In most people’s heads, digital security often means putting bigger locks to keep the bad guys out. While this does help, it’s not the only thing that has to be addressed when creating an impenetrable defense against various online threats. Organizations aren’t only made up of routers, servers, and networks — there are also people.
Various reports confirm that employee negligence amounts to 84% of reported cyberattacks. Tricking a person is always easier and doesn’t require as much technical knowledge as spoofing an advanced security system, and hackers are well aware of it. One recent development that made hacker’s life easier is that people returning to various hybrid models have picked up many bad cybersecurity habits.
Let’s look deeper into employees’ most common bad habits: what they are and what can be done about them.
10 worst cybersecurity habits in the workplace
There are many ways in which employees can pose a risk to an organization from the inside. Here’s the list of the most frequent behaviors that could be threatening an organization’s cybersecurity.
1. Weak passwords
When prompted to change a password, 49% of employees only add a digit or change a character
73% of users use the same passwords for their personal and work accounts
59% of respondents reuse passwords despite knowing the risks
This year, hotel giant Marriott International suffered another data breach as hackers used credential-stuffing techniques to infiltrate two employees’ accounts. Hackers were able to collect data for a month before the breach was discovered. The data leak exposed the personal information of more than 5.2 million customers, including contact information.
Recommendations to create a strong password are something that almost everyone has heard but has chosen to ignore. The main problem is that people tend to prioritize convenience over security. Using a strong password is a hassle, and only some have the time to sit and think about the right combination that would be memorable, hard to crack, and unique.
Another problem that stems from weak passwords is their reuse. Due to the sheer number of companies that suffered a data breach, your employee personal account credentials and email combinations are likely being sold in the darknet marketplaces. It’s also highly likely that your employees are still using compromised passwords, and it wouldn’t be too far off to assume that some of them reuse these credentials for their work accounts. This is one of the risks that should be considered when developing an organization’s security outline.
Expert’s tip: while it’s impossible to force every employee to use a strong password, technological solutions can come in handy there. For instance, the password requirements could be modified to require a certain length and special characters. Then, it’s also a great idea to use features like two-factor authentication to make access to internal networks harder for intruders — it raises the threshold for entry.
2. Keeping data on personal devices
39% of employees access corporate data on personal devices
63% of employees have indicated that they brought data from their previous employer to their current employer
In 2019, McAfee filed a lawsuit against three former employees, accusing them of stealing trade secrets before starting a new position at a competitor. Employees were found to secretly email documents to themselves and used unauthorized USB devices to copy data in bulk.
Even though securing company data was challenging when all company devices were company-owned, this is even more difficult today. Bringing your own device has become the norm, but it also severely limits network administrator’s ability to manage risks. This has become extremely troublesome in terms of company data protection.
When it comes to business information, there are many opportunities for employee negligence, errors, or ill intentions. When company networks rapidly expand, and users connect with unsupervised devices, the security of the most sensitive pieces of information may seem almost impossible. It’s paramount to remember that threats may not always come from outside of your network perimeter.
Expert’s tip: data loss prevention software monitors, detects, and blocks sensitive data from leaving the company’s premises. This requires identifying the most sensitive files, monitoring their movement within the network, and denying actions that would put them outside the organization’s reach. Most DLP software also can block reading and writing to external devices like USB thumb drives.
3. Clicking before thinking
At least one person clicked a phishing link in around 86% of organizations
91% of all cyber attacks begin with a phishing email to an unexpected victim
Users successfully detect only 53% of phishing websites, even when primed to identify them
In November 2014, Sony Pictures top executives received phishing emails that appeared to be from Apple. They willingly provided ID verification emails on a bogus website that also captured their login credentials. Using this information, hackers obtained unrestricted access to private correspondences and then-unreleased movies. Their losses were estimated to be more than $100 million.
The fast-paced workplace environment doesn’t prepare your employees to stop and think before clicking. Proper judgment and caution must be trained, not all employees come naturally equipped with these skills. Naturally, some of the workforce could be oblivious to the dangers on the web. This is something that needs to be addressed on the company level until clicking on a link is no longer automatic action.
Especially when using email, each employee should take time to examine the “from” address and check for typos or other anomalies. Even when the sender is known, checking whether the link is safe before clicking on it is never a bad idea.
Expert’s tip: every member of your organization can click on the malicious link. Therefore, it’s important to ensure that some cybersecurity controls are in place. The cybersecurity team should be able to administer the available websites, i.e., don’t allow websites with security expired certificates or use DNS filters to block known malicious sites. As for the inbox, spam filters can also help clean up the received emails.
4. Leaving equipment unattended
A laptop is stolen every 53 seconds
80% of the cost of losing a laptop or device comes from data breaches
Lost devices caused 41% of all data breach events from 2005 through 2015
A British Petroleum employee lost a company-issued laptop during business travel. What made everything worse was that the laptop wasn’t encrypted and had no security. It also contained sensitive information on 13,000 individuals who claimed compensation after the oil spill in the Gulf of Mexico. This meant that the single laptop caused damage valued at $2.78 million.
While most companies require to protect work computers with a password, do your employees actually lock their screens when they leave their desks? Having password protection but leaving the computer unlocked equals not having a password. While this was a nasty habit in the office, this neglect can severely backfire when done in a public place. As employees are taking advantage of hybrid work models and working from anywhere, this means potentially huge risks to your organization.
Hackers frequently employ shoulder surfing and other methods to secretly obtain information while peeking over when their target is typing in their passwords and PINs. This allows them to obtain credentials without resorting to elaborate hacking techniques and can be virtually untraceable.
Expert’s tip: once your employee is in a public space, there’s always a risk of theft. Thieves could be motivated not by the data, but by the device itself. Encourage employees to lock their computer screens automatically and use encryption for the hard drives. Emphasize that a lost device will always be cheaper than a data breach.
5. Not taking cybersecurity as a personal responsibility
Only 19% of employees self-report the data breach
55% of SMB employees were likely to visit off-limit websites
The city of Calgary was sued for $92.9 million for a data breach that leaked data of more than 3,700 of its employees. The data breach was caused by an employee who sent confidential information like medical records, social security numbers, addresses, dates of birth, and income details to an employee in another municipality via email.
No matter how many technological solutions you add to shield the enterprise from hacker attempts, this can be worthless if you don’t promote a culture of healthy suspicion. Nowadays, it’s important to familiarize staff with what actions can be hazardous to the overall business. Yet, for this to make a difference, each employee has to take personal responsibility for data security.
Far too often, cybersecurity is regarded as only a problem of an IT department. However, the reality is that gross misconduct or negligence can bypass even the strongest technical defenses. It’s important that each employee’s mindset would be verified and then trusted. Maintaining a healthy level of skepticism and cautious company culture is a simple but effective foundation for better cybersecurity.
Expert’s tip: you may require a company-wide strategy to keep employees more engaged in cybersecurity matters. The important thing is to make cybersecurity part of employee onboarding and continuous responsibility. Positive encouragement always works much better than punishments — if an employee feels part of it, it’s much easier to take cybersecurity matters seriously.
6. Not securing the internet connection
1 in 3 employees don’t use VPN to connect when working from home
90% of IT decision-makers claim legacy systems are holding their companies back
In 2019, Lunar Spider and Wizard Spider cybercrime syndicates collaborated to commit man-in-the-middle attacks by conducting fraudulent bank transfers. Their solution was to infect web hosts and provide false SSL certificates peeling the security off layer by layer. Then, they would redirect web traffic and inject code to redirect users to malicious websites.
When employees work far from headquarters, IT administrators don’t have any control over their routers. This isn’t something every home user considers when buying a router, and even fewer have the technical knowledge to secure their equipment properly. The same risks also apply when connecting to public hotspots. It’s impossible to be 100% certain that the network is secure.
To make matters worse, this problem extends far beyond the routers and physical hardware. Even when provided with various secure connectivity setups, employees are still cutting various corners. One of the most common habits is not using a VPN and connecting without it. This means the exchanged traffic isn’t encrypted, so anyone on the same network could be siphoning confidential information without alerting anyone.
Expert’s tip: sometimes connecting to unsecured networks is unavoidable. The work resources should only be available using specific IP ranges and/or VPNs. That way, a habit forms to keep the VPN toggled on. It helps that some services provide an always-on VPN toggle or auto-connect when joining a new wifi network.
7. Lack of knowledge
61% of employees who have received cybersecurity training fail a basic test
58% of employees fail to define email threats
In 2015, Ubiquiti Networks Inc., an American network technology company, lost $46.7 million after failing to detect spear phishing emails. The attack was successful due to convincing impersonation targeting their finance department. Spoofed email addresses and lookalike domains with typos didn’t seem to be a setback for hackers.
Cybersecurity threats never stand still, they are always changing as it’s the only way to stay effective. This also means that knowledge about them should be regularly refreshed. Otherwise, it creates a false sense of security. It’s impossible to detect or prevent threats your employees have never even heard about, so keeping their education up to date should be one of the priorities.
Every quality IT security plan should always include a section dedicated to employee cybersecurity awareness. This allows you to construct a transparent IT policy that every single one of your employees would know. Cyber threats are the most dangerous when they exploit the gullibility of your employees, so the more they know, the more they will be resistant to various future attempts.
Expert’s tip: the only potential solution will be an investment in training. It’s always a good idea to analyze which route would be easier to go to third-party consultants or prepare the training internally. The training should be repeated periodically, as new joiners could miss out on the important aspects due to workplace dynamics. Similarly, veteran workers also need to refresh their memory about the latest cyber threats.
8. Indefinitely postponing software updates
80% of companies that were breached could have prevented it by patching up on time
34% of breached companies knew of the vulnerability but hadn’t taken action
In 2017 worldwide WannaCry cyberattack occurred, affecting computers using unpatched Microsoft Windows operating systems. The attack encrypted the files stored in the device’s hard drives and demanded ransom, threatening to delete the stored data. While the patch was released a month before the attack, WannaCry spread throughout organizations that failed to apply security updates timely. This affected organizations like Spanish mobile company Telefónica and thousands of NHS hospitals and surgeries across the UK.
Almost universally, update requests tend to be ignored, it’s one of the most common malpractices. The reason why it’s important is that the updates are usually rolled out to fix various vulnerabilities that are discovered in the software. This means that postponing means deliberately risking the security of the device. It could also escalate — if the employee isn’t careful, their endpoint could become easily compromised, opening the doors to hackers.
To put this in perspective, around 450,000 new malware variants are detected daily. Most of these use various vulnerabilities found in the most popular applications or operating systems. If the applications can’t be updated or they no longer receive security patches, it’s also a good idea to think about replacements to maintain a high organization’s security level.
Expert’s tip: some technological solutions can reach out a helping hand when combating outdated software. Device posture policies can outline what operating systems or application versions are allowed into the network. If the version isn’t the latest, it’s possible to deny the connection altogether, protecting the organization from the risks that outdated or vulnerable devices bring.
9. Confusing compliance with cybersecurity
37% of companies that said they are GDPR-ready experienced a data breach
For some certifications, only 29% of companies are compliant a year after validation
In 2020, Warner Music Group (WMG) suffered a cyberattack that leaked its customer’s personal and financial information. Although the company publicly announced the incident, it did not reveal the total scope of the attack or the affected users. It was reported that hackers accessed customers’ details from its various e-commerce websites. At the time of the attack, the company was fully compliant with PCI DSS standards.
One of the most frequent misconceptions about cybersecurity is that regulatory compliance will make the company unhackable. While it is true that being compliant helps to drive down data breach costs, it’s not the main purpose of the regulations. They exist to ensure that appropriate standards are kept when handling sensitive data, however, the actual application is left to the company, which can take many different forms.
Companies aren’t incentivized to push through beyond the bare minimum requirements if that’s enough to be certified. On the other hand, many companies are preparing for the audit intensely. Then after it’s passed, they focus on other areas. While from the outset, it seems like regulatory compliance strengthens the overall business resistance, it only takes into account a very narrow area. At the same time, the attack could come from a security gap that wasn’t even audited.
Expert’s tip: being compliant in whichever field usually means that you’re doing the bare minimum. Otherwise, it may not be related to security, for instance, when an audit evaluates the internal data handling procedures. For this reason, it’s important to look at achieving better security without aligning with regulatory requirements.
10. Plugging in unknown devices
48% of people do plug in USB drives found in parking lots
In 2020, US hospitality providers were targeted by the BadUSB attack. The attack happened after the company received an envelope containing a fake BestBuy gift card with a USB thumb drive. The hackers added a letter saying to plug in a USB thumb drive to learn what items could be bought with the gift card. However, the reality was that the thumb drive was infected with malware that functioned like an automated keyboard to launch various cyberattacks remotely.
Humans can be greedy and curious, so it’s easy to feel tempted to plug in a shiny USB thumb drive into your work computer to check what’s on it. This is something that hackers know fairly well, and they use this to their advantage, as leaving USB devices lying around the company premises is one of the most effective ways to penetrate the company.
That said, you shouldn’t only be cautious about USB thumb drives. Virtually any USB device’s microcontroller can be reprogrammed to turn it into a malicious device. This could include USB fans, toys, gadgets, and other accessories. There are growing reports of various infected charging stations cropping in coworking spaces and malls.
Expert’s tip: one simple solution would be to disable autorun functionality from USB devices on company-issued hardware. However, this also ties in with education and teaching them about the dangers of plugging unknown hardware into company devices.
What do the experts think?
Poor cybersecurity behavior in the workplace is something that industry professionals have to deal with constantly. Therefore, we asked them for their perspective on the current situation.
Information Security Manager at Nord Security, Sigita Jurkynaitė, emphasized social engineering as one of the most prominent attack vectors:
“From the beginning of last year, most cyberattacks were done via phishing. Based on the ENISA threat landscape, we expect the same tendencies to remain unchanged: ransomware, cryptoware, and malware will still be prevalent, and social engineering will be the main tool that hackers use to bypass organizations’ defenses.”
“The worst takeaway in such an environment would be to start treating your employees as the weakest link. That’s the opposite of what you should be doing, really, because treating your employees as partners and investing in their cybersecurity awareness can pay back tenfold. However, it shouldn’t be done just to have one-time checks. The process should be a continuous one — make it engaging and fun and avoid resorting to punishments if an employee fails the test.”
“The second component is that a strong technological shield is also needed. If it works effectively, this can be a great security mechanism preventing malicious links from landing in the user’s inboxes. Still, there is a pitfall in buying up all the latest tech and creating the illusion of safety. The secure processes help to achieve everlasting security, not the purchase itself.”
“Finally, it’s important to have cybersecurity specialists ready when something happens. Some enterprises have internal teams. Others rely on third parties. The bottom line is to have someone to call if something happens. Even the best cybersecurity mechanisms can fail, and even the most trained people can make mistakes. It’s always a good idea to have an emergency plan.”
The Engineering Manager at NordLayer, Carlos Salas, had a similar outlook:
“After returning to offices after the pandemic, human behavior did change. It does make sense when you think about it. Why would you lock your screen when you’re at home? However, this created several major issues companies are left to deal with.”
“We are humans and we like to cut corners in terms of cybersecurity. You can’t just trust the employees to take everything they heard during training into practice immediately. We need a strong technological foundation to back this up with Zero Trust access, where no one in the network is trusted without verification. While education is important, policy enforcement creates a stable organization’s cybersecurity canvas.”
“Another problem is an inability or not wanting to take cybersecurity into your own hands as an employee. Far too often, it’s thought that I can do whatever because the cybersecurity team will sort everything out. Making employees aware of shared collective responsibility is important. It’s a step towards a whole organization’s culture.”
IT consultancy business Optimising IT Technical Director Todd Gifford emphasized that insider threats are the most harmful and difficult to repel.
“Granting employees access to your environments, by definition, brings the burden of various risks. This access is largely based on trust when the employment contract is signed. Then it’s very easy to overlook their actions even if their intent is malicious. While this may sound extreme, the key here is to provide only needed access for the specific job function. Even then, testing, checks, and behavior validation should always be enabled to keep the finger on the organization’s security pulse.”
“Education should be a starting point when breaking bad cybersecurity habits among your employees. Continuous expansion of their awareness is key. However, it’s very important to make it engaging and varying, i.e., in-house phishing tests, workshops, etc. When this is added to the mix of your overall cybersecurity, this should help to keep everyone on high alert when a real threat approaches.”
As more and more employees return to the offices or take advantage of the hybrid model, this significantly affects the organization’s overall security. This also changes the threat landscape that hackers could exploit, so it’s important to be cautious. As people are now fallen out of habits of what used to be general cybersecurity rules for the workplace, it’s important to take action.
Timely breaking the harmful practices can make the ultimate difference between the company that was caught in a data breach and the one that repelled the attempt. Whichever area your organization struggles with the most, they can all be tackled by investing in your employees’ knowledge and various technological solutions.
A holistic combination of these two approaches should provide your business long-lasting security culture and more ease of mind regarding cybersecurity.