82% of confirmed data breaches against organizations involved the human element, according to the latest Data Breach Investigations Report. This means that many security issues in the workplace could be avoided with protocols that take into account human error or internal malicious activity.
In fact, employee negligence is the main cause of data breaches, CNBC reported. Behaviors that lead to cybersecurity incidents include leaving devices unlocked, using weak passwords, and not updating devices.
Let’s dive deeper into the top five riskiest employee cybersecurity issues in the workplace.
If you’d first like to review the elements of a solid cybersecurity strategy, download Impact’s eBook: What Makes a Good Cybersecurity Defense for a Modern SMB?
1. Using Weak Passwords
The most commonly used passwords include “password,” “123456,” “qwerty,” and many others that users did not put much effort in creating. Employees often use birth dates, their children’s names, or similar personal information as passwords as well. However, using weak passwords is a security risk for businesses as well as individuals.
Malicious actors can use a dictionary attack, an automated attempt that tests a user’s credentials against lists of common or easily guessed passwords, as one route to a data breach.
Preventing Weak Passwords
To avoid this security issue, schedule compulsory password resets for employee devices and accounts. These passwords should be at least 16 characters long, include numbers and symbols, and not be repeated across accounts.
Additionally, requiring your staff to use MFA will greatly decrease the chance of hacking through stolen credentials. MFA, or multifactor authentication, asks a user to prove they are who they claim to be through an additional method besides a password.
MFA can block over 99% of account-compromise attacks, according to Microsoft. Your employees can use various MFA methods, such as codes sent via text or an authenticator app, fingerprint scans, or device notifications.
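As an added illustration (not part of the original article or of Impact’s materials), the following Python function enforces the policy described above and also shows why a dictionary-based check matters: it normalizes a candidate the way cracking tools do (lowercasing, undoing common letter-to-symbol substitutions, dropping trailing digits and symbols) before comparing it to a list of common passwords. The common-password list, the sample passwords, and the password-history check are constructed for this example; a real deployment would load a large breached-password list and compare history using the same slow, salted hash as its credential store.

```python
import hashlib
import string

# Minimum length from the policy in the text above.
MIN_LENGTH = 16

# Constructed sample dictionary for the example. A real deployment would load
# a large breached-password list (hundreds of millions of entries) instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Substitutions that dictionary-attack tools try automatically, so a
# "complex-looking" variant of a dictionary word buys no real protection.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Undo the mangling rules a cracker applies: trailing digits/symbols,
    case, and leet substitutions (e.g. 'P@ssw0rd2024!' -> 'password')."""
    base = candidate.rstrip(string.digits + string.punctuation)
    return base.lower().translate(LEET_MAP)


def sha256_hex(value: str) -> str:
    """Illustrative history hash; production code should use the credential
    store's slow, salted hash instead of bare SHA-256."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def policy_violations(candidate: str, previous_hashes: frozenset = frozenset()) -> list:
    """Return the reasons a candidate fails the policy; an empty list means accepted.

    previous_hashes holds hashes of the user's earlier passwords so that reuse
    can be refused.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in candidate):
        reasons.append("contains no digit")
    if not any(ch in string.punctuation for ch in candidate):
        reasons.append("contains no symbol")
    if normalize(candidate) in COMMON_PASSWORDS:
        reasons.append("is a variant of a commonly used password")
    if sha256_hex(candidate) in previous_hashes:
        reasons.append("reuses a previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords: a padded dictionary word still fails.
    for sample in ["P@ssw0rd2024!", "Qwerty123456789!!", "correct-horse-battery-9!"]:
        print(sample, "->", policy_violations(sample) or "accepted")
```

Note that "Qwerty123456789!!" satisfies the length, digit and symbol rules yet is still rejected, because the normalizer reduces it to the dictionary word "qwerty". That is the check that length-and-complexity rules alone cannot provide.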
2. Oversharing on Social Media
The information you or your employees share online can be used to deploy cyberattacks such as phishing or spear phishing.
With phishing, a malicious actor sends unsuspecting victims emails or messages pretending to be someone they may know, or a trusted entity such as a big corporation. These messages will ask the user to click malicious links, download malware files, share company data, or submit payments without the user suspecting the sender.
Spear phishing is a more targeted form of phishing, in which a customized email is sent to specific individuals. The email is personalized to appear as if the sender is well acquainted with the victim.
In 2022 alone, 255 million phishing attacks were recorded. How do cybercriminals keep crafting emails that trick users?
People often provide that information themselves on social media. Users sometimes share their age, location, common habits, details about company events, etc. without ensuring strict privacy settings.
Additionally, prompts such as “Your new name is your middle name plus your car’s brand,” or “Share the name of your first pet,” are designed to get information that can allow a bad actor to craft a personalized email.
Preventing Social Media Blunders
Employee cybersecurity training is the best weapon against phishing. When your employees understand phishing red flags, they will be less likely to click on malicious links.
To avoid phishing lures, double-check the sender’s address and domain name. Hovering over a link to confirm where it actually leads also helps you avoid clicking malicious links.
Also, train your staff to be aware of what should and shouldn’t be shared online, especially if their social media accounts are visible to the general public.
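The two red flags above, a sender domain that does not match the claimed sender and a link whose visible text differs from where it actually points, can also be checked automatically as a mail-filtering aid. The following Python script is an added example, not code from the original article or from Impact. The email message and the `KNOWN_SENDER_DOMAINS` mapping are constructed for the illustration, and the `.invalid` domains are reserved placeholder names, not real hosts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example (not a real phishing email).
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@example-bank-login.invalid>
To: employee@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be locked. Please verify at
<a href="http://account-verify.invalid/login">https://www.example-bank.com/secure</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
</body></html>
"""

# Constructed mapping: domains a brand legitimately sends mail from.
KNOWN_SENDER_DOMAINS = {"example bank": {"example-bank.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Good enough for this illustration;
    real code would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable red flags found in the message (empty list = none)."""
    indicators = []
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg["From"])
    sender_domain = address.rsplit("@", 1)[-1].lower()

    # Red flag 1: the display name claims a known brand, but the actual
    # address domain is not one the brand uses.
    for brand, domains in KNOWN_SENDER_DOMAINS.items():
        if brand in display_name.lower() and registrable(sender_domain) not in domains:
            indicators.append(f"display name '{display_name}' but sender domain '{sender_domain}'")

    # Red flag 2: the link text shows one URL while the href points elsewhere,
    # which is exactly what hovering over the link would reveal to a user.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if re.match(r"https?://", text):
            shown = urlparse(text).hostname or ""
            actual = urlparse(href).hostname or ""
            if registrable(shown) != registrable(actual):
                indicators.append(f"link text shows '{shown}' but points to '{actual}'")
    return indicators


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Only links whose visible text is itself a URL are compared, because a mismatch between descriptive text ("our help center") and a destination is normal; a mismatch between a displayed URL and the real destination is the lure the text above warns about.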
3. Leaving Default Configurations on Devices
Most devices ship with the manufacturer’s default configuration. These standard configurations are well documented on the Internet, and cybercriminals know and share this information.
Whenever new device or software vulnerabilities are discovered, bad actors also take the opportunity to exploit devices that have not received the corresponding patches.
One example is attackers using a device’s default configuration to impersonate a trusted server. From there they can harvest credentials and later use them to break into accounts, or sell them to other cybercriminals.
Protecting Your Devices
Ensure your company devices are continuously updated so you can benefit from any security patches manufacturers release. If your employees work remotely, require scheduled updates to avoid leaving open vulnerabilities.
Check with your IT department or cybersecurity teams to ensure any default settings that could lead to a cyberattack are changed.
4. Using Default Passwords on Devices
Even worse than weak passwords, employees may leave Internet of Things (IoT) devices with their default passwords, not realizing these devices can be an entry point from the Internet. Such devices include printers, security cameras, switches, and network-attached storage (NAS), among a growing number of others.
These devices may seem less valuable to cybercriminals than a computer, but they can be one route into the network. Once inside an environment, hackers can move on to other areas and escalate their privileges.
For example, hackers can enroll printers in a botnet. A botnet, a network of infected devices, can then be used to steal data and carry out ransomware attacks.
Preventing the Use of Default Passwords
Similar to preventing weak passwords, this risk can be avoided if password updates are scheduled regularly and if employees take advantage of MFA and good password hygiene.
Password hygiene practices include using longer passwords or passphrases, changing passwords often, and not reusing passwords for different sites or devices. These simple steps are great ways to keep a company secure.
5. Lack of Training
This cybersecurity issue is a leadership one. If your organization does not provide employees with much-needed training, they may not be aware of the various pitfalls that can lead to a data breach.
Effective cybersecurity training is engaging and interactive. Your employees should learn risks and techniques relevant to their roles and be able to practice the skills that will protect the company’s devices and data.
Consider assigning leaders to advocate for good cybersecurity behaviors in the workplace. Consult with your IT or cybersecurity team to begin implementing a training program that can help every employee become more secure.
If these resources are not available to you, consider partnering with a cybersecurity provider that can train your employees and offer a strategy to protect your whole organization.
In Conclusion
Human error or negligence can lead to vulnerabilities and data breaches. Risky employee mistakes such as using weak passwords, sharing personal information on social media, and not updating devices can be easily avoided.
Training your employees or benefitting from cybersecurity services to create a program for your business can minimize risks and strengthen your overall cybersecurity standing.
To check whether your business has a strong cybersecurity posture, download Impact’s eBook: What Makes a Good Cybersecurity Defense for a Modern SMB?