UPDATED 11:50 EDT / JULY 07 2015


The perfect storm for a data breach

When a severe storm hits, the destruction is palpable: homes flattened, trees on cars blocking yards and streets, and families displaced, oftentimes losing all of their belongings. It’s a horrific scene most of us have seen, either firsthand or on the news. Thanks to forecasts, we typically know how storms should affect us, and to some degree we can prepare.

Data breaches are also destructive, potentially fatal to some businesses. However, many businesses can’t see them coming; they don’t have decades of cybercrime research and expertise to turn to, and the criminals are constantly shifting their tactics.

There are some standard ingredients that create the perfect storm for a breach. By knowing them, businesses can protect themselves from becoming a victim. Here are some of the most common ones.

1. Blind to risk

Too often we see businesses turn a blind eye to security. They don’t know where their most valuable data lives and they don’t have a process to track it. According to our 2014 State of Risk Report, 63 percent of businesses do not have a fully mature method to control and track sensitive data. If businesses don’t know where their valuable data is, how can they take steps to protect it?

Many businesses don’t understand what constitutes valuable vs. non-valuable data. For example, payment card information is labeled by most organizations as valuable, but that doesn’t mean non-payment card data is not valuable. Criminals also seek to steal non-financial information such as login credentials, Social Security numbers, health care information and ordinary customer contact information.

2. Too much access

Whether knowingly or not, businesses that give any employee and/or third-party contractor access to their sensitive data are opening themselves to an attack. Criminals can also obtain access by guessing a weak password or through social engineering. Once they log in with legitimate credentials, they can spend months stealing data without being noticed.

Privilege inheritance is also a common problem. Users are often granted rights to a business’s database, for example, because they are a member of a certain group that has rights to access the information. Criminals may also inherit privileges and log in through a user account that already exists.

3. Unsecured applications

According to our 2014 Trustwave Global Security Report, 96 percent of the applications we scanned in 2013 harbored one or more serious security vulnerabilities. The problem is twofold – application developers are not incorporating security testing throughout the full life cycle of the development process and businesses are not testing their applications to identify and remedy security weaknesses.

When we evaluate businesses’ security, we almost always see holes in their Web applications. Businesses should offer secure code training for their developers, using weaknesses they uncover through security testing to show what constitutes weak code and how to make it stronger.

4. Only checking the box

Too many businesses just want to complete the compliance checklist. They want point-in-time protection versus making the investment in full-time protection. If businesses only look at security once a year, they are susceptible to a breach. As criminal tactics evolve and changes are made to a business’s environment, vulnerabilities become commonplace.

Security is a journey, not a destination. It is not achieved through a simple checklist.

5. Anti-virus is the only anti-malware protection

While anti-virus (AV) software is an important security control, it alone is no longer enough. Criminals are now creating polymorphic malware that can subtly evade AV detection. Behavioral detection is key. Businesses should analyze the malware’s behavior in real time in an isolated environment so that no user is infected. That way they can see how the malware behaves and can strip it out in the isolated environment before it does damage.

When combined, these five ingredients create the perfect storm for a breach. However, even if just one of them exists, that business is susceptible. Employees are the front line of defense against an attack. They should know what constitutes abnormal behavior and understand security best practices.

Businesses must also continuously monitor their networks for suspicious behavior and meticulously document their security policies and procedures. We often see situations in which only one employee understands the business’s security program; when he/she leaves the company, security is left hung out to dry. Businesses should build a tribal knowledge of their security and compliance programs. Otherwise, they may end up in the eye of the storm.
