ZDNet reports that the majority of data breaches involve vulnerabilities that companies should have fixed long ago. Here's a roundup of the exploits we saw in 2014:
- 70 percent of the top exploits had been known for at least a year.
- 44 percent of breaches came from vulnerabilities that were between two and four years old.
- 33 percent of infections in 2014 exploited vulnerabilities from as far back as 2010.
As you would guess, hackers excel at finding these legacy software flaws and exploiting them. When companies don't patch and update software, they're basically holding onto code that criminals already know how to exploit. It's easy pickings for cyber crooks.
Legacy Software Risk and the Workplace
The Verizon Data Breach Investigations Report found that almost 80 percent of data breaches were crimes of opportunity. What does that mean? Having a security flaw in software is like leaving a window open in your house. It doesn't mean that someone is going to break in, but it means they could.
With relatively simple tools, hackers scan websites and networks to see if any "windows" have been left open. If hackers find the opportunity to strike, they do. Unpatched software and the use of legacy IT are two of the reasons most data breaches are crimes of opportunity.
Some of your clients may use clunky programs and platforms, such as Internet Explorer, Flash, and Java. Given the many vulnerabilities that are found in these applications, ignoring patches and updates to software can leave clients exposed. These platforms aren't strong enough for business-level cyber security. As the IT guru, you need to educate your clients about their cyber risk exposure.
How to Manage Your Clients' Cyber Risk Exposure
There's a bit of a divide in data security – some IT consultants think sys admins need to focus on preventing breaches, while others think that more attention should be paid to minimizing damage.
It's a bit of a false dichotomy. You can do both...
- In order to prevent breaches, you can make sure client software is updated and robust anti-intrusion software is in place.
- To minimize damage, you can focus on better encryption standards and minimizing the number of accounts that can access protected data.
There's also a third component: providing secure alternatives to risky behavior. Given how common BYOD and shadow IT have become, IT consultants should remember that part of their responsibility is to find a way to replace these riskier behaviors with the safer, approved IT. For instance, you can provide your clients alternatives like VPNs and private clouds to allow employees to securely access work data while working remotely or on private machines.
Going forward, make sure to do the following:
- Educate your clients about the risks of running old, unpatched software.
- Be wary of BYOD workplaces.
- Provide safe alternatives to IT workarounds that might be running on non-secure platforms.
To learn more about secure IT alternatives to spotty software, see "For Technology, Safe Is the New Sexy."