With an estimated 90% of cyber attacks caused by human error or behavior, it’s important to understand the most common cyber security mistakes your employees are probably making and know how to mitigate them.

Becoming victims of phishing schemes

Stolen login credentials are the most common way hackers breach enterprise systems, and most of the time, these credentials are stolen through a phishing scheme. A highly targeted variant of phishing, called spear phishing or business email compromise, is used to convince employees to wire money or send sensitive data, such as W2 information, to cyber criminals.

Avoid having your employees make this cyber security mistake by educating them about the warning signs of a phishing scheme. Organizations must also establish policies against sending sensitive data through email, ensure that employees have access only to the systems and data they need to do their jobs, and add redundancy into payment approval processes, especially wire transfers.

Mistakes involving login credentials

This is a broad category of cyber security mistakes that includes:

* Using weak passwords
* Not using multi-factor authentication whenever possible
* Reusing passwords
* Sharing login credentials
* Writing credentials down and leaving them in public areas, such as sticky notes in the work area
* Leaving a terminal unattended without logging out first

Most of these security mistakes can be avoided through employee education on the dangers of not keeping login credentials secure. Organizations can also employ technical measures to force login sessions to automatically time out when a terminal is inactive, require the use of MFA, and automatically generate strong passwords.

Using shadow IT software and services

Over three-quarters of employees admit to using shadow IT software and services at the workplace. Most of the time, their intentions are not malicious. They are simply trying to do their jobs better, and they do not realize how dangerous shadow IT can be to security and compliance. Employee education is the best way to head off this security mistake. Technical tools can also be employed to ferret out shadow IT apps.

Inserting “mystery” devices into workplace computers

A common social engineering tactic is for hackers to leave USB thumb drives and other plugin devices in public areas where employees will find them. Sometimes, the devices will have labels meant to entice employees to want to covertly access them, such as “Q4 Performance Reviews” or indicating that the device contains pornographic content. Employees must be educated about the dangers of making this security mistake.

Making security mistakes when using public WiFi

Free public WiFi networks are ubiquitous, found everywhere from fast-food restaurants to aboard trains. Remote workers and employees who frequently travel for business often take advantage of public WiFi to work on the go. As with shadow IT apps, this is usually because of a security mistake, not maliciousness or negligence; employees don’t realize how dangerous public WiFi is. In addition to educating employees on best practices when accessing public WiFi networks, organizations should provide VPN access to all employees who work remotely.

Not protecting computers and other IoT devices

This security mistake involves physical protection as well as password protection. In a recent survey, over half of working adults admitted to allowing friends and family to access devices given to them by their employers. Employees who travel for work may also leave devices unattended in public areas or hotel rooms or allow strangers to “borrow” their smart phones.

Employees who travel need to be educated about best cyber practices when traveling. Organizations should ensure that these employees’ devices are protected with strong passwords, multi-factor authentication, or a biometric lock. If possible, have disposable phones and laptops on hand to loan to employees for travel purposes. If an employee must travel with a device that contains sensitive data, make sure the device is encrypted.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.