In the previous post, we discussed the fact that many organizations are creating security risks by handing out local admin rights to too many users. The goal is to keep users happy by providing them with more control of their devices and reduce reliance on IT, but the convenience factor shouldn’t outweigh the security risk.

In a previous post, we discussed why access control isn't just about restricting network access to users with legitimate credentials. Access control should also restrict access to sensitive systems and data to specific users. When employees have free rein across the network, it’s like opening up a buffet for hackers who steal credentials.

Most organizations have some kind of mechanism in place to determine who is allowed to access their IT systems and to authenticate that access. But many organizations give little thought to the type of data that users are allowed to see. Although access to some sensitive data, such as financial or private customer data, tends to be restricted, the average user with legitimate credentials will be able to view, modify, copy or delete a large proportion of data across the IT environment.

Products featuring the latest version of the Wi-Fi security suite will soon be hitting the market. Devices that support the new Wi-Fi Protected Access 3 (WPA3) protocols will feature significant security upgrades, including stronger password protection, more robust authentication, and increased cryptographic strength for both public and private Wi-Fi networks.

The traditional username-and-password for authentication is a prime example of how organizations are making a hacker’s job much easier than it should be. It’s not just about people using weak passwords or the same passwords for multiple accounts, and it’s not just about companies failing to enforce password best practices.

People tend to think of identity theft as a consumer problem, but it’s a business problem, too. Businesses are more attractive targets, not only because they have more money and higher credit limits, but because vital information that’s required to be public can easily be stolen and exploited.

The city of Atlanta is still feeling the effects of a March ransomware attack that disrupted city government operations for days. News reports indicate that the city has already spent more than $2 million cleaning up from the “SamSam” virus attack, and city officials have estimated that they may need another $10 million over the next year.

It’s not uncommon for organizations to provide business partners and vendors with access to IT systems and data. In some cases, a partner could be storing the other organization’s sensitive data. The assumption is that the third party will act responsibly, but that’s far from guaranteed.

There was a time when a “Great Wall of China” approach to IT security was sufficient. Just focus your resources at the network perimeter to keep invaders out. As long as nobody leaves the kingdom, you’re good to go. Unfortunately, IT resources have jumped the wall, so to speak, thanks to the cloud and mobile.

No organization on the face of the earth is immune to a data breach. Some organizations are more prepared than others to detect and prevent attacks. Some are more prepared to respond to attacks and minimize the damage. But make no mistake, every organization is at risk.