Recent studies of security vulnerabilities keep reaching the same conclusion: the human factor is a greater risk to organizations than flaws in technology.
And that, most experts agree, is in large measure due to a lack of security awareness – people are either unaware of increasingly sophisticated threats, or they get careless.
There is, of course, no such thing as 100% security. But it could be a lot better if workers at every level, in every organization, avoided the common security awareness mistakes listed below.
The list was generated with the help of several security experts, who also offered advice on how organizations can minimize or even eliminate them:
1. Falling for phishing: One of the most common mistakes. It can include clicking on malicious links or attachments in phishing emails, on social media sites like Facebook and Twitter, or even on “ads” on websites that look legitimate. Criminals have gotten much better at making them look authentic, as if they come from a friend, a family member or a major, established company such as those that ship products to your home.
The fix: Train employees – regularly – to be skeptical of everything, and to click only on links that they are certain have come from a trusted sender. Organizations should run their own “sting” operation, to see how many employees are fooled by an in-house phishing attack. It will raise the awareness of workers who fall for it.
David Monahan, research director, Security and Risk Management at Enterprise Management Associates, warns that even emails from what appear to be trusted friends or family members can be fake.
“Does it seem out of character for them? If so, don’t click it,” he said.
Also, any email that asks you to “verify” your credentials is likely malicious. If you think it is worth checking, call the company or go to its website by typing the address yourself rather than following the link in the message.
Dave Frymier, CISO at Unisys, added that there are plenty of security awareness products on the market to help with training.
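The checks the experts above tell users to make by eye (does the sender really belong to the company it claims, does the visible link match where it actually goes, is the message asking you to “verify” credentials) can also be scripted. The following is an added example, not code from the article or from any product it mentions; the two messages are constructed samples, every domain is a placeholder, and the `TRUSTED_DOMAINS` allow-list and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail); every domain is a placeholder.
PHISH_EMAIL = """\
From: "Acme Parcel Delivery" <notice@acme-parcel-secure-login.example>
Reply-To: support@mail.example
To: alice@corp.example
Subject: Action required: verify your account to release your package
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, your parcel is on hold. Please
<a href="http://acme-parcel-secure-login.example/verify">https://www.acme-parcel.example/track</a>
within 24 hours to verify your credentials.</p></body></html>
"""

BENIGN_EMAIL = """\
From: "Acme Parcel Delivery" <notice@acme-parcel.example>
To: alice@corp.example
Subject: Your parcel is on the way
Content-Type: text/plain; charset=utf-8

Your parcel is due on Tuesday. Track it at https://www.acme-parcel.example/track
"""

# Hypothetical allow-list of domains the organisation actually deals with.
TRUSTED_DOMAINS = {"acme-parcel.example", "corp.example"}

# "verify ... account/credentials/password/login" within a short window of text.
CREDENTIAL_BAIT = re.compile(
    r"\bverify\b.{0,80}?\b(account|credentials|password|login)\b", re.I | re.S
)
HTML_LINK = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    # Last two labels only; real code should consult the public-suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def body_text(msg) -> str:
    # Collect every text part (walk() yields the message itself when not multipart).
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str):
    """Return (tag, detail) pairs for the cheap, high-signal checks users are told to make."""
    msg = message_from_string(raw_message)
    findings = []

    sender_domain = address_domain(msg.get("From", ""))
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(("untrusted-sender", sender_domain))

    # A Reply-To pointing elsewhere is a sign the From header is decoration.
    reply_domain = address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply-to-mismatch", reply_domain))

    body = body_text(msg)
    if CREDENTIAL_BAIT.search(msg.get("Subject", "") + "\n" + body):
        findings.append(("credential-bait", "asks the reader to verify credentials"))

    # Visible link text that names one site while the href goes to another.
    for href, inner in HTML_LINK.findall(body):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if "://" not in shown:
            continue  # link text is a label, not a URL, so there is nothing to compare
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(("link-mismatch", f"shows {shown_host}, goes to {real_host}"))

    return findings


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(mail))
```

Run on the constructed phishing message it reports all four indicators; on the benign one it reports none. The domain comparison deliberately uses the registrable domain rather than the full host, since the lookalike in the sample differs from the real one only in the registered name, which is exactly where users are fooled.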
2. Unauthorized application or cloud use, known as shadow IT: Dan Lohrmann, chief strategist and CSO at Security Mentor, said this includes posting private, or uncontrolled, data to the cloud.
Frymier agrees. “This comes in a lot of forms,” he said. “Anything from installing ‘gotomypc’ to buying cloud virtual machines and using them for corporate purposes. It amazes me how people can do these things without realizing the dangers.”
The fix: “For example, offer a reasonable cloud storage solution that is approved, rather than just saying no.”
3. Weak or misused passwords: It doesn’t take an expert to know that using a default or simple password is like leaving the company door unlocked. But misuse also includes using the same password for multiple sites and sharing them with coworkers.
“Because everything demands a password we tend to do a lot of credential duplication between our various sites,” said Monahan. “It goes back to ease of use.
“But this is a critical and sometimes tragic error. Many crucial accounts are hacked because an attacker gets access to email or some other seemingly innocuous account where users have reused their credentials with another far more sensitive account, such as banking or health care,” he said.
The fix: Make it easier to manage multiple, complex passwords, to reduce the incentive to re-use them. Security and encryption guru and Co3 Systems CTO Bruce Schneier is among numerous experts who have recommended creating passwords by using the first letters of a phrase or sentence that is easy to remember, with a few numbers and/or symbols thrown in. He and others also recommend using a password manager – there are a number available.
Two-factor authentication also improves security, especially for common apps such as Google Gmail or Facebook, experts say. So don’t rely on a password alone.
Finally, don’t share passwords with anybody – that means anybody.
4. Remote insecurity: This is the common practice of transferring files between work and personal computers when working from home, or allowing family members to use a work device at home. Frymier said it can also include backing up corporate data to a third-party cloud service.
This not only exposes the company to malware, but Monahan said it also “leaves data and data residue – data left post deletion that can be retrieved with proper tools – on an unmanaged system.”
Beyond that, it can expose the user to legal troubles. If there is a lawsuit that involves e-discovery and attorneys find that an employee had any of the data in question on a personal device, “they can subpoena your system and all that is on it for review and associated scrutiny,” Monahan said.
The fix: It ought to be company policy – one about which employees get regular reminders – that there needs to be authorization for corporate apps or files to be used on personal devices.
This is an area where technology can help improve security, for example through full-disk encryption on laptops and encrypted connections back to corporate systems.
Lohrmann added that, “good identity management systems can control user access and provisioning – who can do what and when – and reduce the number of passwords needed to access applications.”
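Monahan’s point about “data residue” is easy to demonstrate: on most file systems, deleting a file only removes its directory entry, and the blocks that held its contents stay on disk until something overwrites them, which is why forensic tools can recover them. The following is an added example, not code from the article or from any tool it mentions. It simulates a tiny block device (the `ToyDisk` class and the block layout are hypothetical, chosen for the illustration), writes a constructed PDF-like document, deletes it, and then recovers it by signature-based carving over the raw image, ignoring the directory entirely. The `wipe` option shows the counter-measure: overwriting the blocks before dropping the entry.

```python
BLOCK_SIZE = 64
BLOCK_COUNT = 32
PDF_HEADER = b"%PDF-1.4"   # signature the carver looks for
PDF_TRAILER = b"%%EOF"     # marker that ends a carved span


class ToyDisk:
    """A tiny block device plus a directory table: name -> (start block, byte length).

    As on real file systems, deleting a file normally just drops the directory
    entry; the data blocks are left intact until they are reused.
    """

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.directory = {}
        self.next_free = 1  # block 0 is reserved, as a superblock would be

    def write_file(self, name, data):
        blocks_needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if self.next_free + blocks_needed > BLOCK_COUNT:
            raise OSError("disk full")
        start = self.next_free * BLOCK_SIZE
        self.image[start:start + len(data)] = data
        self.directory[name] = (self.next_free, len(data))
        self.next_free += blocks_needed

    def read_file(self, name):
        block, length = self.directory[name]
        start = block * BLOCK_SIZE
        return bytes(self.image[start:start + length])

    def delete_file(self, name, wipe=False):
        block, length = self.directory.pop(name)
        if wipe:
            # Overwrite every block the file occupied before forgetting it.
            blocks = -(-length // BLOCK_SIZE)
            start = block * BLOCK_SIZE
            self.image[start:start + blocks * BLOCK_SIZE] = bytes(blocks * BLOCK_SIZE)


def carve(image, header, trailer):
    """Signature-based carving: return every header..trailer span found in the raw
    image, without consulting any directory or allocation structure."""
    recovered, pos = [], 0
    while True:
        h = image.find(header, pos)
        if h < 0:
            break
        t = image.find(trailer, h + len(header))
        if t < 0:
            break
        end = t + len(trailer)
        recovered.append(bytes(image[h:end]))
        pos = end
    return recovered


def residue_after_delete(wipe: bool):
    """Write a constructed document, delete it, and report what a carver still finds."""
    disk = ToyDisk()
    document = PDF_HEADER + b"\n1 0 obj << /Title (Q3 forecast) >> endobj\n" + PDF_TRAILER
    disk.write_file("report.pdf", document)
    assert disk.read_file("report.pdf") == document
    disk.delete_file("report.pdf", wipe=wipe)
    return {
        "listed": "report.pdf" in disk.directory,
        "carved": carve(disk.image, PDF_HEADER, PDF_TRAILER),
    }


if __name__ == "__main__":
    print("plain delete:", residue_after_delete(wipe=False))
    print("wipe then delete:", residue_after_delete(wipe=True))
```

After a plain delete the file no longer appears in the directory, yet the carver returns the whole document from the raw blocks; after a wipe-then-delete it returns nothing. Real carvers work the same way against a disk image, only with many more signatures and more care about fragmentation, which is why an unmanaged home PC that once held corporate files is a problem long after the files were “deleted”.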
5. Disabling security controls: This is usually done by users with administrative privileges, to make things easier for employees to use, but it can have catastrophic consequences. Obviously, if a security measure is disabled, it offers no protection.
“This is huge,” Monahan said. “The ongoing battle between security and usability is one of the biggest rubs.”
The fix: Among other things, organizations should forbid web surfing from administrative accounts. If an employee does fall victim to malware, it is then much less likely to obtain the level of permission it needs to install itself, or at least to persist.
Frymier said these days this is a problem any IT department should be able to prevent. “Most things in the anti-virus/malware and authentication world can be locked down so they can’t be disabled,” he said.