9 ways employees compromise security

When we hear the words ‘data security breach’, do we picture a shady character in a dark basement working hard to hack into a network? Or perhaps we picture something out of a sci-fi film? A supergroup of cyber-attackers, complete with sophisticated cybersecurity tools, looking to conquer the world?

Maybe sometimes. But for businesses, it might come as a shock that one of the greatest threats to data security is likely to be sitting at a desk in the office. While hackers are increasingly sophisticated, much of the danger to a company comes from within. To be fair, poor training or poor data security policies may be to blame, not malicious intent.

We all make mistakes, no matter how much we try our best to avoid them. And with cybersecurity, it’s no different. Unfortunately, according to a study from IBM, human error is the leading cause of 95% of cybersecurity breaches.

There are countless ways in which human error can jeopardise a company’s information security, but some types of errors are more common than others. Here are 9 of the most common ones:

1. Insider threat

Let’s start with the most depressing part and get it out of the way. The cost of the average insider incident is now more than AUD 20 million, and while they are rare security incidents, malicious insider threats are difficult to detect and more costly than those that come from external sources.

We can all agree that a few bad apples can get past HR, but the reality is it is happening at an alarming rate, with an increase of almost 50% in the last two years. Most malicious insider attacks come from disgruntled employees, and are more likely to happen in the month before and after an employee leaves an organisation. If a departing employee still has access to email or VPN logins after they pack up their desk, they have the perfect opportunity to hack into their former workplace’s servers or emails.
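The practical control here is an offboarding audit: compare HR’s leaver list against what the identity directory still allows, and keep leavers on a watchlist for the month either side of their last day. The script below is an added example (not part of the original post or Atarix’s tooling); the leaver list, directory snapshot and the `Account` fields are constructed to show the checks, and in practice they would be exported from HR and the directory or VPN platform.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]   # None when the account has never signed in
    vpn_enabled: bool

# Constructed sample data: HR leaver list (user -> last working day) and a snapshot
# of the identity directory as an administrator might export it.
LEAVERS = {"jsmith": date(2024, 3, 29), "akhan": date(2024, 4, 12), "mlee": date(2024, 4, 30)}
DIRECTORY = [
    Account("jsmith", enabled=True,  last_login=date(2024, 4, 10), vpn_enabled=True),
    Account("akhan",  enabled=False, last_login=date(2024, 4, 11), vpn_enabled=False),
    Account("mlee",   enabled=True,  last_login=date(2024, 4, 29), vpn_enabled=True),
    Account("bwong",  enabled=True,  last_login=date(2024, 4, 28), vpn_enabled=True),
]

def audit_leavers(leavers, directory, today, grace_days=0):
    """Return (user, finding) pairs for leavers whose access outlived their employment."""
    findings = []
    by_user = {a.user: a for a in directory}
    for user, last_day in leavers.items():
        acct = by_user.get(user)
        if acct is None:
            continue                      # already deleted from the directory
        if today <= last_day + timedelta(days=grace_days):
            continue                      # still employed (or inside the agreed grace period)
        if acct.enabled:
            findings.append((user, "account still enabled after last working day"))
        if acct.vpn_enabled:
            findings.append((user, "VPN access still granted after last working day"))
        if acct.last_login and acct.last_login > last_day:
            findings.append((user, f"sign-in on {acct.last_login} after last working day {last_day}"))
    return findings

def watchlist(leavers, today, window_days=30):
    """Users whose last day falls within +/- window_days of today: candidates for closer monitoring."""
    window = timedelta(days=window_days)
    return sorted(u for u, last_day in leavers.items() if abs(last_day - today) <= window)

if __name__ == "__main__":
    today = date(2024, 4, 15)
    for user, finding in audit_leavers(LEAVERS, DIRECTORY, today):
        print(f"{user}: {finding}")
    print("watchlist:", watchlist(LEAVERS, today))
```

Run against the constructed snapshot on 15 April 2024, the audit flags only `jsmith`, whose account and VPN access are still live and who signed in after leaving; `akhan` was correctly disabled and `mlee` has not left yet, but all three land on the watchlist for the 30-day window.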

2. Weak password management

Employees commonly use the same password on different websites or different but easy-to-guess passwords, such as birthdays or their hometown. It may seem like a smart way to save time or keep track of passwords, but it’s similar to turning on a neon sign and letting malicious actors know we’re open for business. A brute force attack would allow hackers to access other accounts of employees and steal confidential company data.

Tips to make passwords strong:

3. Phishing attacks

Scam emails used to be fairly simple to spot as phonies, but phishing emails today are so well disguised that they are hard to detect, like a chameleon in camo print. Phishing emails mislead recipients into thinking they are real but allow cybercriminals to access devices and data when their links or attachments are clicked. Phishing emails often appear to come from reputable organisations, but they contain misspelt names, deceptive URLs, or extravagant offers of assistance or discounts.

We need to make security awareness programs a regular part of our employees’ work routine, which includes phishing attack training modules and keeping them updated on new scams as they happen.
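The tells listed above (a display name that claims a brand the sender address doesn’t belong to, lookalike domains, link text that names one site while the href goes to another, and urgency language) can be scored automatically at the mail gateway or in a training tool. The checker below is an added example, not the post’s own material; `KNOWN_DOMAINS`, the urgency phrase list and the two sample messages are constructed, and a production version would use the public suffix list to compare registrable domains rather than whole hostnames.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation legitimately deals with.
KNOWN_DOMAINS = {"example-bank.com", "atarix.com.au"}
URGENCY = re.compile(r"urgent|immediately|suspended|verify your account|within 24 hours", re.I)
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_known(host):
    return any(host == k or host.endswith("." + k) for k in KNOWN_DOMAINS)

def lookalike_of(host):
    """Return the known domain this host imitates, if it is within two edits of one."""
    if is_known(host):
        return None
    for known in KNOWN_DOMAINS:
        if edit_distance(host, known) <= 2:
            return known
    return None

def host_of(url):
    if "://" not in url:
        url = "https://" + url          # bare 'example.com/path' link text
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(display_name, from_addr, subject, body, links):
    """links: list of (anchor text, href) pairs extracted from the HTML body.
    Returns (category, detail) pairs; an empty list means no indicator fired."""
    found = []
    from_host = from_addr.rsplit("@", 1)[-1].lower()
    # 1. Display name drops a known brand while the address comes from somewhere else
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0].replace("-", " ")
        if brand in display_name.lower() and not is_known(from_host):
            found.append(("impersonated_brand", f"'{display_name}' sent from {from_host}"))
    # 2. Sender domain one or two characters away from a known domain
    target = lookalike_of(from_host)
    if target:
        found.append(("lookalike_sender", f"{from_host} resembles {target}"))
    # 3. Links whose visible text names one host but whose href goes to another
    for text, href in links:
        text, href_host = text.strip(), host_of(href)
        if URL_LIKE.match(text) and host_of(text) != href_host:
            found.append(("link_mismatch", f"text shows {host_of(text)}, href goes to {href_host}"))
        target = lookalike_of(href_host)
        if target:
            found.append(("lookalike_link", f"{href_host} resembles {target}"))
    # 4. Pressure language typical of credential-harvesting lures
    if URGENCY.search(subject) or URGENCY.search(body):
        found.append(("urgency", "subject or body uses urgency language"))
    return found

# Constructed sample messages: one lure, one genuine notification.
LURE = dict(display_name="Example Bank Support", from_addr="support@examp1e-bank.com",
            subject="Urgent: verify your account",
            body="Your account will be suspended within 24 hours unless you verify it.",
            links=[("https://example-bank.com/login", "https://examp1e-bank.com/login")])
GENUINE = dict(display_name="Example Bank", from_addr="alerts@example-bank.com",
               subject="Your monthly statement", body="Your statement is available.",
               links=[("example-bank.com/statements", "https://example-bank.com/statements")])

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("genuine", GENUINE)):
        print(name, phishing_indicators(**msg) or "no indicators")
```

On the constructed lure all five categories fire; the genuine statement notice produces none, because its sender and link hosts are on the allowlist and the visible link text matches the href.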

4. Accessing social media

Few people in today’s digitally connected world can go a whole day without sneaking a peek at their social media or browsing the internet for the latest airfares to Bali (we’re definitely not guilty of this…). But employees who use their company’s internet for these non-work related reasons can accidentally access websites that have malware or clickbait, which can lead to harmful content being downloaded. Threat actors can access networks with more sophisticated methods, hiding malicious activity until it is well embedded in company systems.

We ought to ensure our networks are protected with endpoint monitoring and detection, and always encourage employees to use the internet wisely and securely (and save the NRL Grand Final live tweeting for their personal devices).

5. Delayed patch updates

It is pretty common for employees to be so busy they will get a notification to update software, shelve it for later, and then completely forget about it. Unapplied patches can quickly become a serious issue for businesses if they fix security bugs. Threat actors can take advantage of any vulnerabilities that are found and infiltrate networks or systems, launching a ransomware attack or stealing sensitive data.
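Because individual employees will defer updates, the business needs its own view of how long each device has been running a version with a known fix available, measured against a patch SLA by severity. The report below is an added example and not part of the original post; the inventory snapshot, advisory feed and SLA table are constructed, and in practice the first two would be pulled from the endpoint-management tool and a vulnerability feed.

```python
from datetime import date

# Constructed inventory snapshot: (hostname, package, installed_version).
INVENTORY = [
    ("lt-jsmith", "browser", "124.0.1"),
    ("lt-akhan", "browser", "125.0.0"),
    ("lt-akhan", "vpnclient", "3.2.0"),
    ("lt-mlee", "vpnclient", "3.4.1"),
    ("lt-mlee", "officesuite", "16.0.1"),
]
# Constructed advisory feed: package -> (first fixed version, severity, date published).
ADVISORIES = {
    "browser": ("125.0.0", "critical", date(2024, 4, 1)),
    "vpnclient": ("3.4.0", "high", date(2024, 3, 20)),
    "officesuite": ("16.0.2", "medium", date(2024, 4, 10)),
}
# Days allowed between an advisory being published and the fix being installed.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}

def parse_version(v):
    """Dotted numeric versions compare correctly as integer tuples ('3.10.0' > '3.9.1')."""
    return tuple(int(part) for part in v.split("."))

def overdue_patches(inventory, advisories, today):
    """One row per (host, package) still below the fixed version, with SLA status."""
    report = []
    for host, pkg, installed in inventory:
        if pkg not in advisories:
            continue
        fixed, severity, published = advisories[pkg]
        if parse_version(installed) >= parse_version(fixed):
            continue                               # already patched
        days_exposed = (today - published).days
        report.append({
            "host": host, "package": pkg, "installed": installed, "fixed": fixed,
            "severity": severity, "days_exposed": days_exposed,
            "overdue": days_exposed > SLA_DAYS[severity],
        })
    # Most urgent first: overdue rows, then by days exposed
    return sorted(report, key=lambda r: (not r["overdue"], -r["days_exposed"]))

if __name__ == "__main__":
    for row in overdue_patches(INVENTORY, ADVISORIES, date(2024, 4, 15)):
        flag = "OVERDUE" if row["overdue"] else "within SLA"
        print(f"{row['host']:10} {row['package']:12} {row['installed']} -> {row['fixed']} "
              f"({row['severity']}, {row['days_exposed']}d) {flag}")
```

On 15 April 2024 the constructed data yields three unpatched entries: the browser on `lt-jsmith` (critical, 14 days, past a 7-day SLA) and the VPN client on `lt-akhan` (high, 26 days) are overdue, while the office suite on `lt-mlee` is only five days into a 30-day window.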

6. BYOD use

Personal mobile devices have been beneficial for work purposes over the last few years (insert an Oscar-worthy thank-you speech for our mobile devices here) but they come with a security cost. The danger of cyber-attacks on personal devices may be higher, and they may be discarded or sold in an insecure manner. Using personal devices on a corporate network may result in malicious software spreading across the firm, or email security being threatened.

Employees should use multi-factor authentication for their laptops and phones for work-related activities, and the business network should be monitored to identify traffic and users if employees need to use their own devices.

7. Unsecured network access

Using public Wi-Fi to access business networks and data remotely is riskier than going on a rollercoaster after lunch, as hackers can intercept or steal data or credentials. Remote employees may not be working in traditional office settings, particularly if they are travelling or utilising public networks often. Network security – by using a VPN and ensuring data is encrypted in transit and at rest – is vital in these situations.

8. Downloading unsafe content

An employee installing a file or application without proper caution may unintentionally introduce malware or new vulnerabilities that attackers could exploit. If a network administrator has full control over the devices their employees are using, they can restrict what employees are allowed to install. This is important because installed software is granted access to almost every aspect of a computer’s functioning.

9. Poor security culture

Let’s finish on a positive note – most employees don’t generally set out to endanger their organisation with cybersecurity breaches or data breaches (phew!). These incidents occur as a result of a lack of security awareness. Security awareness training can help employees better understand data breaches and how to reduce them across an organisation. In order to build a strong security culture, security awareness training should be consistent, engaging, and relevant.

Boost business security with the experts

It’s important to keep in mind that our employees were hired to help grow the company, not to make it weaker through poor security practices. With the right policies and tools, we can protect our companies not only from faraway hackers and cybercriminals but also from people just a conference room away. The cybersecurity experts at Atarix can make sure employees are not the weakest link in the security chain while strengthening overall business IT security for safer processes and protected customers.
