In the last two years alone, global spending on security has grown by $30 billion.
Even though organizations are spending more money than ever before to secure their precious information technology assets, breaches are becoming more frequent. Why is that? The answer is simple: one of the biggest vulnerabilities in any organization’s cybersecurity posture continues to be overlooked: employees.
It’s estimated that employees, and the skill-based and decision-based errors they make, are directly or indirectly responsible for 19 out of 20 cyber breaches. One reason why the number is so alarmingly high is that many organizations are not even aware their employees engage in the following activities that put their security at risk.
1. The Use of Personal Devices for Work
The amount of processing power the average employee carries in their pocket these days is staggering. It’s no wonder then that they’re putting it to good use by doing everything from accessing emails on the go to working fully remotely.
The problem with personal devices used without IT approval is that they expose the entire organization to many of the other cybersecurity risks described in this article.
To mitigate these risks, organizations should implement a bring-your-own-device (BYOD) policy to clearly specify the conditions under which employees can use personal devices for work.
In many cases, however, it’s better not to allow personal devices for work at all because the risks that come with them are not always worth the potential productivity gains.
2. Visiting Shady Websites and Clicking on Suspicious Links
The web is a giant playground filled with all sorts of exciting activities, from news sites and social media to streaming sites with both kid-friendly and adult-only content. Employees occasionally visit this playground, but they’re not always careful who they play with.
According to one estimate from 2022, 4.1 million websites globally are infected with malware, while an earlier analysis puts the number at 18.5 million, roughly 1 percent of all existing websites.
Besides websites that may infect their visitors with malware (including hard-to-detect fileless malware), there are also websites that are disguised as legitimate online shops or banking sites and designed to steal sensitive information from those who open them without realizing the danger.
The cybersecurity risk of employees visiting shady websites and clicking on suspicious links can be tackled in two different ways:
- Employee education: One of the most effective ways to stop employees from doing dangerous things online is to educate them about the risks involved.
- Web filtering and blocking: Another approach is to use web filtering and blocking software that restricts access to certain websites or entire categories of websites.
To achieve the best results, it’s recommended to combine these two approaches as mutually complementary parts of a comprehensive cybersecurity awareness program.
3. Careless Password Management Practices
Passwords are the keys to every organization’s digital kingdom, but employees don’t always handle them responsibly, committing such password management sins as:
- Using weak passwords that are too easy to guess, such as “password123.”
- Reusing the same password across multiple accounts.
- Storing passwords on sticky notes or in plain text files.
- Sharing passwords with colleagues using email or instant messaging.
- Not changing default passwords.
The specific risks associated with these and other acts of carelessness include brute force, credential-stuffing, and phishing attacks. The good news is that some of the worst password management practices can be addressed with set-and-forget policies, while multi-factor authentication and employee education can help with the rest.
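As an added illustration of such a set-and-forget policy (example code written for this article, not a product or library mentioned on the page), the check below rejects the password sins listed above at the moment a password is set: common passwords even with digits or symbols appended, vendor defaults, passwords containing the username, and reuse of a recent password, compared only against salted hashes. The word lists are constructed stand-ins for a real breached-password list and a vendor-default list.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-ins: a few entries from a breached-password list and common vendor defaults.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
DEFAULT_CREDENTIALS = {"admin", "changeme", "default", "cisco", "root"}
MIN_LENGTH = 12
HISTORY_DEPTH = 5  # how many previous passwords a user may not reuse

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so stored history never holds plain text; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def check_new_password(candidate: str, username: str, history: list) -> list:
    """Return the policy violations for a proposed password; an empty list means it is accepted."""
    problems = []
    lowered = candidate.lower()
    # Keep only letters so that "Password123!" is still recognised as "password".
    stem = re.sub(r"[^a-z]", "", lowered)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if stem in COMMON_PASSWORDS or lowered in COMMON_PASSWORDS:
        problems.append("is a common password, possibly with digits or symbols appended")
    if stem in DEFAULT_CREDENTIALS or lowered in DEFAULT_CREDENTIALS:
        problems.append("matches a vendor default password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Compare against stored (salt, digest) pairs from the user's history; never plain text.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems
```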
Because passwords play a role in 80 percent of data breaches, some organizations are now embracing passwordless authentication as a means of verifying user identity, relying on authentication factors like biometrics, one-time tokens, or magic links instead.
4. Unsafe Data Storage and Sharing
Data is the lifeblood of many organizations, so it’s crucial that it’s stored and shared securely. However, many employees are prioritizing convenience over security, putting sensitive information at risk by:
- Storing sensitive work data on personal devices.
- Using personal cloud storage services.
- Sharing data unencrypted via email.
These and other dangerous data storage and sharing habits can lead to costly data breaches. Because they fundamentally stem from employees’ desire to get their work done quickly and easily, organizations should see them as opportunities to improve—not opportunities to punish.
If employees are storing sensitive work data on personal devices or using personal cloud storage services, then they likely lack a convenient alternative that’s sanctioned by the IT department. Similarly, the use of unencrypted email attachments is often caused by the absence of secure file-sharing solutions.
5. Not Verifying Unusual Requests
The ninth annual State of the Phish report by Proofpoint revealed that 44 percent of people think an email is safe when it contains familiar branding, not realizing that cybercriminals can easily craft branded messages that look completely legitimate.
Often, the unusual requests such messages tend to contain are the only indicators that they may be part of a phishing or some other social engineering attack. Examples of unusual requests whose purpose is to trick employees into divulging sensitive information or granting unauthorized access include:
- A message from a social media site requesting the user to update their login credentials, including their password.
- An email from a financial institution requesting that the recipient verify their account information by clicking on a link and entering their personal details.
- An email from a supplier requesting payment for a product or service that the recipient does not recall ordering.
- An email from a colleague requesting that the recipient download and open an unexpected attachment.
Malicious requests like these are designed to exploit the fact that recipients don’t always bother to verify them, so training employees to always verify unusual requests before taking any action is the most effective way to mitigate this risk.
Specifically, employees should be trained to carefully check the sender’s email address, look out for red flags like an unusual tone of voice or poor grammar, and reach out to the sender directly through a known and trusted communication channel if still in doubt.
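The sender-address and link checks described above can also be automated as a first-pass triage before a message ever reaches the employee. The example below is added here and is not code from the page or from any product it mentions; the trusted-domain allow-list, the risky-attachment list and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the mail domains each brand in a display name legitimately uses,
# plus attachment types that run code or scripts when opened.
TRUSTED_SENDERS = {"acme bank": {"acmebank.example"}}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".html")

def assess_request(raw_email: str) -> list:
    """Return the red flags found in one email; an empty list means none were found."""
    msg = message_from_string(raw_email)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    allowed = TRUSTED_SENDERS.get(display.strip().lower())
    flags = []
    # 1. Display name claims a known brand, but the address is not one of that brand's domains.
    if allowed is not None and sender_domain not in allowed:
        flags.append(f"'{display}' sent from unexpected domain {sender_domain}")
    text, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload())
    body = " ".join(text).lower()
    # 2. Links pointing at hosts the claimed brand does not own (lookalike domains).
    for host in re.findall(r"https?://([^/\s]+)", body):
        if allowed is not None and host not in allowed:
            flags.append(f"link to {host} despite branding as '{display}'")
    # 3. Unexpected attachments of a type that can execute when opened.
    flags += [f"risky attachment type: {n}" for n in attachments if n.lower().endswith(RISKY_EXTENSIONS)]
    return flags

# Constructed sample: branded as a bank, but sent from and linking to a lookalike domain.
SAMPLE_EMAIL = """\
From: Acme Bank <security@acmebank-verify.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please verify your account at https://acmebank-verify.example/login
--b1
Content-Type: text/html; name="statement.html"
Content-Disposition: attachment; filename="statement.html"

<html></html>
--b1--
"""
```

Flags are a prompt for the human check the article recommends (contacting the sender through a known channel), not a verdict on their own.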
6. Installing and Using Unsanctioned Software
Just like a skilled tradesperson is very particular about the tools they use on the job site, tech-savvy employees often have preferences for the software they use to get their work done. But they don’t always bother to ask the IT department for approval before using it.
In the past, forcing employees to use only sanctioned software was fairly straightforward. But with the rise of cloud-based software, employees now enjoy access to a vast range of solutions that can be accessed from any web browser without administrator privileges. As a result, 80 percent of employees now admit to using cloud-based applications at work without getting approval from IT.
The use of any unsanctioned software (both locally installed and cloud-based) represents a major cybersecurity risk because there are many software applications that contain known vulnerabilities or sell user data to third parties. Additionally, unsanctioned software can lead to compliance and regulatory issues, especially for organizations in highly regulated industries such as healthcare and finance.
Just like when addressing the issue of unsafe data storage and sharing, organizations should work with employees to understand their software needs, so they can satisfy those needs before employees feel compelled to satisfy them on their own. At the same time, organizations should clearly communicate the risks associated with the use of unsanctioned software to deter employees from taking this route.
7. Failing to Install Available Software Updates
In 2022, 26,448 software security flaws were reported according to an analysis by The Stack of Common Vulnerabilities and Exposures (CVEs) data. Out of these, 4,135 were critical, which means there was a publicly available mechanism to exploit them.
What’s really unfortunate is that around 40 percent of vulnerabilities are exploited after a patch has been released. This highlights the critical importance of promptly installing available software updates—something many employees fail to do.
The biggest reason why employees postpone the installation of patches is that they don’t want to interrupt their work or take the time to restart their devices. That’s understandable but not acceptable. Employees need to understand how software updates help protect against cyber attacks and be required to install them as soon as they possibly can—even if it means delivering a report or sending an email 15 minutes later.
Organizations can make employees’ lives easier by implementing an automated patch management solution that pushes updates to devices at regular intervals. Better yet, they can move their infrastructure to the cloud and make patching someone else’s responsibility.
8. Connecting to Unsecured Public Networks
Public Wi-Fi networks, such as those readily found in coffee shops, airport lounges, and other public areas, provide a convenient way for visitors to connect to the internet, but the convenience may come at a price, and we’re not talking about network usage fees.
While some public Wi-Fi networks are secured reasonably well, there are also networks that:
- Are set up by cybercriminals with malicious intent. These so-called Wi-Fi honeypots function just like legitimate networks, but they’re designed to capture all traffic that goes through them.
- Are not sufficiently encrypted. This can leave their users vulnerable to eavesdropping attacks, whose purpose is to intercept unencrypted or weakly encrypted traffic.
- Contain unpatched vulnerabilities. Such vulnerabilities can be exploited by cybercriminals and used to plant malware, change configuration settings, and more.
Ideally, employees should never connect to any public Wi-Fi hotspots at all. Instead, they should create their own mobile hotspots using their smartphones and cellular data connections. A Virtual Private Network (VPN) service can also be used to securely transmit data across a public Wi-Fi network, but this approach leaves some room for user error and data leakage.
Organizations that have moved their infrastructure to the cloud are far less likely to suffer the potential negative consequences of their employees connecting to unsecured public Wi-Fi networks because all reputable cloud providers implement HTTPS encryption to protect data in transit.
It’s Time to Strengthen the Weakest Cybersecurity Link
As we’ve seen, there are many ways employees can become the weakest link in an organization’s cybersecurity defenses. To ensure they won’t, it’s important to invest in employee training and education so that employees understand the consequences their actions may have.
Organizations should also update their cybersecurity policies to enforce best practices and establish a dialogue with employees to better understand the reasoning behind their risky actions. That way, they can find and implement solutions that provide employees with a safe way of getting things done.
If you’re looking for a managed IT services provider who can help you address the cybersecurity risks described in this article, contact us at OSIbeyond.