The larger your organization grows, the more challenging it becomes to secure your company’s sensitive information and internal data. A major information leak can drastically damage your firm’s reputation and overall integrity — especially if personally identifiable information about your customers is exposed. The Ponemon Institute’s 2016 Cost of Data Breach Study found that the global average total cost of a data breach is $4 million USD, up 29% since 2013.
Here are some of the most common IT security errors you and your employees are probably making:
1. Weak Passwords & Password Reuse
123456? Password? Qwerty? Football? Do any of these look familiar? These are among the most commonly used passwords. Yes, it can be a pain to remember a different password for every application and account, but a weak password is one of the easiest openings a malicious user can leverage to steal sensitive company data.
Password reuse is another major issue. Employees will often reuse the same password across all applications simply out of convenience. What they don’t anticipate is that it only takes one compromised password for a malicious user to gain access to all their accounts.
To mitigate weak passwords, use a memorable passphrase mixed with numbers and symbols that meets password length and complexity requirements, for example Chocolatecak3saretheBEST! Even better, use a password generator to create a random password for each application and enable two-factor authentication wherever possible.
Open source, free password managers such as KeePass include a built-in tool to generate random passwords and store them securely as well, so you never have to remember a password again. Read this guide for more tips on how you can improve your password habits.
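As an added illustration of the advice above (this is example code written for this post, not a tool from the original article or from KeePass), the following Python shows the two halves of the fix: generating a random password from a cryptographically secure source, and checking a candidate against the length, complexity and common-password rules the section describes. The common-password set and the account list are constructed samples, and the thresholds (12 characters, three character classes) are assumptions standing in for whatever your policy requires.

```python
import secrets
import string

# Constructed sample of commonly used passwords (illustrative, not a real breach list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "football", "letmein", "welcome"}

# Assumed policy thresholds; substitute your organization's own requirements.
MIN_LENGTH = 12
MIN_CLASSES = 3
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(password: str) -> list[str]:
    """Return the policy violations for a password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password with the secrets module (a CSPRNG, unlike random).

    Regenerates until the result satisfies check_password, so a caller never
    receives a password that happens to miss a character class.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def find_reused(passwords_by_account: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to the accounts sharing it.

    This models the reuse risk: one leak of a shared password exposes every
    account listed against it.
    """
    accounts_by_password: dict[str, list[str]] = {}
    for account, password in passwords_by_account.items():
        accounts_by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    for pw in ("football", "Password", "Chocolatecak3saretheBEST!"):
        print(pw, "->", check_password(pw) or "ok")
    print("generated:", generate_password())
    # Constructed account list showing one password shared across three services.
    sample_accounts = {"email": "football", "crm": "football", "vpn": "football", "hr": "Ch0c0late-Cake!"}
    print("reused:", find_reused(sample_accounts))
```

The generator's retry loop is the important design choice: drawing characters uniformly from the full alphabet is what gives the password its entropy, and the policy check is applied afterwards only to reject the rare draw that lacks a class, rather than biasing the draw itself.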
2. Insecure Mobile devices
Out of convenience, many people do not protect their mobile devices with a PIN or a password. This is one of the quickest ways a malicious user can gain access to your mobile device and the confidential data on it. You should set a 4 to 6 digit passcode on all mobile devices and be particularly vigilant about mobile devices with access to corporate data and email.
Devices connected to corporate data should be enrolled in a bring-your-own-device (BYOD) or other device management policy. This allows an IT administrator to enforce password complexity, device encryption and other security settings. This also allows for IT administrators to perform remote data wipes in the event that an employee loses their device.
Mobile devices should also stay updated with the latest security patches. Although installing software updates takes time, you and your employees will be thankful you did when an intruder fails to exploit an old vulnerability to break into the device.
3. Being Tricked by Phishing Emails
Phishing emails are a form of social engineering which employees often fall for due to their official-looking nature. Typically, a recipient will receive an email from an attacker (known as a “phisher”) that at first glance appears to come from a legitimate business such as a bank or a credit card company.
The email usually requests the target recipient to verify some information or informs the recipient that they’ve received a critical notice in their online account. A link will be provided in the email which, when clicked, directs the recipient to a web page that appears entirely legitimate, complete with company logos and content. It is usually a login page requesting the recipient’s username and password or some other form that requires the recipient to enter private information. Once the data is input and “submitted”, the form may display a submission error or may not seem to take the user anywhere further; this is the moment when the recipient may finally realise that they’ve become a victim of phishing — but by now, it’s too late.
It is important for you and your employees to recognize phishing emails up front and not be tricked by them. Take a closer look at the address the email is actually sent from. Check the legitimacy of the URL where you’re being asked to “log in” or “verify” information. Know that your bank and credit card company will never ask for verification of personal data via an online form.
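The "check the legitimacy of the URL" step can be made mechanical, and the following Python is an added example of that check (written for this post, not code from the original article). It assumes a hypothetical organization whose only legitimate login domain is examplebank.com, and it flags the patterns awareness training teaches people to look for: a non-HTTPS link, a raw IP address as the host, credentials placed before an "@" so that the real host is hidden, and a host that merely contains the brand name while actually belonging to a different registrable domain. All URLs in the usage block are constructed samples.

```python
from urllib.parse import urlsplit

# Assumed: the registrable domains the organization really uses for sign-in.
TRUSTED_DOMAINS = {"examplebank.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    This is a deliberate simplification: a production check should consult the
    Public Suffix List so that e.g. bank.co.uk is not reduced to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url: str) -> list[str]:
    """Return warnings for a link; an empty list means it points at a trusted domain over HTTPS."""
    warnings: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # Everything before '@' is treated by browsers as user info, not the host.
        warnings.append("credentials embedded before the host; the real host follows the '@'")
    if not host:
        warnings.append("no host in URL")
        return warnings
    if all(ch.isdigit() or ch == "." for ch in host):
        warnings.append("host is a raw IP address")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings

    # A host that contains the brand name but resolves to another registrable
    # domain is the classic lookalike; report it separately from a plain stranger.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            warnings.append(f"host imitates {trusted} but its registrable domain is {domain}")
            break
    else:
        warnings.append(f"host {host} is not a trusted login domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, one legitimate and four suspicious.
    for link in (
        "https://login.examplebank.com/verify",
        "https://examplebank.com.account-check.example/login",
        "http://examplebank-secure.example/login",
        "https://203.0.113.7/login",
        "https://examplebank.com@not-the-bank.example/login",
    ):
        print(link, "->", assess_link(link) or "ok")
```

Note that the check evaluates the URL the link actually points to, so when applying it to an email the href attribute, not the visible link text, is what should be passed in.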
4. Being Unaware of Other Forms of Social Engineering
Other forms of social engineering outside phishing emails do exist. In general, social engineering is when someone is manipulated into divulging confidential information, sharing system access, or granting physical office access as part of a fraudulent scheme. Social engineering most commonly occurs via phone calls or text messages. However, in-person social engineering can happen as well, for example criminals pretending to be exterminators, fire marshals or technicians who sneak into offices unnoticed and attempt to steal sensitive information.
It is important for employees to understand what social engineering is and be able to recognize it when it happens so they do not share sensitive information, system access, or physical office access with a criminal who is posing as an authorized person — whether the malicious person calls, texts, or shows up in person.
5. Accidentally Distributing Sensitive Information to Unauthorized Users
With the pervasiveness of the internet and the ease with which emails can be forwarded almost instantly, in just a few clicks, from desktop and mobile devices, the risk of your employees inadvertently distributing sensitive information and corporate documents to unauthorized users is very high. It is quick and easy for employees to transfer files onto personal cloud accounts (Google Drive, Dropbox, Apple iCloud, Microsoft OneDrive) or onto portable flash drives and external hard drives they can physically carry around (or misplace!). Confidential content may also be innocently printed and left lying around desks, printer rooms, or in recycling bins. Even a computer left unlocked while an employee pops out for a lunch break poses a data breach risk.
It is important for employees to understand that they are responsible and accountable for the security of corporate and client information. Printed materials that are confidential should be securely stored, or shredded if no longer required. Sensitive documents should only be sent to authorized users via encrypted methods, with the password needed to open the document sent separately. Such documents should not be forwarded or copied to unauthorized users. Give employees guidelines on what they should and should not copy onto personal hard drives or personal cloud accounts, and encourage them to lock their computer whenever they take a coffee break.
At Security Compass, we’ve even established a company-wide gamification culture as a solution, by encouraging employees to prank colleagues who carelessly left their computer unlocked in an embarrassing but friendly manner — akin to mortifying Facebook status updates posted on accounts that aren’t logged out.
These are just a few information security errors which you or your employees are probably making right now, risking your company’s reputation and overall integrity. But don’t worry — there are methods to mitigate this.
The best way to proactively defend against these risks is to educate yourself and your employees — so that everyone is aware of the risks, can recognize the threats, and ensure that their actions, however innocent, do not compromise the integrity of company secrets.
A surefire way to educate yourself and your employees even if you’re not security professionals is to undergo general security awareness training. Incorporating security awareness training into every new employee’s onboarding period ensures that your company’s confidential data is secure from the start, potentially saving your company millions of dollars in the long run.