Humans are often cited by businesses as a weak link in the cybersecurity chain. And while some people tend to focus on the threat posed by malicious hackers or bitter insiders, it is actually unintentional mistakes and compromises that are a much bigger issue.
Check out these seven ways that your employees could unwittingly compromise your organization’s cybersecurity, as well as some of the measures you can put in place to mitigate the risk.
1. Using personal devices
The rise of bring-your-own-device (BYOD) means that more employees are using their own devices to read company emails and access sensitive business information. Unlike business-owned devices, which can be easily audited and controlled by your IT team, personal devices may not have antivirus software installed, and could have a huge range of other exploitable weaknesses.
A recent report from Verizon revealed that 79 percent of companies consider their own employees a “significant threat,” and that some of the riskiest behaviors for employees using their own devices included downloading mobile apps and visiting questionable websites.
2. Connecting to public Wi-Fi hotspots
A huge number of workers use Wi-Fi hotspots in order to send and receive work emails, or even to access company files and information. Whilst being able to work on the go might be good for employee productivity, using public Wi-Fi is not without cybersecurity risks. Most notably, public Wi-Fi networks can be used by cybercriminals to eavesdrop on communications, steal files and distribute malware.
3. Surfing the web
Cybercriminals will often look for ways to compromise reputable and popular websites in order to distribute malware or intercept communications. Employees browsing the web need to be extremely careful and avoid sharing details with sites that don’t display a padlock, which indicates that connections to the site are encrypted. Note that the padlock only confirms the connection is encrypted; it says nothing about whether the site itself is trustworthy.
In so-called watering hole attacks, hackers will purposely seek to compromise websites that an organization’s employees are known to visit regularly. NotPetya, ransomware believed to have originated in Ukraine and spread via a compromised government website, is one major example of this.
4. Downloading unsafe content
Employees need to take serious care when they download files or applications. The issue here is not only that downloads can contain malware, but that they can also unintentionally introduce new vulnerabilities that attackers may seek to exploit. Open-source software can be particularly vulnerable to compromise because it is widely used and because cybersecurity is often not a high priority for its developers.
5. Practicing poor password security
Despite constant warnings about the risks of poor password security, employees are still routinely failing to practice strong hygiene in this area. There are actually many reasons for this—and it’s not just because users are lazy or have too many accounts to manage. In some instances, businesses are actually encouraging poor practices by asking employees to share credentials, in order to reduce the need to purchase additional licenses for software.
6. Falling foul of phishing scams
Unfortunately, it is still common for individuals to fall for phishing emails. Recent statistics reveal that 1 in every 99 emails is a phishing attack, which makes them a real danger to businesses. If employees aren’t able to recognize phishing attempts, they can end up inadvertently disclosing sensitive information, transferring payments for goods and services to unintended recipients, and installing malware.
7. Collating dark data
Dark data is information that is collected by businesses, but is forgotten about and no longer has a clear owner. Such information could include old emails, versions of documents, meeting minutes and customer or supplier information.
Dark data can be extremely valuable to cybercriminals. Some employee practices, such as CCing too many people on emails, are actually adding to the volume of dark data and making it harder for businesses to secure and manage it.
How to mitigate employee security risks
To mitigate the security risks and challenges posed by employees to your business, it’s important to foster a strong security culture. Educate staff about maintaining good cyber hygiene as well as how to spot the latest phishing scams.
It’s also important to take practical steps to proactively monitor networks and endpoints. Mistakes will happen, so having people and technology in place to swiftly detect and respond to them before they develop into serious incidents can be extremely important. If your organization lacks security resources, then a 24/7 outsourced managed detection and response service is a great option to quickly bolster the protection of your business.
This article was originally published on the EO Global Octane Blog.