Top Five Ways The Human Factor Threatens Your Data Security

By Ilia Sotnikov | March 26, 2019 | Updated: December 30, 2021 | 4 Mins Read

Data protection regulations have become stricter and now focus on protecting consumers' data privacy. New state regulations like the California Consumer Privacy Act (CCPA) force businesses to make it their top priority. However, many companies lack a strong cybersecurity culture and therefore become more vulnerable to security and compliance issues. According to a whitepaper by Osterman Research, only 18 percent of organizations have a program to train employees on the CCPA, which comes into force in less than a year.

Lack of training and failure to implement other security practices increase the risk of human error, which often leads to data breaches. Here are the five most common mistakes that your employees make and recommendations you need to follow in order to minimize potential damage.

  1. Fall for phishing schemes

Phishing attacks are the most common way for hackers to easily gain access to sensitive data. The attack can be opportunistic or targeted. An attacker sends a malicious email that seems to be from a trusted source, and waits until an employee opens it. To minimize risk, I recommend educating employees about cybersecurity not only when you hire them, but also through regular and effective training. For example, use a series of short videos that show how social engineering attacks work in real life. A good practice would be to run simulation tests periodically to check whether the training was effective. Implement anti-spam and email filtering tools to mitigate the risk even further.

  2. Stick to bad password habits

Despite everyone talking about the importance of good password practices, employees still reuse passwords, forget to change them, use weak passwords (e.g. 12345 or qwerty) or even leave access credentials on sticky notes. These habits make it easy for attackers to steal or crack passwords, which may lead to a data breach. To avoid this, conduct training sessions dedicated to password practices and use password manager software that generates and retrieves complex credentials and stores them in an encrypted database. Also, consider using a password expiration tool that automatically reminds users to change their passwords before they expire.

  3. Give unauthorized users access to corporate devices

When your employees let their friends or family members use company-issued devices at home, this poses a threat to your IT environment. These users may accidentally access sensitive data like the organization’s financial records or download malware that could damage your data. To avoid this threat, introduce an information security plan that everyone is familiar with, and encourage team leaders to ensure their teams follow these practices. Also, make sure your devices are password protected and apply two-factor authentication to all corporate devices and applications if possible.

  4. Misdeliver information

It is not unusual for an employee to send an email with the company’s data to the wrong recipient. To avoid this, it is important to require encryption for all emails that contain sensitive information. In addition, employ pop-up boxes that remind senders to double check the email address when they’re emailing sensitive data. A good practice is to implement a data loss prevention (DLP) solution that tracks events that may cause information leakage and automatically takes action (e.g., prevents users from sending sensitive data outside of the corporate network).
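The three controls above can be expressed as one outbound-mail policy decision. The sketch below is an added example, not code from the article or from any DLP product; the corporate domain, the two detectors and the action names are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re

# Assumptions for this sketch: the corporate domain and both detectors are illustrative.
CORPORATE_DOMAINS = {"example.com"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers apart from order IDs and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the labels of sensitive data types found in the message body."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("payment_card")
            break
    if SSN_RE.search(text):
        hits.append("us_ssn")
    return hits

def evaluate(recipients, body, encrypted):
    """Decide what to do with an outbound message before it leaves the mail server."""
    hits = find_sensitive(body)
    if not hits:
        return ("allow", hits)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS]
    if external:
        return ("block", hits)               # sensitive data leaving the corporate network
    if not encrypted:
        return ("require_encryption", hits)  # sensitive mail must be encrypted
    return ("confirm_recipients", hits)      # pop-up: double check the addresses

if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        (["bob@example.com"], "Lunch at noon?", False),
        (["bob@partner.test"], "Card 4111 1111 1111 1111", True),
        (["bob@example.com"], "SSN 123-45-6789", False),
        (["bob@example.com"], "SSN 123-45-6789", True),
    ]
    for rcpts, body, enc in samples:
        print(rcpts, evaluate(rcpts, body, enc))
```

The Luhn check keeps digit runs such as order numbers from triggering the policy, which matters because a rule that fires on every long number trains users to click through the reminder.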

  5. Fail to update and secure privileged accounts

Privileged accounts are powerful, but security controls for preventing their misuse are often weak. The Netwrix 2018 IT Risks Report shows that only 38 percent of organizations update admin passwords once a quarter; others do it less than once a year. Meanwhile, if IT pros don’t update and secure passwords of privileged accounts, attackers can easily crack them and access the entire organization’s network. To prevent this, you need to implement least privilege principles and grant privileges only to those who really need them for specific tasks. Use two-factor authentication and establish separate administrative and employee accounts for IT personnel; admin accounts should be used only to manage specific parts of the IT infrastructure.   

No matter how strong your cybersecurity defenses are, people will still make mistakes. The Netwrix report discovered that 29 percent of organizations had to deal with human errors that resulted in data breaches over the last year. To minimize the risk of security incidents, you need to enable continuous control over your data, quickly detect suspicious activities and respond to incidents. A strong cybersecurity culture and effective training programs for employees can contribute to protecting your sensitive data and mitigating potential threats.

Ilia Sotnikov

Ilia Sotnikov is Security Strategist & Vice President of User Experience at Netwrix. He has over 20 years of experience in cybersecurity as well as IT management experience during his time at Netwrix, Quest Software, and Dell. In addition, Ilia is a regular contributor at Forbes Tech Council where he shares his knowledge and insights regarding cyber threats and security best practices with the broader IT and business community.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
