When it comes to taking showers, brushing one’s teeth and maintaining health through cleanliness, one of the most effective ways we can protect ourselves and others from illness is good personal hygiene. Same goes for protecting ourselves and others online through cyber hygiene. The most effective way to protect ourselves and others from cyberattacks is by implementing good habits of cyber hygiene.
With so much of our lives digitally available, you would think individuals are placing a premium on protecting their most sensitive information. But when dealing with cyber hygiene, most people are not as diligent as they should be.
From end users in any department at your organization to your IT manager, today, everyone makes security mistakes that have the potential to put data at risk. In part one of this two-part series, we’ll discuss the common mistakes made by end users within an organization. In the next installment, we’ll tackle the same topic from an IT manager’s point-of-view.
1. Employing Crappy Passwords
One mistake that end users in your organization consistently make is choosing a poor password. We’ve all heard of people using “12345,” “password” or some other easily guessed secret word or phrase to gain admission. But when users employ multiple passwords that are not complex enough, they expose themselves to the risk of brute force attacks.
In order to be difficult to guess, passwords should include a combination of capital and lowercase letters, numbers, and symbols — and they should be changed frequently. The shorter and simpler the password, the faster a hacker will guess it. But when creating a complex password, it should be stored somewhere safe like LastPass — not on a sticky note stuck to your computer monitor.
Password security can be difficult — and not because selecting a strong password is a challenge (there are hundreds of online password generators out there). Instead, password security can be difficult because it’s inconvenient. In the interest of convenience, end users often recycle the same password across numerous accounts and platforms or use the same password for years on end. With daily cyberattacks proliferating at a rate more rapid than ever, password age, complexity and length are critically important.
2. Opening Email Attachments from People They Aren’t Familiar With
We’ve all heard of that unfortunate Nigerian prince who just can’t access his money at the moment, but he has your email address, and if you send him a certain amount of cash, he’ll reimburse you — and then some! The email scam has lasted in various forms for decades, but people don’t actually fall for this, do they?
Actually, yes. Users open email attachments before thinking all of the time. However, end users need to be more careful about opening notes or files — even from people they think they “know.” In fact, the FBI points to a recent increase in the volume of business email compromise scams hitting enterprises that purport to be from the CEO, CFO or another top executive inside the target company. These scams usually say something to the effect of, “funds need to be transferred immediately to an outside account,” and come from a spoofed sender that appears as company leadership. Losses from these types of schemes have hit $2.3 billion.
Phishing emails are designed to look like legitimate messages from actual banks, businesses and other organizations, but they are actually from cybercriminals attempting to pilfer your money, identity or both. End users should ensure the email has proper spelling and grammar, that the linked URL is the same as the one shown, that it does not ask for immediate action and that it does not request their personal information before clicking on a link.
3. Stolen or Misused Data
In most cases, it’s an end users’ negligence or a mistake that leads to breaches. In fact, the Experian 2015 Second Annual Data Breach Forecast suggests that employee mistakes will be a top threat to companies, but sometimes, company insiders simply steal sensitive data.
The most effective strategy is to limit risk by only giving users access to the data they need to effectively do their jobs. Instead of reacting after sensitive data is stolen, organizations should take proactive steps to mitigate the risk of insider data theft, including establishing an adequate use policy, training employees on that use policy, removing temptation, providing a way for employees to easily report suspicious activities and staying vigilant, especially when employees leave the company. Today, many former employees are still able to use old usernames and passwords from jobs they’ve left to gain access to sensitive information such as price lists, customer data, and product plans.
Making matters worse, users mishandle company information all the time. Whether emailing a sensitive document to a personal machine at home, asking an administrative assistant at a client’s office to print out a document or leaving sensitive information on computers, fax machines and scanners that have little or no password protection, mishandled data can lead to a substantial breach.
4. Using Unprotected Personal Devices
While the proliferation of BYOD policies has helped improve morale and productivity among workers, users don’t consider the consequences of loading sensitive data onto personal smartphones and bringing it with them wherever they go. And many users aren’t even taking basic security steps with their devices. Consequently, it’s important for IT departments to create policies and ensure they’re being enforced before devices are granted access to the network. In addition, people often don’t take precautions when they dispose of an old device that was once tethered to their company’s network.
5. Using Outdated Software
Unfortunately, many cyberattacks target vulnerabilities that have been patched for months or even years because hackers and bad actors know that many systems are running outdated versions of software.
In fact, “A Growing Risk Ignored: Critical Updates” revealed that more than 2,000 organizations run more than half of their computers on outdated versions of an operating system, making them almost three times as likely to experience a publicly disclosed breach. Additionally, the report revealed that more than 8,500 organizations have over 50 percent of their computers running an out-of-date version of an internet browser, which doubles their chances of being breached.
Regrettably, end users often see notifications that updates are available, but do nothing because they’re too busy or concerned about installing software on their own. But procrastinating on installing necessary updates (for programs like Windows, Java, Flash, and Office) is a misstep that can help cybercriminals gain access to a company’s system.
Many common vulnerabilities are easy to find and relatively simple for hackers and bad actors to exploit because of insecure programming practices, and the lack of patch configuration and maintenance opens the door for breaches ranging from ransomware to data disclosure attacks. Delayed patching is a risky proposition. Consequently, the need for a fast and effective vulnerability patching solution has never been greater.
Enter Automox’s easy-to-install, cloud-based, automated patching solution. Our lightweight agent allows IT professionals to control their level of patch management automation, flow processes, and configuration enforcement, all from a single dashboard, and the platform can patch any system and any software in any location.
With no endpoint limit, no credit card required to sign up, and a trial that includes complete access to the state-of-the-art platform, try Automox to better protect your end users today. While automated patch management can reduce the potential for a breach, mistakes still happen. But with Automox, you don’t have to worry about your end users opening massive security holes by running outdated software. Stay tuned as we delve into the mistakes most often made by IT managers that have the potential to put company data at risk.
Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management. To sign up for a free, 15-day trial of Automox’s cloud-based, automated patch management solution, visit www.automox.com/signup.