The 6 Most Common Cyber Security Mistakes Employees Make
These common cyber security mistakes could get your company hacked.
With an estimated 90% of cyber attacks caused by human error or behavior, it’s important to understand the most common cyber security mistakes your employees are probably making and know how to mitigate them.
Becoming victims of phishing schemes
Stolen login credentials are the most common way hackers breach enterprise systems, and most of the time, these credentials are stolen through a phishing scheme. A highly targeted variant of phishing, called spear phishing or business email compromise, is used to convince employees to wire money or send sensitive data, such as W2 information, to cyber criminals.
Avoid having your employees make this cyber security mistake by educating them about the warning signs of a phishing scheme. Organizations must also establish policies against sending sensitive data through email, ensure that employees have access only to the systems and data they need to do their jobs, and add redundancy into payment approval processes, especially wire transfers.
Mistakes involving login credentials
This is a broad category of cyber security mistakes that includes:
- Using weak passwords
- Not using multi-factor authentication whenever possible
- Reusing passwords
- Sharing login credentials
- Writing credentials down and leaving them in public areas, such as sticky notes in the work area
- Leaving a terminal unattended without logging out first
Most of these security mistakes can be avoided through employee education on the dangers of not keeping login credentials secure. Organizations can also employ technical measures to force login sessions to automatically time out when a terminal is inactive, require the use of MFA, and automatically generate strong passwords.
Using shadow IT software and services
Over three-quarters of employees admit to using shadow IT software and services at the workplace. Most of the time, their intentions are not malicious. They are simply trying to do their jobs better, and they do not realize how dangerous shadow IT can be to security and compliance. Employee education is the best way to head off this security mistake. Technical tools can also be employed to ferret out shadow IT apps.
Inserting “mystery” devices into workplace computers
A common social engineering tactic is for hackers to leave USB thumb drives and other plugin devices in public areas where employees will find them. Sometimes, the devices will have labels meant to entice employees to want to covertly access them, such as “Q4 Performance Reviews” or indicating that the device contains pornographic content. Employees must be educated about the dangers of making this security mistake.
Making security mistakes when using public WiFi
Free public WiFi networks are ubiquitous, found everywhere from fast-food restaurants to aboard trains. Remote workers and employees who frequently travel for business often take advantage of public WiFi to work on the go. As with shadow IT apps, this is usually because of a security mistake, not maliciousness or negligence; employees don’t realize how dangerous public WiFi is. In addition to educating employees on best practices when accessing public WiFi networks, organizations should provide VPN access to all employees who work remotely.
Not protecting computers and other IoT devices
This security mistake involves physical protection as well as password protection. In a recent survey, over half of working adults admitted to allowing friends and family to access devices given to them by their employers. Employees who travel for work may also leave devices unattended in public areas or hotel rooms or allow strangers to “borrow” their smart phones.
Employees who travel need to be educated about best cyber practices when traveling. Organizations should ensure that these employees’ devices are protected with strong passwords, multi-factor authentication, or a biometric lock. If possible, have disposable phones and laptops on hand to loan to employees for travel purposes. If an employee must travel with a device that contains sensitive data, make sure the device is encrypted.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.