You might think only young people new to digital literacy can fall victim to dangerous online behaviors. If only. In fact, your team at work could also be at risk. These nine online behaviors are all too common among supposedly savvy adults.
This article will help you consider the risks and also set you up with tips for better training your employees to avoid putting your business’s data and sensitive information in danger.
#1 Revealing Too Much Information
Lots of your employees are probably responsible parents who have talked to their kids about revealing personal information online. Still, they may need a talking-to of their own! With the ubiquity of social networking sites today, hackers are easily able to gain the personal information they need to take advantage.
For example, you might ask an employee to reconsider the barrage of greetings that arrive from Facebook friends on a birthday. Although sharing this information online puts them in the company of more than 20 million U.S. Facebook users, knowing a user’s birthday can help hackers infiltrate a network and gain sensitive data.
The same is true of commonly shared information like alma mater, family member’s names (including pets), hometown, and favorite activities — all of which can be used to crack a password or contribute to a social engineering scheme.
#2 Poor Password Strength
Research shows 9 out of 10 login attempts on many web and mobile applications are made by cybercriminals using automation to rapidly test millions of credentials. Yet, a 2016 study found that the two most commonly used passwords remain “123456” and “password.”
With users today having so many different online password logins, they often rely on easily remembered passwords instead of difficult to crack ones. Some even retain factory-set default passwords, opening the network door to cybercriminals who can put crucial business infrastructure at risk.
Tip: Mix letters and non-letters in your passwords and add random capitalization to your passwords (capitalizing any but the first letter).
Learn more about securing your password here.
#3 Repeating Passwords
Reusing a password can make things more convenient for the worker who can’t imagine remembering 20 or 30 different passwords for all of their different online logins. More than 50% of users are estimated to use the same user names and passwords across multiple sites.
Yet password reuse attacks are prevalent. Even Facebook’s CEO isn’t immune; Mark Zuckerberg fell victim to this when several of his social accounts were attacked. Taking advantage of stolen or compromised user names and passwords, hackers will dedicate bot software to stuffing these into your site until one provides access.
After all, not all sites are equal in terms of their login security. Your bank’s extra security measures won’t mean a thing if your credentials are the same on the easily hacked recipe site CrockpotCommunity.com. The fraudster with your cooking site credentials will have no problem accessing your bank account, too!
In the last 8 years more than 7.1 billion identities have been exposed in data breaches. — Symantec
#4 Clicking on Malicious Links or Downloads
Email remains a weapon of choice for cyber attackers. According to Symantec, “one in 131 emails sent were malicious, the highest rate in five years.” Email is a “proven attack channel” as simple deceptions can lead someone to open an attachment, follow a link, or disclose credentials.
Think your employees know better than that? Consider the fact that the US election attacks were accomplished using spearphishing emails. One was a spoofed email requiring users to reset their Gmail password.
You probably heard about the recent Google Docs scam that turned up in inboxes, saying someone the user knows had shared a Google Doc with them. If users clicked on the “Open in Docs” button, they were redirected to a non-Google site and everyone in their Google address book then received the same email (now with the original user as the sender).
The very beauty of malicious emails for the cyber criminal is that they can easily mask their nefarious intentions in what looks like a normal business communication; invoices or delivery notices, for example, are some of the top means of spreading ransomware. No wonder Symantec’s number of ransomware detections rose from 340,665 in 2015 to 463,841, with the number of ransomware families jumping from 30 to 101.
Figure 1. Email malware targeted companies of all sizes in 2016, per Symantec.
#5 Not Updating Antivirus and Malware Protections
Employees are downloading new malware every four seconds, according to Check Point research, which also found phishing attacks rising in volume and impacting 80% of the businesses surveyed. More importantly, the threats are ever-evolving. Yet many users fail to update their operating systems, browsers or software.
Yes, some updates are done automatically, but if not, it’s important to enable any security patches provided by vendors — right when they are offered.
Sure, the notification that your phone or computer needs an update yet again can be frustrating. But the reality is that these updates reflect the company working to stay ahead of malicious hackers who aim to discover and exploit security flaws.
Tip: Invoice, Order, Payment, and Bill figured were the most commonly used financial terms in malware spam campaigns. — Symantec
The average ransom amount in 2016 was $1,077, up from $294 in 2015.
#6 Ignoring Spidey Sense Tingling
Think about it. How often does a true “friend” or vendor send an email asking you for a password? Or, does the IRS typically send an email form for you to fill out to update your information? If you suspect something is off, heed that instinct! We can’t stress this enough.
In an example of a social engineering scheme, a cyber criminal might call your IT or finance department pretending to be the administrative assistant of one of your clients. The caller will “need a favor” to smooth something over with his or her boss, and you might feel inclined to help this individual’s emotional appeal.
Or you might get a call or visit from a service provider who needs access to your server to help solve some problem they’ve been asked to work on by [insert the name of your CIO here, which they’ve sneakily found online via LinkedIn or your website].
Verify before acting. These types of approaches aim to leverage a sense of urgency or convince you it’s just a little thing, so you’ll be tempted to provide the information without thinking twice.
If you feel silly asking for credentials or more time to verify a situation, just think of how silly you’d feel if you were to blame for a breach on your entire organization.
There were 357 new malware variants in 2016, up from 257 in 2014. — Symantec
#7 Failing to Secure Cloud Apps
Organizations are using more cloud apps than ever before, and fraudsters have adapted to the new opportunities.
Although the average enterprise used 928 cloud apps in 2016, CIOs interviewed by Symtantec would have put their number at 30 to 40. Many also don’t recognize the risk of exposure of data stored in the cloud, sometimes even without their knowledge.
Yes, accessing the cloud can add to organizational collaboration and efficiency. Yet, at the same time, cloud services can add security vulnerabilities if the business isn’t attentive to how its business data is stored on cloud services.
#8 Leaving the IoT Doors Open
Symantec suggested in its 2017 Threat Report that IoT and cloud attacks are gaining momentum. Yet, at the same time, they noted that organizations are underestimating the risk and leaving themselves open to attack.
In fact, default user names and passwords on IoT devices are often left unchanged either because of the difficulty in changing those that are hardcoded, or because users are unaware of the danger.
Yet the danger is real. Gartner predicts there will be more than 20 billion IoT devices in the world by 2020, and cyber criminals are quickly learning to take over devices with little protection and easily guessed user names and passwords.
Tip: When an IoT device is not in use, make it so that it can’t be access remotely to help seal one possible entry point a cyber criminal might take.
#9 Assuming “That Will Never Happen to Us”
People know they should be actively protecting their information and devices. Still, according to Norton’s 2016 Cyber Security Insights Report, 76% of consumers are aware of their vulnerability but still engage in risky online behaviors (anyone feeling a little pang of guilt here?).
Some 71% of consumers in Norton’s study said public Wi-Fi is useful for checking emails and sending documents. But are those consumers doing the same with their work emails while on a coffee break offsite? Hackers can easily access an unsecured network and intercept the information your employees are entering, efficiently multitasking while waiting in line for their macchiato.
Complacency can also be seen among Mac users who believe that only PCs can be hacked. While there are fewer Mac viruses (or, for the burger fans, “Mac attacks”), there are still documented cases of Macs being targeted.
Ultimately, it’s up to an organization to effectively educate its employees about the real risks of some of their bad habits.
Strategies to Share with Employees
There are many, many ways for cyber criminals to access information. Taking preventative measures at all entry points may seem overwhelming. When training employees, though, there are some basic behaviors that can make a big difference to data security.
You might focus on encouraging good habits around these points in particular:
- Make strong, distinct passwords and protect them.
- Delete any suspicious emails, especially those with links or attachments.
- Keep security software up to date.
- Change device default passwords.
- Be suspicious of emails, calls, or visitors encouraging action that is outside of the normal procedure.
- Exercise caution when connecting to public WiFi.
Red Team Security Consulting can identify and fix vulnerabilities at your business. With our application, network, physical, and IoT device penetration tests, our team of experts can help secure your business. Schedule your free consultation now!
Key Terms to Know
Malware — A broad term for all manner of malicious threats including viruses, Trojans, ransomware, spyware, and worms.
Virus — A category of malware designed to replicate and spread.
Spear-phishing — An email sent to an individual, personalized, with some knowledge of the target, that uses that familiarity to make the individual act urgently to provide sensitive data.
Ransomware — A category of malware hidden in seemingly routine correspondence that once enacted can hold the victim’s data hostage for money.