Employees often find creative ways to work around IT security policies, but even those who follow the “rules” often make simple mistakes that put your organization’s data at risk. The Ponemon Institute’s 2014 Cost of Data Breach report attributed thirty percent of all data breaches in 2014 to employee mistakes, while a more recent survey by CompTIA put that number at a whopping fifty-two percent. Even in strict federal work environments, at least half of all cyber security incidents can be traced back to human error, according to an Associated Press analysis.
What are some of the most common IT security mistakes made by employees?
Clicking that link. Social engineering is an extremely effective cybercrime tactic. According to Verizon’s 2014 Data Breach Investigations Report, seventy-eight percent of successful security attacks involved spear-phishing scams—tricking an employee into clicking on a link or opening an attachment containing malware.
Bring-your-own-malware. The BYOD trend creates a myriad of security challenges for the enterprise. People tend to ignore security best practices when using their device for personal activities. They visit questionable sites and download unverified applications. They don’t lock their devices with passwords—or make those passwords incredibly simple. Then, when they shift into “work” mode, they expose their employer’s digital ecosystem to the malware and spyware they’ve unknowingly installed.
Shady Wi-Fi. Wireless connections are just about everywhere these days. Most organizations have strict policies about connecting to their digital ecosystem via unsecured public Wi-Fi, and yet, employees do it anyway. A recent survey by Harris Interactive found that almost one-third (31%) of employees admitted to connecting to their company’s network from unsecured Wi-Fi. Doing so puts the network at risk.
A simple case of mistaken identity. It’s easy to accidentally hit “Reply All” or let the email client’s address auto-complete populate the wrong names in a message. But what if that email contained sensitive information or an attachment with confidential data? Or what if you miskey an email address, unwittingly sending a sensitive document to a completely unknown recipient (or to a lookalike domain one character away from your own)? Emailing a sensitive document to an unintended person, known or unknown, creates a new and prolonged risk, because the attachment now sits in a mailbox you do not control for as long as that mailbox exists. If a cybercriminal later gains access to that email account, they inherit a long history of documents sent as attachments.
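A concrete outbound-mail check for the failure modes above, as an added example that is not part of the original post: before a message leaves, compare every recipient’s domain against the corporate domain and flag (a) domains within a small edit distance of it (a miskeyed or lookalike address) and (b) any genuinely external recipient when the message carries an attachment. The corporate domain `example.com`, the edit-distance threshold of 2, the recipient addresses and the attachment names are all constructed for illustration.

```python
"""Outbound-mail recipient sanity check (added example; the corporate domain,
threshold and sample addresses below are assumptions, not from the original post)."""

CORPORATE_DOMAIN = "example.com"   # assumption: the sending organisation's domain


def levenshtein(a: str, b: str) -> int:
    """Plain Levenshtein edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def recipient_domain(address: str) -> str:
    """Everything after the last '@', lower-cased; domains are case-insensitive."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_recipients(recipients, attachments, corp_domain=CORPORATE_DOMAIN,
                     max_typo_distance=2):
    """Return a list of (finding, address) tuples for recipients worth a second look.

    'lookalike-domain'         : domain is not corp_domain but within
                                 max_typo_distance edits of it (likely a typo)
    'external-with-attachment' : domain is external and the mail carries a file
    Internal recipients, and external ones on a message with no attachment, are
    not reported; the check is meant to prompt the sender, not to block mail.
    """
    findings = []
    for address in recipients:
        domain = recipient_domain(address)
        if domain == corp_domain:
            continue
        if levenshtein(domain, corp_domain) <= max_typo_distance:
            findings.append(("lookalike-domain", address))
        elif attachments:
            findings.append(("external-with-attachment", address))
    return findings


if __name__ == "__main__":
    # Constructed sample: a transposed letter in the domain, then a real partner
    # on a message with a spreadsheet attached.
    print(check_recipients(["alice@example.com", "bob@exmaple.com"], []))
    print(check_recipients(["alice@example.com", "partner@partner.org"],
                           ["q3-forecast.xlsx"]))
```

A threshold of 2 catches transpositions and single-character slips without flagging every unrelated domain; tune it for short corporate domains, where many legitimate domains fall within two edits. In a real deployment this logic would sit in a mail gateway or client add-in and prompt the sender to confirm, since hard-blocking external attachments is exactly the kind of barrier that drives the workarounds discussed later in the post.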
Printing. One of the most common security mistakes employees make is hitting print, or putting pen to paper and recording sensitive information. The office print tray is a decidedly insecure place to store sensitive documents, and a notebook or sticky note isn’t much better. Employees without a need to know, and visitors, can easily catch a glimpse of any sensitive information on paper in a common area. And physical documents carry none of the protections of today’s digital documents (access controls, encryption, audit trails): anyone can literally walk out the door with the document or note, make unlimited copies and distribute at will.
Despite the established risk, CompTIA found that human error ranks as a serious concern for less than a third of respondents to its IT security survey. Experts attribute this lack of focus to the fact that the human factor is the most difficult risk to solve. Whereas most other security threats can be addressed with investments in security technology, this approach doesn’t work for internal human error: adding security barriers only lowers compliance and increases workarounds.
So, how can a security-minded organization face this and other security threats that come from within? Download the executive brief, Protecting Data in the Age of Employee Churn, to learn how endpoint backup can provide a secure foundation for mitigating insider threats.