With security awareness training only just creeping up on businesses, end users are still way behind when it comes to modern cyber threats. They're still making the same old mistakes - but what are they? Here's a list of our top 5 mistakes that your employees are still guilty of on a daily basis.
The repercussions of bad cyber security practice seem to be staring us all in the face a lot more in recent times, especially with the publicity of recent breaches. But it isn't just powerhouse organisations such as Google, PayPal and the NHS that are feeling the burden -- companies of all sizes are still holding the door wide open to potential attacks.
With GDPR now in place, it's crucial for everyone in a business to understand the cyber risks and how they can reduce them; after all, you are dealing with valuable data.
It's more important than ever to ensure that all end users are made aware of what their actions (or lack of action) could mean for the business. From the CEO to lower-level employees, simple cyber security mishaps are taking place at all levels.
So, we've picked 5 of the most basic and most common mistakes your users are making day-in, day-out...
#1. They trust emails too much
No matter how old or how simple a social engineering trick might be, there are always some people who will fall victim to the scam. There can be a number of reasons for this, from an employee powering through a mountain of emails to someone never having received awareness training around such security risks. Combine this with the fact that scams (such as phishing) are becoming much more sophisticated and cunning, and employees failing to question the emails they receive can become a significant problem for a business.
The reality is, more employees should be encouraged to question the emails they're getting. Of course, putting every email that pops into our inbox under a microscope isn't the answer. But there are telltale signs that can be spotted in fraudulent emails and messages, and if the end user is able to spot them, then your human firewall can boast some added strength.
*Added Bonus* Want to boost your employees' security awareness for free? Download our free GDPR and Security Awareness posters today!
#2. "It would never happen to me anyway!"
When it comes to cyber security, one of the most common misconceptions among users is that technology keeps us fully out of harm's way. Of course, IT security is vital for businesses, but it will never offer complete protection. There's also the mindset of "a hacker wouldn't target us", which is a scary thing to hear from IT leaders and couldn't be further from the truth.
With spear-phishing taking aim at the C-suite, and mass-automated phishing attacks targeting any user unwittingly ready to take the bait, the simple fact is that everyone is a target. This complacency is all the more worrying because most employees hold far more company-sensitive information than they realise.
It's important to raise awareness of the fact that we all have valuable company data, and that cyber criminals don't discriminate by job role or function. Add to that the possibility of opening a gateway for ransomware, and company operations, reputation and finances really are at risk from any employee's actions.
"Entertainment, social media, and rewards/recognition were the largest motivators for successful phishing attempts against business employees" ( https://www.comparitech.com/blog/vpn-privacy/phishing-statistics-facts/ )
#3. "ANOTHER software update?!"
Perhaps it's down to cyber security fatigue, but many of us seem to shun notifications of software updates with a heavy sigh. After all, whether we're on our laptop, desktop or mobile, our needy apps and devices always seem to require our attention. But few of us understand just how big the risks of not updating our devices are, especially at work.
Failing to update our software leaves the door wide open to attackers looking to take advantage of known, unpatched flaws. Look at the recent WannaCry ransomware attack on the NHS, and you have a perfect example of the kind of risks that come with not properly configuring automatic operating system updates for all PCs.
"80% of all attacks involve a weak or stolen password."
#4. Their passwords are weak
The days of people writing passwords on post-it notes are hopefully more a thing of the past than of the present. But with the average person now needing 22 separate passwords across their professional and personal lives, our heads are scrambled. That's one reason why so many users reuse the same old password on multiple sites and devices. Not only are they reused, but they tend to be generic and easy to guess (123456 and qwerty spring to mind!).
For online criminals with access to huge computing power via the dark web, brute-forcing passwords is increasingly fast and easy. The good news is that more web providers are forcing users to create more complex passwords. But for the ones that aren't, a password manager can be a good way of avoiding repeated or easy-to-guess credentials.
#5. Social media isn't seen as a threat
Social media is one of the newer hunting grounds for cyber criminals (here are some of the main bad habits putting your company at risk), although it has gathered pace quickly. The modern mobile workforce means that workers everywhere are never far from glancing at their social accounts. But for all the time we spend on social media, most users fail to look after the security of their accounts. In fact, a 2016 survey showed that 58% of people do not know how to update their privacy settings.
As with email, encourage users to check the authenticity of the sender and whether they look credible, as well as the message and the link (which will likely be shortened). Beware of trending hashtags too, as many people are now using fake news to trap unsuspecting Twitter and Facebook users trying to catch up with the "latest breaking news".
The list of cyber security threats is endless. Everyone in your business is a target, no matter their role. Making your employees aware of their mistakes is the first step, and the next is to mitigate those risks to prevent cyber attacks from occurring. If you want to gain more insight into your employees' resilience to social engineering, here we have a free risk assessment for you to try.
Here is an overview of the top 5 security mistakes your employees make on a daily basis: