
Top 5 Cybersecurity Mistakes Companies Make (And How To Reduce Their Risks)

While many sources discuss the problem of human error in cybersecurity, mistakes often stem from company-wide errors that leave networks, systems, apps and data vulnerable to compromise. Here’s a run-through of five main cybersecurity mistakes many companies make, and what you can do to reduce their risks.  

Five Top Cybersecurity Mistakes 

  1. Neglecting effective employee training

A lack of adequate security training is a cybersecurity mistake that can manifest in many different ways. In large organizations with hundreds of employees, cybersecurity training is often treated as a dull and quickly forgotten box-ticking exercise as part of internal IT policies or external compliance mandates. At smaller businesses, there might be no training at all—one recent survey found just 34% of SMB employees reported receiving security awareness training.  

Whatever way it manifests, neglecting effective employee training puts businesses at much greater risk of breaches and compromises due to basic human error. In this case, the company’s mistake directly translates into individual mistakes; people aren’t naturally cyber-aware.  

To improve the effectiveness of cybersecurity training programs:

  • Opt for frequent, short training sessions rather than longer one-off sessions to improve retention and keep cybersecurity top of mind for employees. 
  • Use interactive modules, simulations and gamified learning experiences to increase engagement and help your employees practice real-life scenarios. 
  • Use assessments and feedback to measure the effectiveness of training programs and adapt them based on the results. 

  2. Poor supply chain visibility

Supply chain attacks often impact many companies at once and cause general havoc. Threat actors understand the power of compromising a less secure element or company within the supply chain to gain access to their primary target’s systems and data. 

Many companies fail to recognize that their security posture doesn’t just depend on their own defenses but also on the security practices of suppliers, vendors and partners. Reducing the risks of your business falling victim to supply chain compromises starts with thorough visibility into third-party access and dependencies. A recent survey found that 45% of respondents either have no visibility into upstream supply chains or can only see as far as first-tier suppliers.  

To reduce these risks and boost supply chain visibility: 

  • Use the help of tools that automatically map the entire supply chain, especially for software that might depend on third-party libraries, frameworks, and other potentially vulnerable code snippets.  
  • Create agreements and platforms for secure data sharing between all supply chain participants so that information about supply chain operations is transparent and accessible for your business. 
  • Run periodic security audits and assessments of your suppliers, including deep-tier suppliers, to ensure compliance with cybersecurity standards and practices.

  3. Underestimating API vulnerabilities

In an app/services-driven world, companies and their applications use APIs to access and exchange information with other apps/services to gain extra functionality. While APIs are both powerful and useful, companies often underestimate the security vulnerabilities associated with them. Poorly secured APIs are a common cybersecurity mistake that can provide attackers with a gateway to sensitive data and systems. One recent report found that 60% of companies have fallen victim to an API-related security incident in the last two years.

To get a better grip on API security and reduce risks: 

  • Closely study the OWASP Top 10 API Security Risks and ensure your dev team addresses them.  
  • Use API gateways to manage, monitor, and secure traffic between clients and back-end services for an extra layer of security. 
  • Continuously monitor API use and maintain logs for all API calls to detect and respond to suspicious activities. 
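The last two bullets are concrete enough to show in code. The example below is added here and is not from the original post: it runs two simple detections over constructed API access logs (the log format, key names and paths are hypothetical), flagging a client that piles up 401/403 responses and a client that walks through many distinct object IDs under one resource, the broken object level authorization pattern that heads the OWASP API Top 10.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): "<timestamp> <api_key_id> <method> <path> <status>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z key-a GET /v1/users/1001 200
2024-05-01T10:00:02Z key-a GET /v1/users/1002 200
2024-05-01T10:00:03Z key-a GET /v1/users/1003 200
2024-05-01T10:00:04Z key-a GET /v1/users/1004 200
2024-05-01T10:00:05Z key-a GET /v1/users/1005 200
2024-05-01T10:00:06Z key-b GET /v1/users/1001 200
2024-05-01T10:00:07Z key-b POST /v1/orders 201
2024-05-01T10:00:08Z key-c GET /v1/orders/77 401
2024-05-01T10:00:09Z key-c GET /v1/orders/77 401
2024-05-01T10:00:10Z key-c GET /v1/orders/78 403
2024-05-01T10:00:11Z key-c GET /v1/orders/79 403
2024-05-01T10:00:12Z key-c GET /v1/orders/80 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")  # a purely numeric path segment, i.e. an object id

def parse_log(text):
    """Parse log lines into (client, method, path, status) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, client, method, path, status = m.groups()
            events.append((client, method, path, int(status)))
    return events

def auth_failure_bursts(events, threshold=5):
    """Clients with >= threshold 401/403 responses: a key probing resources it is not allowed to use."""
    counts = defaultdict(int)
    for client, _, _, status in events:
        if status in (401, 403):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}

def object_enumeration(events, threshold=5):
    """Clients reading >= threshold distinct object ids under one resource template (a BOLA signal)."""
    seen = defaultdict(set)
    for client, method, path, status in events:
        if method == "GET" and status == 200:
            template = ID_SEGMENT.sub("/{id}", path)  # /v1/users/1001 -> /v1/users/{id}
            if template != path:  # only paths that actually carried an object id
                seen[(client, template)].add(path)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}
```

Thresholds are deliberately low for the sample; in production they would be tuned per client and measured over a time window rather than over the whole log.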

  4. Weak remote access security

The shift toward remote work expands the attack surface for most companies, yet there are often shortfalls in addressing the security implications of this change. As organizations rely more on platforms like Slack or Asana for communication and project management, they become attractive targets for threat actors seeking to exploit risky default settings, like allowing messages from external parties. There are also often issues stemming from insecure remote connectivity, such as inadequate VPN configurations, use of unsecured Wi-Fi networks and a lack of endpoint protection.

To improve remote access security:  

  • Mandate multi-factor authentication for initial logins to remote desktop protocol, VPN or other remote connectivity software.  
  • Audit configurations for team collaboration software and switch any defaults to more secure options (e.g., in Teams, you can disable communication from external tenants).  

  5. Inadequate backup and recovery processes

Inadequate backup and recovery processes leave you vulnerable to several additional risks in the event of cyberattacks. For example, without adequate backups, you might feel compelled to pay ransoms in ransomware attacks to regain access to important data/systems. Another risk is that the inability to quickly recover from a cyberattack can lead to severe reputational damage, as important services are unavailable to customers. 

Here, “inadequate” can mean anything from not having a backup and recovery strategy at all to not maintaining off-site or cloud-based backups that are isolated from your networked environment. A lack of testing is also a big problem because when it comes down to the crunch moment, backups can fail (research from 2021 found 58% of data backups fail).  

To improve backup and recovery processes: 

  • Develop a comprehensive disaster recovery plan that includes detailed procedures for restoring operations after a cyberattack. 
  • Consider cloud-based solutions for redundancy and flexibility in recovering data or services. 
  • Follow the 3-2-1 backup rule for data (3 copies of data, stored on at least 2 different types of storage media, with 1 kept off-site).  
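The 3-2-1 rule and the restore-testing gap above can be checked mechanically against a backup inventory. The following is an added example, not code from the original post: it scores a constructed inventory (copy names, media types and dates are hypothetical) against 3-2-1, also requires one copy isolated from the networked environment, and flags copies whose restore test is missing, stale or failed.

```python
from datetime import date

# Constructed inventory of backup copies for one data set (hypothetical, not a real environment).
BACKUP_COPIES = [
    {"name": "production", "media": "san", "offsite": False, "isolated": False,
     "last_restore_test": date(2024, 4, 20), "restore_ok": True},
    {"name": "nas-snapshot", "media": "nas", "offsite": False, "isolated": False,
     "last_restore_test": date(2024, 1, 5), "restore_ok": True},
    {"name": "cloud-vault", "media": "object-storage", "offsite": True, "isolated": True,
     "last_restore_test": None, "restore_ok": None},
]
AS_OF = date(2024, 5, 1)  # constructed "today" so the example is reproducible

def check_3_2_1(copies, today, max_test_age_days=90):
    """Return a list of findings; an empty list means 3-2-1 and restore testing are satisfied."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(media)}); need at least 2")
    if not any(c["offsite"] for c in copies):
        findings.append("no off-site copy")
    if not any(c["isolated"] for c in copies):
        findings.append("no copy isolated from the networked environment")
    for c in copies:  # a backup that was never restored is an untested assumption
        tested = c["last_restore_test"]
        if tested is None:
            findings.append(f"{c['name']}: never restore-tested")
        elif (today - tested).days > max_test_age_days:
            findings.append(f"{c['name']}: last restore test {(today - tested).days} days ago")
        elif not c["restore_ok"]:
            findings.append(f"{c['name']}: last restore test failed")
    return findings

def audit_sample():
    """Run the check against the constructed inventory as of AS_OF."""
    return check_3_2_1(BACKUP_COPIES, AS_OF)
```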

Getting Outside Help 

Partnering with an experienced MSSP is another powerful way to reduce many cybersecurity mistakes. MSSPs bring to the table expert knowledge and continuous monitoring capabilities that many businesses lack internally. They can proactively manage and patch vulnerabilities, implement up-to-date security measures, and conduct incident readiness programs.  

Nuspire’s services include advanced threat detection and response, incident readiness, security posture assessments and much more.

Contact us to learn more.  
