Nine IT shortcuts that could cost you millions 

Finding savings and efficiencies is part of an IT leader’s role. But sacrificing security for the sake of convenience is almost always asking for trouble later down the line. There are IT security shortcuts that might be well-intentioned and seem sensible at the time, that could have serious and unintended negative consequences. We’ll run through nine common IT security shortcuts that can end up costing organizations millions.  

1. Exposing remote management admin interfaces to the internet  

In a remote or hybrid organization, it’s likely an IT team will need to carry out remote management at some point. The benefit of exposing this administrative interface to the internet is that it can be done from anywhere. However, if there’s any issue with the device in question such as a vulnerability or credentials mistake, there are now more than a billion others who can administrate it.  

The most common place to get breached is in a system you didn’t even know you owned. You should know exactly what you’re exposing to the internet – including services, not just devices. Anything that doesn’t have to be internet-facing, probably shouldn’t be. For the assets you do have, ensure that you have as much automated maintenance as possible to free up resources. If any major incidents do happen (like with the MoveIt hack) find out quickly whether you’re affected and act.  

Tip: Don’t expose remote administration over the internet. Ensure a VPN is needed to get to it and keep your VPN servers hardened and patched. 

2. Reusing passwords (even strong ones)  

Say your password policy enforces end users to create random 20-character passphrases for their Active Directory passwords. They contain numbers, special characters, and even a deliberately misspelled word – they’re also checked against a database of known breached passwords. This policy would ensure your end users have strong Active Directory passwords, but would also count for nothing if they’re reusing passwords across multiple devices, applications, and websites for convenience. 

A vulnerability in just one of those applications or websites could expose all its users’ credentials without them knowing. If hackers steal a database of passwords, they can work to tie a set of user credentials to an individual and discover where they work. This could offer an easy route into your organization. And every time a password is reused, the chances of this happening are multiplied.  

Tip: Despite training, there’s no foolproof way to stop end users reusing passwords. Having a solution that continuously checks your Active Directory for known compromised passwords can reduce the risks of password reuse.  

3. Unnecessarily working from your admin account

If you’re an IT administrator in your organization, it might be more convenient to work from your IT admin account. You won’t need to context-switch and can watch just one inbox. However, if your system is compromised by a drive-by-download or something similar, you’ve lost the entire organization to ransomware instead of potentially your laptop. If you use a domain admin account when enrolling laptops, access tokens may also be cached locally and this means that even if the victim isn’t you, your actions have put the organization at risk. 

It’s less convenient, but this is why it makes sense to have a user account with lower privileges where you do your day-to-day work, and an admin account you use only when you need to perform privileged operations.  

Tip: Multiple accounts may cost money and be a slight hassle, but it’s cheap compared to the risks of an admin account becoming compromised.  

4. Losing track of network changes 

Many modern organizations choose to work in an agile way. If they also have a large network estate and many connected services, there’s a requirement for everyone to follow process and quality controls. People are trusted to take on this responsibility themselves so as not to dent speed and productivity, but this does pose challenges from a security perspective.  

There will always be websites or services popping up, API-changes, configuration updates, and other sources of constant change. If security can’t keep an eye on these changes, they won’t know the state of new and existing services or sites, and therefore might struggle to defend them. 

Tip: Continuous security solutions such as EASM allow you to keep track of your organization’s entire exposure and run continuous automated scans to monitor all networks and applications. 

5. Failing to isolate backup servers 

If you’re running a large network, it might be simpler for your IT administrators who run the network to also administrate the backup solutions on your data centers from the same accounts or infrastructure. However, this could risk both becoming compromised at once. Ransomware groups will often start by trying to identify your backup solutions, and if they can compromise an account with access to both servers and backup solutions, they can entirely prevent all possibilities of a restore.  

Organizations should do all you can to achieve separation and ensure an attacker can’t transition from the normal environments into the backup systems. 

Tip: Separate your accounts and environments to ensure the backup servers are neither related to the same administrative accounts, or infrastructure, as the main networks.  

6. Cutting costs on security assessments  

Some organizations choose to run table-top exercises to predict the effectiveness of their security controls. This can be a cost-effective way to get a perspective on your overall security posture, as you can rely on your own engineers who know your organization best. Although this does mean you’re basing a lot on assumptions. If your engineering team designed your security, they did so from their own perspective. Having them assess their own security is risky, as they know how it is intended to work and will test it accordingly. 

Tip: To truly challenge your security, enlist an independent red team to measure your organization’s resilience with new ideas and perspectives, otherwise you’ll never learn your true ability to detect and respond to threats.  

7. Falling behind on patching   

Patching is sometimes seen as a project; something to be done at a certain date to bring security up to scratch. This might be simpler, but it’s not the best way. Patching should be a constant and recurring responsibility – it’s too important to be viewed as anything else. Running patching as a project at a set date will lead to periods where your systems are more vulnerable.  

Security is predominantly preventive work, so it’s important to keep in control of patching and measure your progress. Such comparisons can easily be made using features such as group trending reports in a Risk Based Vulnerability Solution (RBVM) solution, giving detailed insights into the comparable risk level of your teams and environments. 

Tip: Establish KPIs for the operations teams in mean time to patch/resolve vulnerabilities and act on discrepancies in behavior between teams. Consider investing in an RBVM solution 

8. Assuming hackers won’t target you  

This is a shortcut some organizations might not even realize they’re taking. By assuming hackers are more likely to focus on only the biggest organizations or most high-profile industries, they might be tempted to take a more relaxed approach to security. If you assume that no one is actively targeting you, then you are most likely correct. But if your security has holes, you’re far more likely to be targeted on an opportunistic basis. 

It’s important for every organization to get to grips with what threat actors around them are doing, either by finding special interest groups, reviewing national CERT information, or (best of all) gaining access to a threat intelligence source. 

Tip: Threat Intelligence solutions can help you understand your level risk – and what those risks constitute. For example, what is being said about your organization on the dark web. 

9. Sacrificing security for end user experience 

There are people of different backgrounds and skillsets spread out geographically in modern organizations. Some will be more technical than others, so it’s a risk to sacrifice end user security for convenience. There will be end users in your organization who won’t take security as seriously as you – and they could be the opening that hackers are looking for. For example, it might be tempting to simplify remote access requirements, but you are then one failed identification of a user away from getting attackers on the inside of your organization. That could get expensive, fast. 
Tip: Find a solution that enables you to authenticate users remotely via multi factor authenticators, which can balance out end user experience with security. For example, a Secure Service Desk solution that’s easy for end users while also protects service desk against from social engineering.  

Reduce your risk today  

Interested in discussing any issues raised in this blog further? Speak to an expert and learn how Outpost24 solutions could fit in with your organization.  

About the Author

Marcus White Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.