cross-site scripting and SQL injection flaws, which have been known about for over 15 years, continue to be present on website after website.
Around half of all websites we assess contain at least one cross-site scripting vulnerability, which can be used to alter how an unsuspecting victim interacts with the website.
This statistic is particularly staggering considering that it is relatively easy to fix this flaw.
But, as developers are being pushed to build more and more applications as quickly as they can, coding securely is not always a high priority. Until we can make security an integral part of the development of these websites, we’ll never break out of our own Groundhog Day.
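To illustrate how small the fix for the two flaws named above usually is, here is an added example (not code from the article or from WhiteHat): a constructed in-memory SQLite table, a name lookup written first with string concatenation and then with a bound parameter, and a comment renderer first without and then with HTML escaping.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Concatenating the caller's input into the SQL text lets that input
    # change the structure of the query, not just the value being compared.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn, name):
    # The driver binds the value separately from the SQL text, so whatever
    # the input contains it is only ever treated as a string to compare.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_vulnerable(comment):
    # Untrusted text dropped straight into markup is interpreted as HTML.
    return "<p>" + comment + "</p>"


def render_escaped(comment):
    # Escaping the five HTML-significant characters keeps the text inert.
    return "<p>" + html.escape(comment, quote=True) + "</p>"
```

The escaped renderer is the right choice only for text placed in HTML element content; attribute, URL and JavaScript contexts each need their own encoding.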
Shane Buckley, CEO at Xirrus, on regular employee training
According to research carried out by Xirrus, 91 per cent of WiFi users do not believe public WiFi is secure, yet 89 per cent of WiFi users choose to use it anyway. WiFi users are aware of most cyber threats.
But ransomware is the least known, despite its prevalence, evolution and danger – nearly 30 per cent of respondents are unfamiliar with ransomware. Most businesses do not equip their employees with the information and tools to stay vigilant and safe.
Because of this, WiFi users carry the burden of corporate mismanagement. Thirty-nine per cent said their employers have offered one or two training sessions in the past year.
With the cybersecurity threat landscape becoming increasingly complex, employees with unsafe cybersecurity habits put both themselves and their employer at risk.
Working with Human Resources, it is up to the organisations’ CIOs, CISOs and IT leaders to put into practice regular cyber security training sessions for employees, so they are not only aware of the risks out there, but also know how to avoid them.