Security 101: 4 Human Errors that Threaten Cybersecurity
The accusations of cyber tampering surrounding the 2016 elections has resulted in dozens of news articles about hacking and the vulnerabilities in voting equipment and voter registration systems. While malicious activity is a challenge for IT managers in any industry, a 2015 CompTIA IT Security Study showed that simple human error is also a serious threat to the integrity of an organization. Failure to follow policies and procedure rates as the number one human error, followed by general carelessness in second place. This carelessness is usually born out of choosing convenience over security best-practices.
Here are 4 mistakes regularly made by a company’s own employees, with simple preventative measures that you can apply immediately.
Using unsecured laptops or mobile devices
Company-, state- or county-owned equipment should always be password protected and have tracking and wiping software. Unfortunately, this is not always the case. Whether there is no process or protocol for installing these protections in the first place, or if it is disabled by an employee for the sake of convenience, unsecured devices being lost or stolen is a dangerous cyber security threat. After all, hacking a server is much harder than stealing a laptop.
Solution: Apply a Mobile Device Management solution to manage and secure equipment.
Choosing Password Convenience over Security
Another significant human error includes the use of default usernames and passwords, or easy-to-guess passwords. Using the same passwords for multiple accounts, and changing them only by one character when they expire is also common practice (we’ve all been there!). Security can easily be improved by using multi-factor authentication, where primary authentication relies on something that you know (i.e. a password), and additional factors use something you have, such as a physical device to protect systems from unauthorized remote access. For voter registration administrators who have to access multiple databases every day, an IT department may recommend the use of a password manager service.
Solution: Follow NIST guidelines for password strength, and recommend a company-vetted password manager.
Sharing sensitive information via incorrect email address
Another common tradeoff between convenience and security is with the auto population of an email address. You’ve emailed this person many times before, but this time someone with a similar email address pops up instead, and you inadvertently send sensitive data to the wrong person.
Solution: For the most secure solution, use encryption applications that require the recipient to log-in to receive data, reducing the chances of the wrong person gaining access. Establish protocols and train staff regularly on security awareness.
Opening infected attachments or clicking on unsafe URLs
Phishing emails designed to gain access to your account password are very common, and usually they are easy to identify with some basic training. The email address may have odd characters or an incorrect domain, or the text in the body of the email is oddly phrased. (When you are a Mrs. and the salutation reads “Dear Sir,” it’s a sure sign to delete!) Similar rules apply to emails containing attachments that end up being malware.
Solution: Set organizational rules to block and filter the majority of these types of messages. Train employees on common signs of phishing.
All the issues mentioned above can be mitigated through strong adherence to following proper procedures, and a proactive IT department who collaborates with staff to find the proper balance between security and convenience.