Oct 17, 2016
Not all security breaches happen because of malicious intent. Some of the most common security issues are caused by bad habits ingrained in employees’ day-to-day routines. Thankfully, these potential threats and vulnerabilities are possible to reduce, by improving organisation-wide awareness of the most common information security mistakes.
1) Using Insecure Devices for Work
Organisations have no control over the applications and security measures installed on an employee-owned device. With the prevalence of Bring Your Own Device (BYOD) growing year-on-year, devices are increasingly being connected to company networks, and used to access sensitive information. In doing so, employees can bypass the majority of your organisation’s security measures, and introduce insecure applications into the company network – creating a host of serious vulnerabilities for malicious third parties to exploit. These risks can be mitigated by developing a BYOD policy, and ensuring minimum standards of security are adhered to across all devices connected to the company network.
2) Poor Mobile Security
Any devices that are able to remotely access a corporate network are capable of introducing information security vulnerabilities. It’s important to ensure that all mobile access to sensitive information is protected by end-to-end encryption, and that secure data isn’t stored locally on the device. Basic security measures, like security PINs, will prevent unauthorised access in the event of theft or loss.
3) Using Weak Passwords
Password protection is one of the most commonly used security tools available, and a strong, randomly-generated password can be an effective deterrent against attack. Unfortunately, many employees will neglect to change default passwords, or will replace them with easy-to-guess words. Common choices like 123456 and password will take seconds for an attacker to guess; and if your organisation uses a single sign-on system, or your employees use a single password across multiple systems, malicious parties will gain access to a lot of sensitive information. Thankfully, weak passwords are relatively easy to overcome, thanks to simple measures like two-factor authentication.
4) Printing Sensitive Information
With dozens of programs requiring separate passwords and login credentials, employees often rely on post-it notes, whiteboards and print outs to remember their passwords. Whilst this practice may seem harmless in an office full of in-house staff, there’s no way to monitor the actions and intentions of guests and after-hours visitors. Passwords should never be written down or printed-out, and whiteboards with sensitive information on need to be regularly erased. The same principles apply to other forms of sensitive data, including client details and customer payment information. If it’s essential to print out this type of information, ensure it’s stored under lock and key.
5) Poor Awareness of Social Engineering Attacks
Social engineering may sound like something out of a spy movie, but it’s a very real problem for large organisations. Malicious parties can gain access to sensitive information through simple manipulation tactics. Common strategies include hijacking employee social media accounts, making phone calls claiming to be a colleague or client, and even gaining access to premises using sheer power of persuasion. Each of these tactics can be foiled by vigilance.
6) Falling for Phishing
Phishing attacks have a lot of parallels with social engineering attacks – using emails from apparently trusted sources, and creating fake webpages and login portals, to encourage employees to part with user credentials. As with social engineering, vigilance is the most powerful defence against phishing. Train employees to only engage with links and attachments that come from a trusted sender, and are in-character with the type of material they’d normally share. It’s also good practice to encourage users to check the URL of a webpage before entering any login details.
7) Granting Unnecessary User Privileges
Simply put, the fewer employees have access to sensitive information, the lower the risk of security breach. Whilst restricting data privileges may generate an increased need for case-by-case access approval, doing so will make it much easier for security teams to monitor and log all instances of secure data access – a crucial component in preventing and surviving an information security breach.
8) Intentionally Disabling Security Features
Some employees may view security measures as being detrimental to usability. If these users have administrative privileges, crucial security systems may end up paused or disabled, with potentially disastrous consequences for the entire network. Aside from limiting the availability of administrative privileges, it’s important to educate users about the importance of all security measures. eLearning courses can help users engage with security measures on their own terms, and prevent usability conflicts from arising.
9) Unauthorised Application Use
With a huge selection of productivity-enhancing tools and software available, employees will sometimes choose to install and use non-approved software on the corporate network. Shadow IT practices like these make it extremely hard for IT departments to monitor application usage, and identify and remedy potential threats – and even something as innocuous as hosting work information on a private DropBox account can introduce serious security risks. If employees are showing a need for additional applications, listen to their needs, and try to find a secure IT-approved application to roll-out across the organisation.