Cybersecurity risk management is often viewed as building up exterior defenses against unrelenting outside threats. But sometimes, the most considerable risk lies within. Verizon’s 2023 Data Breach Investigations Report found that 74% of all breaches involve the human element. An organization’s employees can pose a significant cybersecurity risk, whether through simple user error, negligence, misuse of privileged access, stolen credentials, phishing, or other social engineering scams. While an unhappy worker or malicious vendor may leverage their credentials and unchecked access to cause harm or for personal gain, recent Kaspersky research shows that careless or uninformed staff are the second-most likely cause of a severe security breach. Let’s examine three common ways that otherwise well-meaning employees increase cybersecurity risk and what your organization can do to combat them.
Common Employee Mistake 1: Weak Passwords
NordPass’s Top 200 Most Common Passwords features a pair of passwords used more than 4 million times each in 2023: “123456” and “admin” (the latter is also the factory default on many network devices). Using these and other similarly weak passwords poses an active security risk for individuals and the entire organization, especially from a “dictionary attack.” In this password-cracking technique, a malicious actor takes a list of common or previously leaked passwords and tries each entry, often with simple variations such as a capital first letter or an appended digit, against a login page or against stolen password hashes until one matches. A password that appears on such a list is recovered in a fraction of a second, no matter how it is stored.
Solutions for Password Security
- Create strong passwords. When a password is necessary, NordPass recommends that it be at least 20 characters long and include uppercase and lowercase letters, numbers, and special symbols while avoiding guessable information such as birthdays, family names, or common words.
- Use multi-factor authentication (MFA). In addition to limiting login attempts, strong password formulation, and prompt resets when a credential is suspected of exposure, requiring employees to use MFA can significantly decrease risks related to breaches or attacks through stolen credentials. According to Microsoft research and the company’s security experts, using MFA can block more than 99.9 percent of automated account-compromise attacks.
- Use authentication and access management solutions. Reduce reliance on passwords wherever possible through single sign-on and passwordless authentication offered by solutions such as Duo Access and SecureAuth. Biometric authentication, such as fingerprint scanners, iris scanners, and facial recognition, is another safer alternative to typed passwords; in most implementations the biometric unlocks a key held on the user’s device rather than being sent to the server, so a phished or reused password is no longer the weak link.
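The dictionary attack described above, and the NordPass password guidance, as an added example that is not part of the original article. The wordlist, the hash function, and the sample passwords are constructed for illustration: the list is a short stand-in for a file of millions of leaked passwords, and unsalted SHA-256 stands in for a weakly stored password hash (a real system should use a salted, slow hash such as bcrypt or Argon2, which slows this attack down but does not rescue a password that is on the list).

```python
import hashlib
import re
import string

# Constructed, abbreviated stand-in for a common-password list such as the
# NordPass Top 200. A real attacker uses a file with millions of entries.
COMMON_PASSWORDS = [
    "123456", "admin", "12345678", "123456789", "1234", "12345",
    "password", "123", "Aa123456", "1234567890", "UNKNOWN", "1234567",
    "123123", "111111", "Password", "12345678910", "000000", "admin123",
]

# Mutations a wordlist tool applies to each base word ("rules").
MUTATIONS = (
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "!",
    lambda w: w + "123",
)


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password: a stand-in for a poorly stored hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist=COMMON_PASSWORDS):
    """Try every wordlist entry (and its mutations) against a stolen hash.

    Returns the recovered password, or None if nothing in the list matches.
    Every candidate is hashed the same way the victim system hashes it, so
    the attack needs no knowledge of the password itself.
    """
    for word in wordlist:
        for mutate in MUTATIONS:
            candidate = mutate(word)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def check_password_policy(password: str, personal_terms=()) -> list:
    """Check a proposed password against the guidance in this section.

    personal_terms are words an attacker could find on social media (pet
    and family names, employer, hometown). Returns a list of failures; an
    empty list means the password passes.
    """
    problems = []
    if len(password) < 20:
        problems.append("shorter than 20 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    lowered = password.lower()
    if lowered in (w.lower() for w in COMMON_PASSWORDS):
        problems.append("appears in common-password list")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a four-digit year")
    return problems


if __name__ == "__main__":
    # A stored hash of a weak password falls to the list immediately...
    stolen = sha256_hex("Password1")
    print("recovered:", dictionary_attack(stolen))
    # ...while a long passphrase with mixed character classes does not.
    print("recovered:", dictionary_attack(sha256_hex("Correct-Horse-Battery-Staple-42!")))
    print(check_password_policy("Fido2019Birthday!!!!!!!", personal_terms=["Fido"]))
```

Note that `Fido2019Birthday!!!!!!!` satisfies every length and character-class rule yet still fails, because the checker also rejects personal terms and years; that is the point of the “avoid guessable information” advice, and it is why a long random passphrase from a password manager is the safer default.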
Common Employee Mistake 2: Oversharing Personal Details Online
While sharing or participating in social media may be entertaining, posting pet and children’s names or other personal information is an opening for a cyber attack. Social media “prompts” and quizzes (first pet, first car, mother’s maiden name, high school) ask for exactly the details used in password-reset security questions, and they let hackers collect the personal context needed for a targeted spear-phishing attack.
Your employees should know that anything they post publicly could be used by a cybercriminal targeting them. For example, a phishing email purporting to be from an organization’s head of accounting may be more successful if it opens with, “Hey Sue, I hope you’re enjoying the Caribbean,” before asking for sensitive account details. Believing her accounting head knew of her vacation through work channels, Sue is more likely to fall for the social engineering scam, when in reality it was an easily personalized line made possible by the culprit finding Sue’s social media posts about her trip. When cybercriminals are pretending to be someone else, any small detail gleaned from social media oversharing could make the difference in convincing the target they’re dealing with a trusted contact.
Solutions for Oversharing
- Establish Clear Policies: Organizations should develop comprehensive social media and confidentiality policies that clearly outline what employees can and cannot share online, especially regarding work-related information. NDAs can legally bind employees to confidentiality, making them more cautious about what they share online.
- Training and Education: Regular training sessions can help employees understand the risks of oversharing online and the importance of maintaining professional boundaries. Assisting employees in understanding and maintaining the boundary between their professional and personal online personas can reduce oversharing.
Common Employee Mistake 3: Using Device Defaults and Settings
Every employee endpoint device represents a potential attack vector for cybercriminals. Laptops, smartphones, tablets, and even connected Internet of Things (IoT) devices can offer bad actors routes to hack into an organization’s networks and systems. Factory-default configurations and credentials are published in vendor manuals and collected online, and cybercriminals can exploit unpatched devices, out-of-date software, or default passwords that were never changed.
Bring-your-own-device (BYOD) policies also introduce cyber risk in an organization. Kaspersky’s research says over half of all businesses (54 percent) have had data exposed because employees have lost the personal devices that they use for work. The more organizations allow employees to access sensitive data on personal devices outside of the work environment, the more at risk the organization and its data become.
Solutions for Employee Device Risks
- Educate Employees: Conduct regular cybersecurity training sessions to inform employees of the risks associated with default settings and the importance of maintaining proper device configurations. Teach them to do the following:
  - Change Default Credentials: Change default usernames and passwords to strong, unique credentials.
  - Configure Security Settings: Review and adjust the device’s security settings to enhance protection. Enable the built-in firewall, disable unnecessary services, and configure privacy settings to limit data sharing.
  - Enable Encryption: Ensure device encryption is enabled to protect the stored data. Encryption is especially important for mobile devices and laptops, which are more susceptible to theft or loss.
  - Update and Install Patches Regularly: Keep the device’s operating system and all installed software current. Regular updates often include patches for security vulnerabilities that attackers could exploit.
  - Disable Remote Access: If remote access is not needed, deactivate it. If remote access is essential, secure it with strong passwords, multi-factor authentication, and other security measures.
- Implement Device Management Policies: Use device management tools and policies to enforce security settings and configurations across all company devices. Your policy may include requiring encryption, mandating password changes, and ensuring timely software updates.
Find Resources for Your Team at RAMPxchange
Setting a good example in cybersecurity leadership begins by partnering with providers who can train employees in best practices to ensure they don’t expose themselves or the organization to unnecessary risk. Empowering employees through education, plus frequent reminders about password hygiene and software updates, can help drastically reduce the human error and risky behaviors that often lead to breaches and successful cyberattacks. Contact a RAMPxchange marketplace representative today to learn more.