Many of the cyber attacks and data breaches of the past were possible because of human error. The Hacker News cites the IBM Cyber Security Intelligence Index Report, which states that human error was a significant factor in 95% of breaches. That makes a lot of sense when you think about it: you can have the most sophisticated cybersecurity strategy, but it won’t be effective if it is not implemented correctly and the organization’s staff members don’t follow it.
What are the most common human mistakes that lead to data breaches or hacking?
Ordinary staff members and even people from the top management of a company can fall victim to a scam that leads to a breach of the systems. Every case is unique. However, there are some common mistakes that people make, which cost them dearly.
Weak password management
Unfortunately, this is very common. A lot of people don’t take the time to create strong passwords and change them frequently. Storing them insecurely is another potential vulnerability. Here are some tips on how you can improve this:
- Create strong and complex passwords that you change at least once every six months; passphrases are a good option;
- Don’t use the same password for two or more accounts;
- Research and use reliable, secure password management software;
- Saving your passwords automatically in your browser is not recommended;
- Enable two-factor authentication and additional security questions wherever possible.
Every company should give its employees guidelines on how to create and store their passwords and secret codes. Ideally, employees follow those rules for their personal accounts as well – social media, private email, etc.
Inability to detect phishing emails and messages
This is another big issue among staff members. In many organisations, people lack the knowledge needed to spot more sophisticated phishing emails. Here are some universal ways to do that:
- Check the domain the email comes from. Attackers often imitate mobile operators or financial institutions by copying their standard email template or even their website. Compare the sender’s domain name with the real one: often there is a very small difference that you can notice;
- No legitimate institution or organisation where you have a registration, account or subscription will ask you to enter your account or credit/debit card details in an email. This is a huge red flag;
- If someone on social media sends you a link with no description, or with a weird-looking one, message them back and ask specifically what the link is and where it will take you when you click on it;
- You can never be too careful – if you have any doubts about a certain email or message, consult the security officer in your organisation. It might be a false alarm, but it is better to be safe than sorry.
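As an added example (not part of the original article), the domain check from the first tip can be automated: the script below flags a sender domain that differs from a trusted domain by one character, by a look-alike character, or by burying the real name inside another domain. The trusted-domain list, the confusable table and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist: the domains this organisation really corresponds with.
TRUSTED_DOMAINS = {"examplebank.com", "mobile-operator.example"}

# Characters attackers swap for look-alikes in typosquatted names (constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Fold look-alike characters so 'rnobile-operator.example' compares equal to the real name."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one-character typo such as a dropped letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in an email From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rpartition("@")[2].lower().strip()
    for trusted in TRUSTED_DOMAINS:
        # The real domain itself, or a genuine subdomain of it (mail.examplebank.com).
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    # Registrable part only (last two labels); good enough for .com-style names.
    registrable = ".".join(domain.split(".")[-2:])
    for trusted in TRUSTED_DOMAINS:
        # Real name buried inside another domain: examplebank.com.attacker.example
        if trusted in domain:
            return "lookalike"
        # Look-alike character (examp1ebank.com) or one-character typo (examplebank.co)
        if normalise(registrable) == trusted or edit_distance(registrable, trusted) <= 1:
            return "lookalike"
    return "unknown"
```

A mail gateway or a training exercise can run classify_sender over the From: header and surface the "lookalike" verdict to the user, which is exactly the comparison the tip asks people to make by eye.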
Failing to update devices with much-needed software upgrades
This is also a classic case. Vendors very often issue patches or software updates that fix vulnerabilities in older versions of their software, and they usually tell all users to update their devices to the latest version to eliminate the chance of a security breach. However, not everyone listens.
A while back we told you about the big leak of VPN Account Passwords From 87,000 Fortinet FortiGate Devices. It was possible because many users had failed to update their devices: although the bug was fixed in May 2019, it remained one of the most widely exploited vulnerabilities in 2020 as well.
That suggests that a lot of Fortinet’s clients did not follow the instructions to upgrade their devices, which left them vulnerable. And this is not an isolated case. Such negligence can bring a lot of trouble.
What can be done to prevent all of this?
Nobody is perfect. People are going to make mistakes; it is inevitable. However, there are several ways you can help your employees gain the skills and knowledge needed to minimize such errors and contribute to the cybersecurity of the whole organisation:
- Invest in staff awareness training – make sure that the people who work for you are familiar with information security threats, can identify them and can handle them accordingly. Like everything else, this works best when the solution is tailored to the needs of the specific company;
- Raise awareness about cybersecurity – get people involved and help them understand that cybersecurity is as important to your company as all its other everyday activities and business operations;
- Provide resources and guidelines – the average person is not a cybersecurity expert and doesn’t have to be. However, you can help them with simple guidelines they can follow and useful resources that won’t make following the security recommendations a burden.
There is no magic pill that makes human error go away. What you can do is invest in staff training and make cybersecurity a strategic priority for your company and staff. If you need help with that, just give us a call. Our expert team will be happy to help!