You’re a security expert, but chances are your users are not. Employees are the number one risk in corporate security. They fall victim to phishing emails, download malware accidentally, and leave data exposed from stolen laptops and mobile devices. Since they are an organization’s biggest risk, you have to provide security awareness every year. Here are seven of the worst security errors created by your own personnel.
1- Poor Passwords or Password Management
You can require complex passwords on the network, but you can’t control the way an employee manages those passwords. You also can’t control poor passwords on personal devices that contain sensitive company data. No employees should keep their passwords on a Post-It on their monitors, but some do!
2- Phishing Emails
Corporate data is a target for entrepreneurial hackers who want to sell it to a competitor. The easiest way to get at it is through phishing emails designed to steal an employee's user name and password. With those credentials the hacker logs into the network as if they were an authorized user, which makes the intrusion difficult to detect. Hackers can pull out bundles of data before the company suspects any malicious activity on the network.
3- Not Locking a Computer Before Walking Away From It
Screensavers can be set to lock the desktop automatically after several minutes of inactivity, but that doesn't stop an employee from walking away and leaving the machine unlocked for those several minutes. Your security policy should require employees to lock their machines (with the screensaver's password-on-resume option enabled) whenever they step away, even if it's only for a few minutes at a time.
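An added example (not from the original post) of how a Windows administrator could audit the per-user screen-saver lock settings this item describes; it reads the registry values Windows keeps under HKCU:\Control Panel\Desktop, and the 10-minute threshold is an assumption for the example.

```powershell
# Added example: audit whether the current user's screen saver is enabled,
# requires a password on resume, and kicks in within the allowed idle time.
# Assumes the standard REG_SZ values ScreenSaveActive, ScreenSaverIsSecure and
# ScreenSaveTimeOut; a missing value is treated as "not configured".
param([int]$MaxTimeoutSeconds = 600)   # 10 minutes; threshold is an assumption

$key   = 'HKCU:\Control Panel\Desktop'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

function Get-RegString($Props, [string]$Name) {
    # Return the value as a string, or $null when the key/value is absent.
    if ($null -eq $Props -or $null -eq $Props.$Name) { return $null }
    return [string]$Props.$Name
}

$active  = Get-RegString $props 'ScreenSaveActive'
$secure  = Get-RegString $props 'ScreenSaverIsSecure'
$timeout = Get-RegString $props 'ScreenSaveTimeOut'

$findings = @()
if ($active -ne '1') {
    $findings += 'Screen saver is not enabled (ScreenSaveActive is not 1).'
}
if ($secure -ne '1') {
    $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure is not 1).'
}
if (-not $timeout -or [int]$timeout -gt $MaxTimeoutSeconds) {
    $findings += "Inactivity timeout is '$timeout' seconds; expected $MaxTimeoutSeconds or less."
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: screen-lock settings satisfy the policy.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

For a whole fleet, the same requirement is better enforced centrally through the Group Policy security option "Interactive logon: Machine inactivity limit" rather than audited machine by machine.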
4- Using Insecure Wireless Connectivity
If your users have wireless company devices, they should always connect to Wi-Fi using a secure connection. Open Wi-Fi with no passcode protection leaves all data open to eavesdroppers including company passwords, documents and emails.
5- Falling Victim to Social Engineering Attacks
Social engineering is the new phishing tactic. Social engineers call employees pretending to be network administrators or helpdesk personnel and talk the employee into reading out their user name and password, which hands the attacker access to the system.
Piggybacking falls into this category as well. Piggybacking is when an unauthorized user is able to gain access to the premises by following an authorized employee through the perimeter door with badge access.
6- Granting Unnecessary High Privilege Access to Personnel
In most organizations, the data owner has full control over who is granted access, either directly or through official paperwork submitted to security. Most users don't follow the need-to-know principle that good security depends on. Users should be taught discretion when granting access to each individual employee: only give employees access if it's necessary for them to perform their job.
7- Using Unauthorized Apps for Business
The cloud offers several advantages for collaboration and sharing documents. Unfortunately, using personal accounts such as Dropbox or Google Drive for private business data can lead to accidental breaches. If the employee has poor password habits and a personal account is compromised, your data is exposed and stolen.
For all seven of these risks, the answer is to provide employees with security awareness training. The more an employee understands the risk, the fewer incidents get reported to security personnel.