Cybersecurity

A study shows that employees are the weakest link when it comes to cybersecurity. Around 31 percent of employees reportedly committed errors that have adverse cybersecurity consequences. These errors include falling victim to scams, clicking suspicious links, downloading unsafe files, losing work devices, and sharing passwords with colleagues.

Security pundits have repeatedly pointed out this human weakness in cybersecurity, but overcoming it remains a tall order. Needless to say, organizations need to exert more effort and take strategic action to address this problem. A good start would be to identify common workplace habits that tend to 

Refusing to regularly and promptly update software

Regular software updates are among the staples of cybersecurity guidelines. Users of computers and other software-driven devices are advised to promptly apply updates or patches whenever they are available. However, many employees have the habit of putting off these updates, usually because they are viewed as interruptions.

Software updates are crucial not only because they provide new features and functions. More importantly, they are provided to address security issues or newly discovered vulnerabilities. Refusing to apply updates can put devices at serious risk, as non-updated devices are likely to be incapable of detecting and mitigating sophisticated cyber attacks that target recently discovered vulnerabilities in operating systems and applications.

Over-reliance on built-in cybersecurity tools

Most operating systems come with their own cybersecurity solutions. Microsoft Windows, for example, has Windows Defender while macOS has XProtect. These are capable security tools, but they are not enough when addressing cyber threats that target business IT systems, online accounts, and cloud resources.

The cyber defense tools that are bundled with OSes may come with regularly updated threat databases to detect malware and other attacks. However, they do not have the means to address aggressive and coordinated attacks like phishing and malicious software delivered through software supply chains. It is advisable to employ cybersecurity solutions that comprehensively address risks and not rely solely on the tools installed on specific devices.

It is particularly important for newly established companies to take cyber threats seriously and not settle for built-in and “free” security tools. There are many good open-source security solutions worth trying, but it is advisable to invest time and effort in finding the best open-source tools or to spend on proven enterprise-level cyber defense.

Bring Your Own Device practices

Around 8 in 10 organizations worldwide have a Bring Your Own Device (BYOD) program, which allows employees to use their own computers or devices for work purposes. BYOD provides a number of advantages, especially for startups, as it reduces capital expenditure for office equipment while giving employees the option to use the devices they are comfortable with. However, it also poses major risks.

For one, BYOD devices are difficult to oversee. They can cause security visibility problems, with some units connecting to the company network without oversight. This can lead to devices bringing malicious software into the network and infecting other devices. Also, BYOD devices can be instrumental in data leakage and unauthorized access to company resources.

Even without ill intent, these devices can also be problematic because they pose risks associated with data intermingling, lack of control, and possible compliance concerns. Lost BYOD devices can fall into the hands of crafty cybercriminals who can unlock passwords and expose sensitive information and accounts on these devices.

Weak access controls

Access controls are among the vital aspects of cybersecurity. Unfortunately, many unsafe practices regarding access control have persisted until now. The use of default and weak passwords is still common, especially when dealing with multiple accounts or resource dashboards. Many organizations do not practice regular compulsory password changes. Web app users have a habit of saving their login credentials in web browsers that do not encrypt their sensitive information. Additionally, there are still organizations that do not require multi-factor authentication for logins. 

There are also issues in the way organizations manage their IT resources. For example, there are companies that fail to deactivate accounts that are no longer being used or those assigned to employees who have already resigned or retired. These open active accounts can pose risks of unauthorized access and should be deactivated immediately. Also, some organizations do not regulate the access privileges they grant to users and have poor logging and monitoring mechanisms. It is advisable to adopt the principles of least privilege and zero-trust security to minimize access vulnerabilities. 
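One way to run the account review described above, as an added example that is not part of the original article. It assumes a CSV export from an identity provider and an HR roster; the column names, sample rows, `svc-` prefix, group names and 90-day idle threshold are all constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data: an identity-provider export and an HR roster.
ACCOUNTS_CSV = """username,last_login,enabled,mfa,groups
alice,2024-05-28,true,true,staff
bob,2024-01-03,true,false,staff;domain-admins
carol,2024-05-30,true,true,staff
dave,2023-11-12,true,true,staff
svc-backup,,true,false,backup-operators
erin,2024-02-01,false,true,staff
"""
ACTIVE_EMPLOYEES = {"alice", "bob", "dave"}  # carol and erin have left
SERVICE_PREFIX = "svc-"                      # assumed naming convention
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}


def audit_accounts(accounts_csv, active_employees, today, max_idle_days=90):
    """Return {username: [findings]} for every enabled account with an issue."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].lower() != "true":
            continue  # already deactivated, nothing to do
        user, issues = row["username"], []
        is_service = user.startswith(SERVICE_PREFIX)
        if not is_service and user not in active_employees:
            issues.append("owner no longer employed")
        if not row["last_login"]:
            issues.append("never logged in")
        else:
            last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
            idle = (today - last).days
            if idle > max_idle_days:
                issues.append(f"idle {idle} days")
        if not is_service and row["mfa"].lower() != "true":
            issues.append("no MFA")
        privileged = PRIVILEGED_GROUPS & set(row["groups"].split(";"))
        if privileged and issues:  # risky accounts with elevated rights come first
            issues.append("privileged: " + ",".join(sorted(privileged)))
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS_CSV, ACTIVE_EMPLOYEES, date(2024, 6, 1)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Accounts that come back with a `privileged:` finding are the ones to deactivate or downgrade first, since they combine a hygiene problem with elevated access.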

Problematic data encryption

Most organizations encrypt their sensitive data. However, the problem is that they have misguided encryption policies and poorly designed encryption-decryption mechanisms. Some overuse encryption to the point that it negatively affects system performance and operational efficiency. On the other hand, there are those that have difficulties managing their encryption-decryption keys and other secrets, especially when implementing relatively new systems like Infrastructure-as-Code (IaC).

Encryption is a pillar of cybersecurity, but using it does not automatically result in security benefits. It has to be used properly, largely by selecting the encryption methods and algorithms that best suit the needs of an organization. Encryption has to be balanced with performance and resource consumption to make sure it yields advantages rather than unnecessary overhead.

Not paying attention to physical security

The abundance of CCTVs in an establishment does not equate to adequate physical security. This is something organizations should be mindful of. There are many aspects of physical security, and visibility is just one of them. It is important to have clearly laid out rules and processes for physically accessing IT equipment. Computers, servers, and other hardware should be in a room that can be secured reasonably.

Additionally, workstations would be safer if they were physically secured, for example by not having open USB slots or ports through which employees can insert devices without authorization. Nobody should be allowed to replace or tinker with accessories like keyboards and mice without supervision. These devices can be hacked to enable keylogging and other malicious purposes.

Failing to engage employees in the cybersecurity strategy

There have been no recent studies on the prevalence of cybersecurity training, but it is safe to say that a big majority of companies already have cybersecurity education programs for their employees. However, the problem is that employees may still end up violating cybersecurity guidelines and processes. A Harvard Business Review study suggests that security policy violations are usually caused by stress, not by malicious intentions. 

Often, employee-driven obstacles to cybersecurity strategies are attributable to the failure to convince employees to actively and willingly take part in addressing cyber threats. They feel they are just being directed, so they do not have a sense of ownership of the strategy or effort in combating cyber attacks. Aside from cybersecurity education, it is also important to engage employees in the cybersecurity strategy.

In conclusion

The fight against cyber attacks cannot be won with tools alone. It is equally important to establish a culture of resistance against threats including vigilance in identifying and mitigating risks and attacks. This can be done through no-brainer steps that many organizations still fail to undertake. In summary, organizations should emphasize the need for software updating, rigorous regulation of BYOD devices, strong access controls, proper encryption implementation, physical security over IT equipment, and employee engagement in the organization’s cybersecurity efforts.
