5 Employee Habits That Threaten Your Cybersecurity: What to Do About It?
By now you are already familiar with the SolarWinds hack. Microsoft's president described it as the largest and most sophisticated attack the world has ever seen, and it's hard to disagree when the attack continues to be a threat almost a year after it happened.
By injecting malware into a popular SolarWinds product, attackers were able to infiltrate the systems of over 18,000 organizations that used the product, including 9 US government agencies.
But, here is the sad part. According to reports from CISA, a weak password may have helped the attackers gain access to the SolarWinds systems. Their investigation revealed that one of the SolarWinds file servers had ‘Solarwinds123’ as its login password.
It would take fewer than 5 attempts for a cyber attacker to guess this password. They wouldn't even need to use cracking software.
And that forms the basis of our post today. A lot of times organizations focus on sophisticated threat detection and prevention measures but then end up neglecting the basics like employee training.
Due to a lack of cybersecurity awareness, employees end up engaging in practices that seem harmless to them but are a big threat to your cyber defences.
Here are 5 common ways your employees may compromise your organization’s cybersecurity and what you can do about it.
1. Poor password practices
We've already established that using an easy-to-guess password is one way to compromise security in your business.
Another mistake that employees make is to use the same password for multiple accounts. That is dangerous because if the login credentials for one account are leaked they can be used to access all the other accounts.
Solution – Have your employees adhere to established password security best practices. These include not using easily guessable passwords and requiring passwords to be at least 9 characters long. Employees should also have a unique password for each account and set up multi-factor authentication wherever it is available.
Alternatively, you can recommend that your employees use a password manager which will generate strong and unique passwords for each of their accounts. The password manager will automatically fill in the password field when prompted, eliminating your employees’ need to memorize the password.
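As an added illustration (not code from the original post), the following Python function turns the password rules above into an automated check an organization could run when a password is set. It assumes a constructed common-password list and a constructed list of company and product names; a real deployment would load both from maintained sources. The check that catches 'Solarwinds123' is the one that strips digits and symbols before comparing against company names.

```python
import re

# Constructed sample lists (assumption): a real deployment would load the
# common-password list from a breach corpus and the organization word list
# from its own inventory of company, product and site names.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
ORG_WORDS = {"solarwinds", "acme"}
MIN_LENGTH = 9  # the minimum length recommended in the post


def _core(pw):
    """Lowercase and drop digits/symbols, so 'Solarwinds123!' becomes 'solarwinds'.

    This defeats the habit of 'strengthening' a guessable word by appending
    a year or a run of digits.
    """
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw):
    """Return a list of policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = _core(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if core in ORG_WORDS:
        problems.append("built from a company or product name")
    if len(set(pw)) < 4:  # e.g. 'aaaaaaaaa' or '111111111'
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Solarwinds123", "Pass1", "correct-horse-battery"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Rejecting a password is only half of the control: the message returned to the user should say which rule failed, so that the next attempt is not 'Solarwinds1234'.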
2. Personal browsing and downloads
It's not uncommon for employees to use company devices for personal purposes. Unfortunately, some of the sites they visit may lead to cyber-attacks on the company. For instance, if an employee uses the office WiFi to download torrent files, they could end up bringing malware into the office network.
Solution – A common method that organizations use to curb the use of office devices for personal reasons is website blacklisting.
However, this method is limited in its effectiveness because you can't cover every site that needs to be blocked. A more effective method is whitelisting only the websites needed for company operations. It's more complex and time-consuming, but it's worth the effort.
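To make the difference between the two approaches concrete, here is an added Python example (not from the original post) of the decision a whitelisting web filter makes: anything not on the allowlist is denied. The allowlist entries are constructed placeholders. The example also shows the two matching mistakes that quietly turn a whitelist back into a blacklist: suffix matching that accepts `example-crm.com.evil.net`, and matching on the raw URL text instead of the parsed hostname, which accepts `https://mail.example.com@evil.net/`.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the sites the company actually needs.
# An entry starting with "." covers that domain and all of its subdomains;
# any other entry must match the hostname exactly.
ALLOWED = {".example-crm.com", "mail.example.com", "payroll-vendor.example"}


def host_of(url):
    """Return the lowercase hostname of a URL, or "" if it has none."""
    if "://" not in url:          # bare hostnames as seen in some proxy logs
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # hostname ignores userinfo before "@"
    return host.lower().rstrip(".")


def is_allowed(url):
    """Default-deny decision: True only if the hostname is on the allowlist."""
    host = host_of(url)
    if not host:
        return False
    for entry in ALLOWED:
        if entry.startswith("."):
            base = entry[1:]
            # Compare on label boundaries: "evil-example-crm.com" must not match.
            if host == base or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, as a proxy might log them.
    for url in (
        "https://app.example-crm.com/login",
        "mail.example.com",
        "https://example-crm.com.evil.net/",
        "https://mail.example.com@evil.net/",
        "http://torrent-site.test/file.torrent",
    ):
        print("ALLOW" if is_allowed(url) else "DENY ", url)
```

When reviewing a real filter's configuration, the same test URLs are a quick way to confirm that the vendor's allowlist matching is anchored to the hostname and to label boundaries.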
3. Use of public WiFi for business
This is especially a problem now that working from home has become common. The trouble with an employee using the WiFi at their local coffee shop for work is that the network is not encrypted.
A cybercriminal can easily steal sensitive company information by intercepting the traffic that is being sent from the employee’s device to the public router.
Solution – Warn your employees against using public hotspots for business. And if they have to, make sure they are using a Virtual Private Network (VPN) to encrypt their traffic.
4. Unprotected company data on personal devices
If your company allows employees to bring and use their personal devices for work, that's an additional attack vector. Chances are the employee's device does not have the same security defences as your company devices and can consequently be exploited by cyber attackers to steal sensitive company files and information.
Solution – Vet all personal devices that are allowed into your company to ensure they have the right security defences such as encryption and anti-malware programs.
5. Phishing scams
Another common way untrained employees could compromise cybersecurity in your business is by falling for phishing scams. How this works is that cybercriminals pose as a legitimate entity that your employee normally interacts with and trick them into performing a compromising action.
For instance, an attacker may send an email to HR that seems to come from the CEO requesting that they share some sensitive information. Or, they could contact an accountant posing as a supplier and request that their payment is released.
Phishing scams could also be emails with malicious attachments that, once opened, download malware into the company network.
Solution – Teach your employees how to recognize phishing scams. Some signs to watch out for are grammar errors in emails, unsolicited links and attachments, and offers that seem too good to be true.
Most of these scams will also carry an abnormal sense of urgency: "Do this in the next three hours or else there will be consequences." The aim is to scare the employee into acting irrationally.
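The warning signs listed above can also be checked by software before a message reaches the employee. The following is an added Python example, not from the original post, that parses a raw email with the standard library and reports the indicators discussed here: a sender display name that matches a known executive but an address that does not, a Reply-To that differs from the From address, urgency language, and attachments with risky file types. The company domain, the executive list, the keyword list and both sample emails are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumption: known senders
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|or else|within (?:the next )?\d+ hours?)\b", re.I
)
RISKY_EXT = (".exe", ".js", ".scr", ".docm", ".iso", ".zip")


def _body_text(msg):
    """Collect the text/plain parts of a message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw):
    """Return the list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    found = []

    # Display-name impersonation: the name is a known executive, the address is not.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        found.append(f"display name '{name}' does not match the known address")

    # Replies silently redirected to a mailbox the attacker controls.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        found.append("Reply-To differs from From")

    # The abnormal sense of urgency described in the post.
    if URGENCY.search(msg.get("Subject", "") + "\n" + _body_text(msg)):
        found.append("urgency language in subject or body")

    # Unsolicited attachments of types that commonly carry malware.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            found.append(f"risky attachment {filename}")
    return found


# Constructed sample: the "CEO asks HR for records" scenario from the post.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@example-payroll.co>
Reply-To: ceo.private@mailbox.test
To: hr@example.com
Subject: URGENT - need employee records today
Content-Type: text/plain

Please send me the W-2 files for all staff within the next 3 hours or else
we miss the audit deadline. Don't call, I'm in a meeting.
"""

# Constructed sample: a legitimate internal message for comparison.
SAMPLE_CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Lunch next week
Content-Type: text/plain

Are you free on Tuesday?
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))
    print(phishing_indicators(SAMPLE_CLEAN))
```

A message that trips several of these indicators at once is worth holding for review or tagging with a visible banner; a single indicator (urgency alone, for instance) is common in legitimate mail and is better used to raise a score than to block outright.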
We can help minimize employee threats to your business
What we have covered in this post are just the basics. To be fully effective, you will need an experienced professional to take a deeper dive into each of them and to explore additional threats that may be specific to your industry.
That’s where we come in. Apart from offering comprehensive training on best cybersecurity practices, we will also simulate real-life attacks to test your employees’ preparedness.
We will also help you come up with a cybersecurity strategy that protects your business not just from employee threats but also other forms of attacks such as supply chain attacks.
Our job is to streamline the cybersecurity aspect of your business so that you can focus on providing better products and services to your customers.