Let me share with you the 5 most common errors users make and the preventive measures you can and should take before they lead to real damage to your business (branding, financial losses, reputation, legal and compliance breaches) and personal financial accounts and identity.
Error #1. Falling for phishing scams
Phishing is when a scammer sends malicious emails that seem to be from a trusted source in order to induce victims to reveal personal information.
Phishing and pretexting (presenting oneself as someone else in order to obtain private information) account for 93% of social breaches, and email is the most common attack vector (96%) (Source: Verizon Data Breach Report 2018-19). This mistake is more likely if a company tells employees about cyber security only at the time of hire, instead of establishing a security-centric culture.
· Security awareness training – use short, five-minute videos that recreate real-world situations and show how social engineering attacks work.
· Run phishing simulation tests periodically to check whether the training was effective and employees follow your information security policies. Identify the high-risk users who are more likely to click on malicious links, so you can work with them individually.
· Implement anti-spam and email filtering tools to mitigate the risk even further.
Error #2. Letting unauthorized users access company devices
55% of working adults allow friends and family members to access their employer-issued devices at home. (Source: Wombat’s 2018 User Risk Report).
This is another sign of poor cyber security awareness, since the friend or family member might access sensitive data like the organizations’ bank accounts or customer data. What’s worse, they might download malware that could get access to corporate data, cloud applications and storage.
· One-time training at hire is insufficient. Introduce a comprehensive information security plan that all employees must follow, and encourage team leaders to enforce cybersecurity discipline within their teams.
· Another important measure is to implement proper security controls on devices and systems. Ensure that all devices are password protected, and enable two-factor authentication on all corporate devices and applications where possible.
66% of respondents who do not use a password manager tool admit to reusing 60% of their passwords across online accounts (Source: Wombat’s 2018 User Risk Report).
Error #3. Poorly managed high privileged accounts
Accounts with high privileges, such as admin accounts, are powerful, but security controls for preventing their misuse are often inadequate. IT professionals can make mistakes, too, and such mistakes often cost companies a lot.
The recent Netwrix 2018 IT Risks Report shows that only 38% of organizations update admin passwords once a quarter; the rest do it only once a year or even more rarely. If IT pros fail to update and secure the passwords to privileged accounts, attackers can crack them more easily and get access to the organization’s network. Then they can use the compromised admin credentials to bypass access controls on various resources or IT systems in order to access sensitive data.
· Apply the least-privilege principle to all accounts and systems wherever possible. Instead of granting administrative rights to multiple accounts, elevate privileges on an as-needed basis for specific applications and tasks, only for the short period of time when they are needed.
· Two-factor authentication is also useful as an extra layer of protection.
· Establish separate administrative and employee accounts for IT personnel; admin accounts should be used only to manage specific parts of the infrastructure.
Error #4. Poor user password practices
Password reuse is a very risky practice, because once one account is compromised, the attacker gets access to a wider variety of assets.
Beyond password reuse, other password-related risks include using obvious passwords (e.g., 123abc, 1111), failing to update passwords regularly, storing passwords within reach of the computer, and sharing passwords with others.
All of these poor password practices increase the risk of a breach for a company, because an attacker can more easily steal or crack passwords.
· Holding training sessions dedicated solely to password practices is definitely worth doing. Also consider using supportive hints that are pushed to user screens when they log in — these tips can repeat key points emphasized in the training.
· Use a password manager application that generates and retrieves complex credentials and stores them in an encrypted database. In addition, consider using a password expiration tool that automatically reminds users to change their passwords before they expire, so you can require regular password changes without burying your helpdesk in calls to reset expired passwords.
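The password practices above (rejecting obvious passwords, blocking reuse, and reminding users before expiry) can be enforced at the point where a user sets a password. The following is an added example written for this post; it is not the author's tooling or any vendor's password manager. The denylist, the 12-character minimum, the 90-day rotation period, the 14-day reminder window, the history depth of 5 and the sample passwords are all assumptions chosen for illustration; only salted hashes are kept in the history, never plaintext.

```python
"""Password policy check and expiry reminder (added example; all thresholds assumed)."""
import hashlib
import os
import string
from datetime import date, timedelta

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}  # constructed denylist
MIN_LENGTH = 12       # assumed minimum length
MAX_AGE_DAYS = 90     # assumed rotation period
WARN_DAYS = 14        # assumed reminder lead time before expiry
HISTORY_DEPTH = 5     # assumed: the last 5 passwords may not be reused


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only these are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def _step(a, b):
    """Distance between two characters inside the digit or letter sequence, else None."""
    for seq in (string.digits, string.ascii_lowercase):
        if a in seq and b in seq:
            return seq.index(b) - seq.index(a)
    return None


def sequential_coverage(p):
    """Fraction of characters that sit in ascending or descending runs of 3+ (123, abc, cba)."""
    covered, i = 0, 0
    while i < len(p):
        j = i
        while j + 1 < len(p):
            step = _step(p[j], p[j + 1])
            if step not in (1, -1) or (j > i and step != _step(p[i], p[i + 1])):
                break
            j += 1
        run = j - i + 1
        if run >= 3:
            covered += run
        i = j + 1
    return covered / len(p)


def is_obvious(password):
    """True for the patterns the text warns about: short, common, repeated or sequential."""
    p = password.lower()
    if len(p) < MIN_LENGTH or p in COMMON_PASSWORDS:
        return True
    if len(set(p)) <= 2:            # e.g. 1111, aaaa, abab
        return True
    return sequential_coverage(p) >= 0.5   # e.g. 123abc, 123456abcdefgh


def check_password(candidate, history):
    """history: list of (salt, digest) pairs, most recent first. Returns (ok, reason)."""
    if is_obvious(candidate):
        return False, "obvious or too short"
    for salt, digest in history[:HISTORY_DEPTH]:
        if hash_password(candidate, salt)[1] == digest:
            return False, "reused from password history"
    return True, "accepted"


def expiry_status(last_changed, today):
    """'ok', 'remind' (within WARN_DAYS of expiry) or 'expired'."""
    days_left = (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days
    if days_left < 0:
        return "expired"
    if days_left <= WARN_DAYS:
        return "remind"
    return "ok"


# Constructed sample: one previous password in the user's history.
SAMPLE_HISTORY = [hash_password("Correct-Horse-Battery-9")]

if __name__ == "__main__":
    for pw in ("123456abcdefgh", "Correct-Horse-Battery-9", "Quartz!Lantern-Orbit-42"):
        print(pw, check_password(pw, SAMPLE_HISTORY))
    print(expiry_status(date(2024, 1, 1), date(2024, 3, 25)))
```

The history check works because each stored entry keeps its own salt: the candidate is re-hashed with that salt and compared, so reuse is detected without ever storing the old password. A production deployment would use a purpose-built password hashing library and a far larger breached-password denylist; the structure of the checks stays the same.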
Error #5. What if an error happens after implementing some key cyber security risk controls?
The reality is that even if a company has superior cybersecurity defense, people still make mistakes.
A sophisticated phishing attack might lead to malware being released in your network, an admin might grant someone excessive permissions, or some users might have their passwords cracked due to poor password practices.
In fact, the Netwrix 2018 IT Risks Report found that 29% of organizations had to deal with human errors that resulted in data breaches over the last year.
Therefore, every organization should improve its detection capabilities so it can respond promptly to suspicious or improper events.
1. For example, you need to quickly spot spikes in user activity, such as a large number of failed change or access attempts or a suspiciously high number of file modifications, as well as unusual access to the company’s sensitive data by a regular business user.
2. To be able to proactively detect and respond to such suspicious activity, employ user behavior monitoring methods that enable you to track the activity of all users, including privileged ones.
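The three signals listed above (spikes in failed access or change attempts, spikes in file modifications, and a regular user reaching sensitive data) can be expressed as simple detection rules run over an audit log. The script below is an added example, not the author's or any product's monitoring code; the log format, the ten-minute window, the thresholds, the list of sensitive paths and the set of privileged accounts are assumptions, and the log lines are constructed for the demonstration.

```python
"""Detection rules for the user-activity spikes described above (added example).
Assumed log format: '<ISO timestamp> <user> <action> <outcome> <object>'."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: bob hammers finance files and fails, then reads an HR file;
# carol edits many files in a few minutes; svc-backup is an expected privileged reader.
SAMPLE_LOG = """\
2024-03-04T09:00:01 alice LOGIN SUCCESS workstation-12
2024-03-04T09:01:10 bob ACCESS FAILURE /srv/finance/payroll.xlsx
2024-03-04T09:01:15 bob ACCESS FAILURE /srv/finance/payroll.xlsx
2024-03-04T09:01:20 bob ACCESS FAILURE /srv/finance/budget.xlsx
2024-03-04T09:01:31 bob CHANGE FAILURE /srv/finance/budget.xlsx
2024-03-04T09:01:45 bob ACCESS FAILURE /srv/hr/salaries.csv
2024-03-04T09:02:02 bob ACCESS SUCCESS /srv/hr/salaries.csv
2024-03-04T09:30:00 alice ACCESS FAILURE /srv/finance/budget.xlsx
2024-03-04T10:00:00 carol MODIFY SUCCESS /srv/projects/doc1.docx
2024-03-04T10:01:00 carol MODIFY SUCCESS /srv/projects/doc2.docx
2024-03-04T10:02:00 carol MODIFY SUCCESS /srv/projects/doc3.docx
2024-03-04T10:03:00 carol MODIFY SUCCESS /srv/projects/doc4.docx
2024-03-04T10:04:00 carol MODIFY SUCCESS /srv/projects/doc5.docx
2024-03-04T10:05:00 carol MODIFY SUCCESS /srv/projects/doc6.docx
2024-03-04T10:06:00 svc-backup ACCESS SUCCESS /srv/finance/payroll.xlsx
2024-03-04T14:00:00 alice MODIFY SUCCESS /srv/projects/doc1.docx
"""

SENSITIVE_PREFIXES = ("/srv/finance", "/srv/hr")   # assumed sensitive data locations
PRIVILEGED_USERS = {"svc-backup", "it-admin"}        # assumed accounts expected to touch them
WINDOW = timedelta(minutes=10)                       # assumed detection window
FAILURE_THRESHOLD = 5                                # assumed: 5+ failures in the window
MODIFY_THRESHOLD = 6                                 # assumed: 6+ modifications in the window


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, action, outcome, object) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, outcome, obj = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), user, action, outcome, obj))
    return events


def spikes(events, predicate, threshold, window=WINDOW):
    """Sliding window per user: report the peak count of matching events inside `window`
    for every user whose peak reaches `threshold`."""
    per_user = defaultdict(list)
    for ts, user, action, outcome, obj in events:
        if predicate(action, outcome, obj):
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def sensitive_access_by_regular_users(events):
    """Successful reads or writes of sensitive paths by accounts not expected to have them."""
    return sorted({
        user for ts, user, action, outcome, obj in events
        if outcome == "SUCCESS" and action in ("ACCESS", "MODIFY")
        and obj.startswith(SENSITIVE_PREFIXES) and user not in PRIVILEGED_USERS
    })


def detect(events):
    """Run all three rules; returns a dict of findings keyed by rule name."""
    return {
        "failed_access_spikes": spikes(
            events, lambda a, o, _: a in ("ACCESS", "CHANGE") and o == "FAILURE", FAILURE_THRESHOLD),
        "file_modification_spikes": spikes(
            events, lambda a, o, _: a == "MODIFY" and o == "SUCCESS", MODIFY_THRESHOLD),
        "sensitive_access_by_regular_users": sensitive_access_by_regular_users(events),
    }


if __name__ == "__main__":
    for rule, result in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{rule}: {result}")
```

On the sample log the rules flag bob for five failed attempts inside ten minutes and for reaching an HR file, and carol for six modifications in five minutes, while alice's single failure and the backup account's expected read stay quiet. Thresholds like these are the tuning knob: too low and the helpdesk drowns in alerts, too high and a slow-moving compromise goes unnoticed, so calibrate them against a baseline of normal activity for each role.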
More than 80% of data breaches in the UK and around the globe during the past two years were caused by human error, not hacker attacks.
Therefore, review and/or establish a security culture that is led by an executive-driven governance, risk and controls framework aligned with your key business needs.
Contact us if you require a confidential 1:1 discovery consultation (45 minutes valued at AUD$500) by emailing me at Rachael@AusAsiaTraining.com.
We will respond as soon as practicable or within 48 hours due to time zone differences.
Your success is our global AusAsia Success.
Stay tuned – keep progressing forward …
Rachael Mah
www.AusAsiaAdvisory.com/events