9 common security awareness mistakes (and how to fix them)

To err is human, but to err in cyber security can cause major damage to an organization. It will never be possible to be perfect, but major improvement is possible just by being aware of some of the most common mistakes and their consequences.


6. Clueless social networking: The advantage of social networking is that it allows the modern workforce to be much more collaborative and productive. But, among obvious risks is that confidential corporate information gets posted on networking sites or in the cloud, where it is beyond the control, or the protection, of the organization. Another is that employees fall for increasingly sophisticated social engineering attacks.

The fix: Regular training, which needs to go beyond lectures. As CSO has reported in the past, good training is not an event; it is a process that uses real-world examples.

7. Poor mobile security: Given the existing BYOD world, it is almost impossible to eliminate spillover between the personal and the corporate. But there are millions of devices in the mobile workplace, being used in coffee shops, on mass transportation and in other places with public Wi-Fi. Far too many of them are not protected by rigorous encryption or good mobile device management (MDM), and even more are not protected by so much as a PIN.

The fix: Insist that employees have a PIN for their device. Teach them to be aware of their surroundings in public places – coffee shops, airports, train stations, shopping malls and other areas where criminals can get personal or corporate information from something as low-tech as shoulder surfing. Make sure that corporate data is encrypted, end-to-end.

8. Too many privileges: “We see a lot of networks where some IT teams have set up a shared account with high privileges,” said Eyal Firstenberg, vice president of research at LightCyber.

“This makes IT’s job easier, but it also makes monitoring misuse of those high-privilege credentials impossible,” he said, adding that a similar problem is giving too many privileges to application accounts that are only supposed to be used by specialized software. “These accounts are especially susceptible because they have privileges, and are hard to monitor,” he said.

The fix: “Accounts, especially privileged ones, should be assigned to individuals, not departments,” said Firstenberg.
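One way to surface the problem Firstenberg describes is to check authentication logs for privileged accounts that are being used from more than one source, since an account that logs in from several places cannot be tied to one person. The following is an added example, not code from the article or from LightCyber; the log format, the field names and the list of privileged accounts are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events (not from the article):
# one line per login attempt, key=value fields.
SAMPLE_LOG = """\
2015-06-01T09:00:12 user=it-shared src=10.0.1.15 host=dc01 result=success
2015-06-01T09:02:40 user=it-shared src=10.0.2.77 host=dc01 result=success
2015-06-01T09:03:05 user=it-shared src=10.0.3.9 host=fs02 result=success
2015-06-01T09:10:00 user=svc_backup src=10.0.5.4 host=fs02 result=success
2015-06-01T11:30:00 user=svc_backup src=10.0.5.4 host=fs02 result=success
2015-06-01T12:00:00 user=jsmith src=10.0.4.21 host=ws-jsmith result=success
2015-06-01T12:05:00 user=jsmith src=10.0.4.21 host=dc01 result=failure
2015-06-01T13:00:00 user=svc_backup src=10.0.9.99 host=dc01 result=success
"""

# Accounts the organization has marked as privileged (assumed list):
# a shared IT admin account and an application/service account.
PRIVILEGED = {"it-shared", "svc_backup"}

LINE_RE = re.compile(r"(\S+)\s+user=(\S+)\s+src=(\S+)\s+host=(\S+)\s+result=(\S+)")

def parse(log_text):
    """Yield (timestamp, user, src, host) for successful logins only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "success":
            yield m.group(1), m.group(2), m.group(3), m.group(4)

def shared_privileged_accounts(log_text, privileged, max_sources=1):
    """Return {account: sorted source addresses} for every privileged
    account seen from more than `max_sources` distinct sources.
    Several sources for one account means its actions cannot be
    attributed to a single individual, which is the monitoring gap
    the article describes."""
    sources = defaultdict(set)
    for _ts, user, src, _host in parse(log_text):
        if user in privileged:
            sources[user].add(src)
    return {u: sorted(s) for u, s in sources.items() if len(s) > max_sources}

if __name__ == "__main__":
    for account, srcs in shared_privileged_accounts(SAMPLE_LOG, PRIVILEGED).items():
        print(f"{account}: used from {len(srcs)} sources {srcs}")
```

On the constructed log, both the shared admin account and the service account are flagged; the service account case shows the second problem in the quote, an application account turning up somewhere its software does not run.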

9. Failure to update or patch software: One of the most common security mistakes, mostly the result of the “can’t be bothered” syndrome. The risk is obvious – it leaves devices exposed to new threats, whose creators are actively seeking targets before their window of opportunity closes.

The fix: This is as obvious as the risk – install updates as soon as they are available, or if that’s impossible, create a reminder to do it as soon as possible. Most take less time to install than a trip to the water cooler.

***

In general, the answer to most “lack of awareness” problems is obvious – better awareness.

Joe Ferrara, President and CEO of Wombat Security Technologies, said organizations, “can reduce their risk of security infections between 45% and 70% by implementing effective security awareness training programs that include assessments, education, reinforcement, and measurement.”

Copyright © 2015 IDG Communications, Inc.
