You might think only young people new to digital literacy can fall victim to dangerous online behaviors. If only. Your teammates at work could also be at risk. These nine online behaviors are all too common among supposedly savvy adults.
This article will help you consider the risks and set you up with tips to train your employees better and avoid putting your business's data and sensitive information in danger.
Lots of your employees are probably responsible parents who have talked to their kids about revealing personal information online. Still, they may need a talking-to of their own! With the ubiquity of social networking sites today, hackers can easily piece together the personal information they need to cause harm.
For example, you might ask an employee to reconsider publicly sharing the barrage of greetings that arrive from Facebook friends on a birthday. Although sharing this information online puts them in the company of more than 20 million U.S. Facebook users, knowing a user's birthday can help hackers infiltrate a network and access sensitive data.
The same is true of commonly shared information like alma mater, family members' names (including pets), hometown, and favorite activities — all of which can frequently be used to crack a password or to add credibility to a social engineering scheme.
Research shows that 9 out of 10 login attempts on many web and mobile applications are made by cybercriminals using automation to rapidly test millions of credentials. Yet, a 2021 study found that the two most commonly used passwords remain "123456" and "password."
With users today managing so many different online logins, they often rely on easily remembered passwords instead of ones that are hard to crack. Some people even keep factory-set default passwords, which leaves the network door wide open to cybercriminals who can put crucial business infrastructure at risk.
Tip: Mix letters and non-letters in your passwords and add random capitalization (capitalizing a letter other than the first).
Reusing a password can make things more convenient for the worker who can't imagine remembering 20 or 30 different passwords for all of their other online logins. More than 50% of users are estimated to use the same user names and passwords across multiple sites.
Yet password reuse attacks are prevalent. Even Facebook's CEO isn't immune; Mark Zuckerberg fell victim to this when several of his social accounts were attacked. Taking advantage of previously compromised user names and passwords, attackers will dedicate computing resources to stuffing these known credentials into every login page they can find until one provides access.
After all, not all sites are equal in terms of their login security. Your bank app's extra-long password won't mean a thing if your credentials are the same for a separate, easily hacked website. The fraudster with your password for "download-free-music.com" will have no problem accessing your bank account, too!
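The pattern described above, one source trying known username/password pairs against many different accounts, has a recognizable shape in a site's own login logs. The following is an added example (not RedTeam Security's code) that flags it: it assumes a constructed log format of "timestamp source_ip username OK|FAIL" per line, and the sample events are made up.

```python
"""Spot credential-stuffing traffic in web login logs.

Added example, not RedTeam Security's code. Log format is an assumption:
one event per line, "timestamp source_ip username result".
"""
import re
from collections import defaultdict

# Constructed sample events (documentation-range IPs, made-up usernames).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.4 alice FAIL
2024-05-01T10:00:09Z 198.51.100.4 alice OK
2024-05-01T10:01:00Z 203.0.113.7 alice FAIL
2024-05-01T10:01:01Z 203.0.113.7 bob OK
2024-05-01T10:01:02Z 203.0.113.7 carol FAIL
2024-05-01T10:01:03Z 203.0.113.7 dave FAIL
2024-05-01T10:01:04Z 203.0.113.7 erin FAIL
2024-05-01T10:01:05Z 203.0.113.7 frank FAIL
2024-05-01T10:01:06Z 203.0.113.7 grace FAIL
2024-05-01T10:01:07Z 203.0.113.7 heidi FAIL
2024-05-01T10:05:00Z 192.0.2.9 carol FAIL
2024-05-01T10:05:02Z 192.0.2.9 carol FAIL
2024-05-01T10:05:04Z 192.0.2.9 carol FAIL
2024-05-01T10:05:06Z 192.0.2.9 carol FAIL
2024-05-01T10:05:08Z 192.0.2.9 carol FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse_events(text):
    """Yield (ip, user, succeeded) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.25):
    """Return {ip: summary} for sources that try many *different* accounts
    with mostly failures. A brute force against one account (many tries,
    one user) does not match this shape and is left for a separate rule."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0, "hits": set()})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"] += 1
            s["hits"].add(user)

    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) < min_distinct_users:
            continue
        if s["successes"] / s["attempts"] > max_success_rate:
            continue
        flagged[ip] = {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "successes": s["successes"],
            "hits": sorted(s["hits"]),  # accounts that need a forced password reset
        }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The "hits" list is the operationally useful output: the accounts where a reused credential actually worked, which should be reset and reviewed first. The thresholds are starting points; tune them against your own traffic.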
If you ever wonder if one of your accounts has been involved in a data breach, check out https://haveibeenpwned.com. Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
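Have I Been Pwned also publishes a Pwned Passwords lookup that can be queried without ever sending the password itself. The block below is an added example (not RedTeam Security's or Have I Been Pwned's code) of that k-anonymity scheme: only the first five hex characters of the password's SHA-1 go to https://api.pwnedpasswords.com/range/<prefix>, the service returns every known suffix under that prefix with a breach count, and the match happens locally. The range replies here are constructed so it runs offline, and their counts are invented.

```python
"""Check a password against Pwned Passwords without revealing it.

Added example, not RedTeam Security's or Have I Been Pwned's code.
Only a 5-character SHA-1 prefix leaves the machine; the comparison of the
remaining 35 characters is done locally against the returned range.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-ins for the service's replies. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 and SHA-1("123456") is
# 7C4A8D09CA3762AF61E59520943DC26494F8941B; the counts are invented.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "0011F2F0BB9AF1C5A2B6E5E5C9C1E5D5B5A:2\n",
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:6789\n",
}


def hash_parts(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Number of times the password appeared in breaches, 0 if absent."""
    _, suffix = hash_parts(password)
    return parse_range(range_body).get(suffix, 0)


def offline_check(password):
    """Look the password up in the constructed sample ranges."""
    prefix, _ = hash_parts(password)
    return breach_count(password, SAMPLE_RANGES.get(prefix, ""))


def online_check(password):
    """Same logic against the live API (needs network access; not run here)."""
    prefix, _ = hash_parts(password)
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return breach_count(password, resp.read().decode("utf-8"))


if __name__ == "__main__":
    for pw in ("password", "123456"):
        print(pw, "seen", offline_check(pw), "times (constructed counts)")
```

Because the server only ever sees a prefix shared by hundreds of unrelated hashes, this check can be wired into a password-change form without the policy itself becoming a leak.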
Email remains a weapon of choice for cyber attackers. According to the 2020 Verizon Data Breach Investigations Report (DBIR), "one in 131 emails sent were malicious, the highest rate in five years." Email is a "proven attack channel," as simple deceptions can lead someone to open an attachment, follow a link, or disclose credentials.
Think your employees know better than that? Consider the fact that the US election attacks were accomplished using spearphishing emails. One was a spoofed email requiring users to reset their Gmail password.
You probably heard about the recent Google Docs scam that turned up in inboxes, saying someone the user knows had shared a Google Doc with them. If users clicked on the "Open in Docs" button, they were redirected to a non-Google site, and everyone in their Google address book then received the same email (now with the original user as the sender).
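The giveaway in that scam was that the "Open in Docs" button led somewhere other than Google. The following added example (not RedTeam Security's code) applies that check to an HTML message: it collects every link, compares the visible label with the real destination host, and flags labels that name a brand but point outside that brand's domain. The message, its domains and the small brand-to-domain table are all constructed for illustration.

```python
"""Flag links in an HTML email whose real destination contradicts their label.

Added example, not RedTeam Security's code. The sample message and the
domains in it are constructed; BRAND_DOMAINS is an illustrative table.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure in the style of a "document shared with you" notice.
SAMPLE_EMAIL = """
<p>alice@example.com has shared a document with you.</p>
<p><a href="https://docs-share.example.net/open?id=123">Open in Docs</a></p>
<p><a href="https://docs.google.com/document/d/abc">https://docs.google.com/document/d/abc</a></p>
<p><a href="http://accounts.google.com.example.org/login">https://accounts.google.com/login</a></p>
"""

# Words a link label may use and the domain such a link should actually be under.
BRAND_DOMAINS = {"docs": "google.com", "google": "google.com", "gmail": "google.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it (no substring tricks)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, brand_domains=BRAND_DOMAINS):
    """Return (href, label, reason) for links whose target contradicts their label."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        label = text.lower()
        # Case 1: the label is itself a URL but shows a different host than the link.
        if label.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if shown_host.lower() != real_host.lower():
                findings.append((href, text, f"label shows {shown_host}, link goes to {real_host}"))
            continue
        # Case 2: the label names a brand but the host is not under that brand's domain.
        for word, domain in brand_domains.items():
            if word in label and not under_domain(real_host, domain):
                findings.append((href, text, f"label mentions '{word}' but {real_host} is not under {domain}"))
                break
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```

Note the suffix check in under_domain: "accounts.google.com.example.org" contains the string "google.com" but is not under it, which is exactly the kind of lookalike a naive substring test would wave through.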
The sheer beauty of malicious emails for cybercriminals is that they can easily mask their nefarious intentions in what looks like everyday business communication. Invoices and delivery notices, for example, are some of the top means of spreading ransomware. No wonder the number of ransomware detections reported by Symantec rose from 340,665 in 2015 to 463,841, with the number of ransomware families jumping from 30 to 101.
According to Check Point research, employees are downloading new malware every four seconds. Check Point also found phishing attacks rising in volume and impacting 80% of the businesses surveyed. More importantly, the threats are ever-evolving. Yet, many users fail to update their operating systems, browsers, or software.
Yes, some updates are done automatically, but if not, it's essential to enable any security patches provided by vendors — right when they are offered.
Sure, the notification that your phone or computer needs an update yet again can be frustrating. But the reality is that these updates reflect the company working to stay ahead of malicious hackers who aim to discover and exploit security flaws.
Tip: Invoice, Order, Payment, and Bill were the most commonly used financial terms in malware spam campaigns. — Symantec
The average ransom amount in 2016 was $1,077, up from $294 in 2015.
Think about it. How often does a true "friend" or vendor send an email asking you for a password? Does the IRS typically send an email form for you to fill out to update your information? If you suspect something is off, heed that instinct! We can't stress this enough.
In an example of a social engineering scheme, a cybercriminal might call your IT or finance department pretending to be the administrative assistant of one of your clients. The caller will "need a favor" to smooth something over with his or her boss, and you might feel inclined to respond to this individual's emotional appeal.
Or you might get a call or visit from a service provider who needs access to your server to help solve some problem they've been asked to work on by [insert the name of your CIO here, which they've sneakily found online via LinkedIn or your website].
Verify before acting. These types of approaches aim to leverage a sense of urgency or convince you it's just a little thing, so you'll be tempted to provide the information without thinking twice.
If you feel silly asking for credentials or more time to verify a situation, just think of how silly you'd feel if you were to blame for a breach affecting your entire organization.
There were 357 new malware variants in 2016, up from 257 in 2014. — Symantec
Organizations are using more cloud apps than ever before, and fraudsters have adapted to the new opportunities.
Although the average enterprise used 928 cloud apps in 2016, CIOs interviewed by Symantec would have put their number at 30 to 40. Many also don't recognize the risk that data stored in the cloud, sometimes without their knowledge, could be exposed.
Yes, accessing the cloud can add to organizational collaboration and efficiency. Yet, at the same time, cloud services can add security vulnerabilities if the business isn't attentive to how its business data is stored on cloud services.
Symantec suggested in its 2017 Threat Report that IoT and cloud attacks are gaining momentum. Yet, at the same time, they noted that organizations are underestimating the risk and leaving themselves open to attack.
A new study from Juniper Research found that the total number of IoT connections will reach 83 billion by 2024, rising from 35 billion connections in 2020. The research identified the industrial sector as a key driver of this growth. This expansion will be driven mainly by the increasing use of private networks that leverage cellular network standards.
Default user names and passwords on IoT devices are often left unchanged either because of the difficulty in changing those that are hardcoded or because users are unaware of the danger.
Yet, the danger is real. Gartner predicts there will be more than 20 billion IoT devices globally by 2020. Cybercriminals are quickly learning to take over devices with little protection and easily guessed user names and passwords.
Tip: When an IoT device is not in use, disable remote access to it to help seal one possible entry point a cybercriminal might take.
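The password tip earlier in the article (mix letters and non-letters, capitalize something other than the first character, avoid the most common passwords) and the point about unchanged IoT defaults can be turned into one audit routine. The block below is an added example, not RedTeam Security's code: the common-password list, the factory-default table, the device models and the device inventory are all constructed placeholders, and the 12-character minimum is an assumption added here rather than a rule from the article.

```python
"""Audit stored credentials for the weaknesses discussed above.

Added example, not RedTeam Security's code. COMMON_PASSWORDS, FACTORY_DEFAULTS
and SAMPLE_DEVICES are constructed placeholders; the length minimum is an
assumption added here, not a rule from the article.
"""

# Constructed sample of a common-password deny-list (a real one is far longer).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

# Constructed vendor defaults keyed by device model (placeholder models, not real products).
FACTORY_DEFAULTS = {
    "CAM-100": ("admin", "admin"),
    "RTR-20": ("admin", "password"),
}

MIN_LENGTH = 12  # assumption, not from the article


def password_problems(password, model=None, username=None):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if model in FACTORY_DEFAULTS and FACTORY_DEFAULTS[model] == (username, password):
        problems.append(f"unchanged factory default for {model}")
    has_letter = any(c.isalpha() for c in password)
    has_non_letter = any(not c.isalpha() for c in password)
    if not (has_letter and has_non_letter):
        problems.append("needs both letters and non-letters")
    # A capital only at position 0 is the predictable choice; require one elsewhere.
    if not any(c.isupper() for c in password[1:]):
        problems.append("needs a capital letter beyond the first character")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def audit_inventory(devices):
    """devices: iterable of dicts with name/model/username/password.
    Returns {device_name: [problems]} for every device that fails."""
    report = {}
    for d in devices:
        probs = password_problems(d["password"], d.get("model"), d.get("username"))
        if probs:
            report[d["name"]] = probs
    return report


# Constructed inventory: two devices still carry weak or default credentials.
SAMPLE_DEVICES = [
    {"name": "lobby-cam", "model": "CAM-100", "username": "admin", "password": "admin"},
    {"name": "edge-router", "model": "RTR-20", "username": "admin", "password": "w3tDog!paRk-9"},
    {"name": "thermostat", "model": "THM-5", "username": "svc", "password": "password"},
]


if __name__ == "__main__":
    for name, probs in audit_inventory(SAMPLE_DEVICES).items():
        print(name + ":", "; ".join(probs))
```

Run against a real inventory, the factory-default check is the one that matters most for IoT gear: a device that still answers to its shipped credentials is exposed regardless of how strong the rest of your password policy is.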
People know they should be actively protecting their information and devices. Still, according to Norton's 2016 Cyber Security Insights Report, 76% of consumers are aware of their vulnerability but still engage in risky online behaviors (anyone feeling a slight pang of guilt here?).
Some 71% of consumers in Norton's study said public Wi-Fi is useful for checking emails and sending documents. But are those consumers doing the same with their work emails while on a coffee break offsite? Hackers can easily access an unsecured network and intercept the information your employees are entering, efficiently multitasking while waiting in line for their macchiato.
Complacency can also be seen among Mac users who believe that only PCs can be hacked. While there are fewer Mac viruses (or, for the burger fans, "Mac attacks"), there are still documented cases of Macs being targeted.
Ultimately, it's up to an organization to effectively educate its employees about the real risks of some of their bad habits.
There are many, many ways for cybercriminals to access information. Taking preventative measures at all entry points may seem overwhelming. When training employees, though, there are some basic behaviors that can make a big difference to data security.
You might focus on encouraging good habits around these points in particular:
RedTeam Security can identify and fix vulnerabilities in your business. With our application, network, physical, and IoT device penetration tests, our team of experts can help secure your business. Schedule your free consultation now!
Malware — A broad term for all manner of malicious threats, including viruses, Trojans, ransomware, spyware, and worms.
Virus — A category of malware designed to replicate and spread.
Spear-phishing — A personalized email sent to an individual that uses some knowledge of the target to make them act urgently and provide sensitive data.
Ransomware — A category of malware hidden in seemingly routine correspondence that, once executed, can hold the victim's data hostage for money.