Businesses face a lot of IT security threats, but a large percentage could be avoided with a change in users’ behavior. Here are 10 of the most common ways employees put their companies at risk:
1. They steal data
In many cases, users’ negligence or mistakes lead to breaches. But other times users and other insiders simply steal data themselves. More than a quarter of users (26%) either know someone who has taken company data they shouldn’t have or have done so themselves, according to a recent survey conducted by Harris Interactive and Courion.
The good news is that the majority of people are following the rules. However, it only takes one member of that 26% to lead to a data breach in your company.
Training users and informing them of IT’s policies can help, as can asking people to report suspicious activity they see among their co-workers.
But the most effective strategy is often to limit the risk by only giving users access to the data they need to do their jobs.
2. They open emails they know they shouldn’t
Among the 2,000 users surveyed, 19% have gotten an email at work that they suspected to be a phishing scam — and opened it anyway, without notifying IT.
Since those people at least know how to identify suspicious emails, it’s likely that with more awareness training they would learn how important it is to leave them unopened.
3. They trust social networks
In addition to email, many phishing and social engineering attacks occur on social media. Those sites are an easy way to contact people to try to spread malware or gather sensitive data, and victims may be more trusting because the interaction is more personal.
To protect information, IT should train users on how to stay safe on social networks.
4. They leave the company with data
Among the 2,000 users surveyed by Courion, 15% admitted that if they knew they were going to be fired, they would take whatever sensitive information they could get their hands on, including price lists, customer data and product plans.
Part of the problem is that many companies make it easy for employees to do so — 16% of survey respondents said they are still able to use old usernames and passwords from jobs they’ve left. It’s important that IT is notified as soon as employees leave the company or when roles change so that access can be shut off accordingly.
5. They don’t protect mobile devices
These days users think very little about loading sensitive data onto personal smartphones and bringing it with them on the go. Despite the fears of many IT pros, BYOD can be a good thing for companies, as it helps improve morale and productivity among workers.
However, both users and IT need to take some steps to keep data secure — and many users aren’t even taking the most basic security steps with their devices. In fact, 37% of iPhone users don’t even password protect their smartphones, according to a survey from Soluto.
That’s why it’s important for IT to create policies and make sure they’re enforced before devices are given access to the network. Training can also help users understand why passwords and other controls are necessary.
6. They sign up for consumer-level cloud services
The majority of users (59%) say they’ve signed up for their own cloud-based file sharing software even though they know it’s against the rules, according to a survey released last year by Symantec. Often, those are services geared toward consumers that don’t offer much in the way of security.
While cloud computing policies haven’t done much to stop rogue cloud deployments, creating and enforcing strong rules while offering safe options for the tools users want and need could help keep cloud services under IT’s control.
7. They use dumb passwords
Every IT person has probably come across several users who refuse to set any passwords other than “12345,” or some other easily guessed combination.
Again, much of the problem stems from a lack of awareness. Among the users surveyed by Courion, 23% don’t understand why IT requires frequent password changes.
8. They run outdated software
Many security attacks target vulnerabilities that have been patched for months or even years. The reason: Hackers know that a lot of systems are running outdated versions of software.
For example, only 19% of business computers are running the latest version of Java, according to a recent report from Websense.
Often, users see notifications that updates are available, but do nothing because they’re wary of installing software on their own. That’s why IT should educate users about the importance of installing patches, or in some cases, run the updates themselves.
9. They don’t vet business partners
Especially as cloud computing becomes more common, companies are putting a lot of sensitive data in the hands of third-party providers. That can cause big problems if an organization’s data is stolen because of a breach at a third party.
Unfortunately, many organizations don’t do enough to make sure they only hand over information to businesses that will keep it secure. Just 54% of companies said they thoroughly vet third parties before doing business with them, according to a Ponemon Institute report.
That’s another reason IT should be involved in those decisions. It may also help if leaders in other departments are educated about what security features to look for in those business partners.
10. They think antivirus software is enough
While IT pros know better, many users probably think that as long as their computer has antivirus software, they’re safe from attacks. However, there are a number of ways threats get around those controls.
Users need to understand that it pays to be careful when browsing the Internet or opening email, no matter what protection is in place.