You’ve bought and installed the latest software or device, guaranteed to speed up your business functions, transform tasks for your teams, or to update a clunky out-of-date programme you were limping along on. It’s a big investment and one you’re keen to start using right away.
Luckily, to make your life easier, the manufacturer has set everything up on the new software as default. No tricky passwords or endless configuration steps – everything is sorted to be as open and multi-functional as possible. Because no-one wants to be faffing around at the point of set-up. We just want to get playing!
However this is where alarm bells should be ringing. Accepting manufacturers’ default settings without reviewing or changing them can lead to a serious security fail – if you’re finding it quick and easy to access, the chances are it’ll be just as quick and easy for a cyber attacker. You might as well welcome them in with a cup of tea.
A disaster waiting to happen…
It’s not just leaving settings as default that can pose a threat. ‘Security misconfiguration’ covers a multitude of other sins too, from failing to apply updates or patches regularly, to forgetting to remove unnecessary functions or accounts, or poor password management. Security misconfiguration is reportedly one of the most common gaps that criminal hackers look to exploit - a 2018 report by Rapid7 claimed their penetration tests encountered a network or service misconfiguration in 84% of systems tested.
There are various ways malware can cat-burgle its way into your systems. The obvious route is via email, contained in a malicious file attachment, or accessed via an embedded link. Malware emails might be targeted at individuals such as finance personnel, or might circulate around your whole company: they can certainly be sophisticated and convincing in their nature.
All of which underlines that, amongst all the aspects we’ve looked at across our cyber security blog recently, establishing and actively maintaining the secure configuration of your systems should be regarded as one of the most vital.
When you’re setting up any new IT system or device - computers, other network devices, web servers or application servers – they should all be securely configured to your own baseline to stop attackers gaining easy unauthorised access to your data and systems. They should also be updated regularly, with all recommended patches applied immediately: according to BulletProof’s 2019 annual cyber report, 22% of the high and critical-risk issues reported consisted of missing patches, out-of-date or no longer supported software .
Steps to confident configuration
‘Secure configuration’ isn’t the overwhelmingly technical operation it might sound. Broken down into common sense steps and policies, it’s do-able for any size of business, and is a complete non-brainer when it comes to protecting your operations and data:
Following these practical steps should give you concrete confidence in your configuration; engineered to your specific business needs with some savvy security precautions, your system should avoid being the shoe-in a hacker might seize upon with glee.