5 network security mistakes
The errors employees commonly make that can compromise sensitive data
According to the 2018 Human Factor Report by Proofpoint, a West Coast cybersecurity company, as many as 95 percent of web-based attacks now incorporate social engineering or human error.
The reality is that people make mistakes all the time, and cybercriminal social engineering and social mining, including bogus security alerts or other tricks that persuade people to unknowingly download and install malware, have raised the cost of poor security habits. Let’s take a look at the five most common errors humans make that compromise highly sensitive data.
Password reuse
Using simple passwords, or the same password on multiple websites, creates risk for any end user.
• Risk: Even if a corporate network, including SaaS-based applications, requires strong passwords, the use of simple passwords on social media sites could allow a criminal to spoof identities. And if that same password has been used on multiple sites, it becomes that much simpler for cybercriminals to obtain access to even more sensitive data.
• Solution: Don’t use corporate IDs for any non-corporate websites or applications. Use a good password-safe application to auto-generate and store complex passwords for each personal and business website.
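The following script, added here as an example and not part of the original article, shows what a password-safe style audit of an exported credential list looks like: it flags passwords that are short or use few character classes, passwords shared across sites, and corporate IDs used as logins on non-corporate sites, and it generates a replacement with a cryptographically secure random source. The corporate domain and the four credentials are constructed for illustration.

```python
"""Audit a credential export for reuse, weak passwords and corporate IDs on
external sites, then generate a strong replacement (added example)."""
import secrets
import string
from collections import defaultdict

CORPORATE_DOMAIN = "example-corp.com"  # assumption: the employer's e-mail domain

# Constructed sample export: (site, login, password). Made up for illustration.
SAMPLE_CREDENTIALS = [
    ("mail.example-corp.com", "jsmith@example-corp.com", "Summer2018!"),
    ("social.example.net", "jsmith@example-corp.com", "Summer2018!"),
    ("shop.example.org", "jsmith_personal", "Summer2018!"),
    ("bank.example.com", "jsmith_personal", "x7#Qp9!vLm2&zR4t"),
]


def is_weak(password: str, min_length: int = 12) -> bool:
    """Weak if shorter than min_length or built from fewer than three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    return len(password) < min_length or classes < 3


def find_reuse(credentials):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, _login, password in credentials:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def corporate_id_on_external_sites(credentials, corporate_domain=CORPORATE_DOMAIN):
    """Sites outside the corporate domain where the corporate e-mail address is the login."""
    suffix = "@" + corporate_domain
    return [
        site for site, login, _pw in credentials
        if login.lower().endswith(suffix) and not site.lower().endswith(corporate_domain)
    ]


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG (secrets) that passes is_weak()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate):
            return candidate


def audit(credentials):
    """Summarise all three classes of finding for a credential export."""
    return {
        "weak": [site for site, _l, pw in credentials if is_weak(pw)],
        "reused": find_reuse(credentials),
        "corporate_id_external": corporate_id_on_external_sites(credentials),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CREDENTIALS)
    for site in report["weak"]:
        print(f"weak password on {site}; suggested replacement: {generate_password()}")
    for pw, sites in report["reused"].items():
        print(f"one password reused on {len(sites)} sites: {', '.join(sites)}")
    for site in report["corporate_id_external"]:
        print(f"corporate ID used as login on non-corporate site: {site}")
```

Real password managers apply the same three checks against their vault; the point of the script is that reuse is detectable only when every site's password is visible in one place, which is exactly what a password safe gives you.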
Using free Wi-Fi hotspots
Free Wi-Fi may be great for streaming music or movies, but be careful not to use it for online banking or unsecured connections to corporate applications.
• Risk: It’s very easy for a criminal to set up shop in a popular café and hijack Wi-Fi connections. Once the criminal has access to a connection, he/she can capture sensitive data such as login credentials.
• Solution: First, limit online activity to basic browsing if there is no option to secure a connection. If using a cellular device, turn off Wi-Fi and use the cellular connection (yes, this will impact data usage). Finally, subscribe to a VPN service to secure your connection, and if your company has a Mobile Device Management solution, verify that it creates a secure connection when connecting to corporate websites or applications.
Phishing emails
Everyone is now familiar with the concept of phishing emails, but even so, on average, one in 10 users still falls prey to them.
• Risk: The original risk was that an end user would either click on a malicious link or click on an attachment that would then install malware or ransomware on a PC. For example, there is a trend referred to as “CEO Fraud,” or business email compromise, involving a criminal sending a well-crafted email that appears to be from the CEO or other senior executive requesting some form of payment, or wire transfer, to be made on their behalf to an offshore account.
• Solution: Security awareness training, coupled with regular simulated phishing emails, will ingrain the habit of always suspecting and questioning any email, especially those requesting you to provide sensitive information or payment. Additionally, make sure your organization’s executive and board member emails are not exposed on the internet. This can happen when organizations publish personal contact information on the corporate website. Cybercriminals can and will take advantage of this.
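As an added example (not from the original article), the checks below show how a mail gateway or SOC rule can flag the “CEO Fraud” pattern described above: an executive's display name on a sender address that is not theirs, a look-alike sending domain, a Reply-To pointing elsewhere, and payment or transfer language in the body. The internal domain, executive directory and both messages are constructed for illustration.

```python
"""Flag e-mail that matches the executive-impersonation (CEO fraud / BEC) pattern.
Added example; directory, domain and messages are constructed."""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # assumption: the organisation's own domain

# Constructed directory: display names to protect -> their real addresses.
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "john roe": "john.roe@example-corp.com",
}

PAYMENT_TERMS = ("wire transfer", "payment", "invoice", "gift card", "bank account")


def _normalize(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(headers: dict, body: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    _reply_name, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain = _domain(from_addr)

    # 1. Executive display name paired with an address that is not the executive's.
    expected = EXECUTIVES.get(_normalize(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' matches an executive but sender is {from_addr}")

    # 2. Sender domain is a near-miss of the internal domain (a character or two changed).
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")

    # 3. Reply-To directs answers to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from sender domain {from_domain}")

    # 4. Payment or transfer language in the body.
    hits = [term for term in PAYMENT_TERMS if term in body.lower()]
    if hits:
        findings.append("payment-related language: " + ", ".join(hits))
    return findings


def is_likely_ceo_fraud(headers: dict, body: str) -> bool:
    """CEO fraud when an identity anomaly (checks 1-3) coincides with payment language (check 4)."""
    findings = analyze_message(headers, body)
    identity = [f for f in findings if not f.startswith("payment-related")]
    money = [f for f in findings if f.startswith("payment-related")]
    return bool(identity) and bool(money)


# Constructed messages: one impersonation attempt, one ordinary internal mail.
SUSPECT_HEADERS = {
    "From": '"Jane Doe" <jane.doe@example-c0rp.com>',
    "Reply-To": "jane.doe.ceo@freemail.example",
}
SUSPECT_BODY = "I am in a meeting. Please process an urgent wire transfer to the account in the attached invoice today."

LEGIT_HEADERS = {"From": '"Jane Doe" <jane.doe@example-corp.com>'}
LEGIT_BODY = "Reminder: the all-hands meeting is on Friday at 10."

if __name__ == "__main__":
    for label, hdrs, body in (("suspect", SUSPECT_HEADERS, SUSPECT_BODY), ("legit", LEGIT_HEADERS, LEGIT_BODY)):
        print(label, is_likely_ceo_fraud(hdrs, body), analyze_message(hdrs, body))
```

Requiring an identity anomaly and payment language together keeps the rule from firing on every legitimate invoice; in production the display-name check should also cover the executives' personal addresses, since those are the ones most often found through the exposed contact details the article warns about.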
Social media exposure
While it is great that employees can promote businesses on their own Facebook, Twitter, LinkedIn or other social media channels, they need to be careful how much information they let out.
• Risk: Cybercriminals are patient and very persistent when they have a target in mind. As they scour the internet for information that can give them access to an organization, social media can enable them to craft very convincing emails to organizational colleagues who might let down their guard.
• Solution: Have a social media policy in place that outlines best practices in relation to social media usage.
Malvertising
Also known as “drive-by” infections, these can occur when someone visits a perfectly legitimate website for news, sports or shopping and, without realizing it, clicks on a malicious advertisement which then installs malware on the PC.
• Risk: The impact of clicking on a malicious advertisement is very much the same as the outcome of clicking on a phishing email.
• Solution: Make sure your organization’s systems are patched with the latest security updates. Drive-by exploits often use application vulnerabilities that have not been patched to download malware without detection.
If you are unsure about how to protect your organization’s network from attack, seek the help of an experienced IT managed services provider with deep knowledge and expertise in data security solutions.
Mark Benton, director of product management at Systems Engineering, can be reached at 888-624-6737 or syseng.com.