Top 5 security vulnerabilities are always the same

The research and analyst firm techconsult issued a summary of the five major security vulnerabilities in SMEs and public organizations in Germany at the start of 2017. Their annual study Security-Bilanz Deutschland reviews IT and information security based on a representative survey of more than 500 interviews in companies and non-profit organizations. The results are sadly not that surprising each year. Although the organizations surveyed are aware of the problems and have the resources to deal with them, unfortunately they either approach issues through the wrong channels, inconsistently or too late.

It is no surprise that mobile devices take second place in the ranking, only succeeded by the poor implementation of complex security measures. Analysts particularly criticize that privately owned mobile devices are tolerated within organizations but they are often not seen as part of overall IT security strategy and few organizations manage mobile devices centrally. More than 70 percent of SMEs make this critical mistake, which is especially dangerous given the growth of mobile networks. If a VPN is used, at least the VPN connection from the mobile device can be managed centrally and some VPN clients allow other components such as the firewall to be controlled and monitored centrally through the client.

The two most severe security vulnerabilities are closely followed by a lack of proactive measures. In general, it is actually cheaper in terms of time and money to take preemptive action rather than dealing with the fallout after an attack. However, security audits, penetration testing and regular tests of emergency response plans are unpopular and often neglected by managers. Seemingly only damaging events attract sufficient attention. It may be easier to show more understanding for the fourth security vulnerability which concerns gaps in authentication. Although passwords are outdated, it is often costly and requires extensive time-consuming lobbying to implement an alternative throughout an entire organization. Nobody would take on the hassle of implementing a token and complex password system if they did not absolutely have to. Still it’s important here to keep the future in mind: Networks and data are increasingly becoming the most important asset of companies, even more so than manufacturing equipment or products. Accordingly, information security must be raised to a higher level. A VPN is often a good starting point for doing so. VPNs are normally equipped with two-factor authentication. Anyone familiar with tokens or SMS PINs has a good basis for expanding the procedure across the entire network.

Ultimately, it depends on people whether security in the company will be successful or not. If employees do not adopt security procedures correctly, there will always be vulnerabilities that can be exploited. If this happens accidentally, it is unfortunate. Security incidents caused by negligence or ignorance should be ruled out by guidelines, training and meaningful security measures which do not hinder productivity. Regular exercises, training and awareness campaigns put employees in a better position to detect attacks and react appropriately in the event of an attack. Even simple instructions on how to deal with e-mail attachments from unknown senders can already massively reduce risks to an organization’s network.