Employees are often warned about the data exposure risks associated with the likes of phishing emails, credential theft, and weak passwords. However, they can leak or expose sensitive information about themselves, the work they do, or their organization without even realizing it. This risk frequently goes unexplored in cybersecurity awareness training, leaving employees oblivious to the risks they can pose to the security of data which, if exposed, could be exploited both directly and indirectly to target workers and businesses for malicious gain.

Here are eight unusual, unexpected, and relatively strange ways employees can accidentally expose data, along with advice for addressing and mitigating the risks associated with them.

1. Eyeglass reflections expose screen data on video conferencing calls

Video conferencing platforms such as Zoom and Microsoft Teams have become a staple of remote/hybrid working. However, new academic research has found that bespectacled video conferencing participants may be at risk of accidentally exposing information via the reflections in their eyeglasses.

In a paper titled Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing, a group of researchers at Cornell University revealed a method of reconstructing screen text exposed via participants’ eyeglasses and other reflective objects during video conferences. Using mathematical modeling and human subject experiments, the research explored the extent to which webcams leak recognizable textual and graphical information gleaned from eyeglass reflections. “Our models and experimental results in a controlled lab setting show it is possible to reconstruct and recognize with over 75% accuracy on-screen texts that have heights as small as 10 mm with a 720p webcam,” the researchers wrote.
“We further applied this threat model to web textual contents with varying attacker capabilities to find thresholds at which text becomes recognizable.” The 20-participant study found that present-day 720p webcams are sufficient for adversaries to reconstruct textual content on big-font websites, while the evolution toward 4K cameras will tip the threshold of text leakage to reconstruction of most header texts on popular websites.

Such capabilities in the hands of a malicious actor could threaten the security of confidential and sensitive data. The research proposed near-term mitigations including a software prototype that users can use to blur the eyeglass areas of their video streams. “For possible long-term defenses, we advocate an individual reflection testing procedure to assess threats under various settings and justify the importance of following the principle of least privilege for privacy-sensitive scenarios,” the researchers added.

2. LinkedIn career updates trigger “new hire SMS” phishing attacks

On professional networking site LinkedIn, it’s common for people to post upon starting a new role, updating their profile to reflect their latest career move, experience, and place of work. However, this seemingly innocuous act can expose new starters to so-called “new hire SMS” phishing attacks, whereby attackers scour LinkedIn for new job posts, look up a new hire’s phone number on a data brokerage site, and send SMS phishing messages pretending to be a senior executive from within the company, trying to trick them during the first weeks of their new job.

As detailed by social engineering expert and SocialProof Security CEO Rachel Tobac, these messages typically ask for gift cards or bogus money transfers, but they have been known to request login details or sensitive decks.
“I’ve seen an increase in the new hire SMS phish attack method recently,” she wrote on Twitter, adding that it has become so common that most organizations she works with have stopped announcing new hires on LinkedIn and recommend that new starters limit posts about their new roles.

These are good mitigative steps for reducing the risks of new hire SMS phishing scams, Tobac stated, and security teams should also educate new employees about these attacks, outlining what genuine communication from the firm will look like and what methods will be used. She also recommended providing employees with DeleteMe to remove their contact details from data brokerage sites.

3. Social media, messaging app pictures reveal sensitive background info

Users may not associate posting pictures on their personal social media and messaging apps with posing a risk to sensitive corporate information, but as Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry, tells CSO, accidental data disclosure via social apps such as Instagram, Facebook, and WhatsApp is a very real threat. “People like taking photos but sometimes they forget about their surroundings. So, it’s common to find sensitive documents on the table, diagrams on the wall, passwords on sticky notes, authentication keys and unlocked screens with applications open on the desktop. All that information is confidential and could be put to use for nefarious activities.”

It’s easy for employees to forget that, on an unlocked screen, it’s simple to spot which browser they use, what antivirus products they are connected to, and so on, Bestuzhev adds. “This is all valuable information for attackers and can so easily be exposed in photos on Instagram, Facebook, and WhatsApp status updates.”

Keiron Holyome, VP UKI, Eastern Europe, Middle East, and Africa at BlackBerry, emphasizes the importance of security education and awareness about this issue.
“Companies can’t stop employees taking and sharing photos, but they can highlight the risks and cause employees to stop and think about what they are posting,” he says.

4. Data ingestion script mistypes result in incorrect database use

Speaking to CSO, Tom Van de Wiele, principal threats and technology researcher at WithSecure, says his team has handled some unusual cases whereby a simple mistype of an IP address or URL for a data ingestion script has led to the wrong database being used. “This then results in a mixed database that needs to be sanitized or rolled back before the backup process kicks in or else the organization might have a PII [personally identifiable information] incident that violates GDPR,” he adds. “Companies deal with data mixing incidents on a regular basis and sometimes the operations are irreversible if a succession of failures occurs too far back in the past.”

Van de Wiele therefore advises security teams to leverage the authentication aspect of TLS where possible. “This will lower the risk of mistaken identity of servers and databases but understand that the risk cannot be fully eliminated – so act and prepare accordingly by making sure you have logs in place that are acted upon as part of a larger detection and monitoring strategy. That includes successful as well as unsuccessful events,” he adds.

Van de Wiele also advocates enforcing strict rules, processes, awareness, and security controls on how and when to use production/pre-production/staging/testing environments.
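As an added illustration of the TLS-authentication and environment-separation advice above (example code, not WithSecure's or the article's), the pre-flight check below refuses a connection string whose host is a raw IP literal, is not the named target registered for that environment, or does not request full server verification, and logs the pass or fail either way. The host names, environment labels and DSN format are assumed placeholders.

```python
# Added example, not code from the article or WithSecure. Names, environment
# labels and the DSN format are constructed placeholders.
import ipaddress
import logging
import ssl
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("ingest.preflight")

# One distinct, unabbreviated host name per environment, so that a one-character
# slip does not quietly resolve to a sibling database.
EXPECTED_TARGETS = {
    "production": "orders-db-production.corp.example",
    "staging": "orders-db-staging.corp.example",
}

def validate_target(dsn: str, environment: str) -> tuple[bool, str]:
    """Return (ok, reason). Both outcomes are logged so they can be monitored."""
    parts = urlsplit(dsn)
    host = parts.hostname or ""
    sslmode = parse_qs(parts.query).get("sslmode", ["prefer"])[0]
    expected = EXPECTED_TARGETS.get(environment)
    try:
        ipaddress.ip_address(host)          # succeeds only for an IP literal
        verdict = (False, f"raw IP literal {host!r}; use the named host")
    except ValueError:
        if expected is None:
            verdict = (False, f"unknown environment {environment!r}")
        elif host != expected:
            verdict = (False, f"{host!r} is not the {environment} target {expected!r}")
        elif sslmode != "verify-full":
            verdict = (False, f"sslmode={sslmode}; server identity is not verified")
        else:
            verdict = (True, f"{host!r} accepted for {environment}")
    log.info("preflight %s: %s", "PASS" if verdict[0] else "FAIL", verdict[1])
    return verdict

def tls_context(ca_bundle=None) -> ssl.SSLContext:
    """Client context that authenticates the server: trusted CA (system store
    when ca_bundle is None) plus host-name matching against the certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```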
“This will result in fewer data mixing incidents, less impact when dealing with real product data, and ensures that any kind of update or change as a result of the discovery of a security issue can be tested thoroughly in pre-production environments.” Naming servers so that they can be distinguished from each other, rather than going overboard with abbreviations, is another useful tip, as is performing security testing in production, he says. “Invest in detection and monitoring as one of the compensating controls for this and test to make sure detection works within expectations.”

5. Certificate transparency logs expose rafts of sensitive data

Certificate transparency (CT) logs allow users to navigate the web with a higher degree of trust and allow administrators and security professionals to detect certificate anomalies and verify trust chains quickly. However, because of the nature of these logs, all the details in a certificate are public and stored forever, says Art Sturdevant, VP of technical operations at Censys. “A quick audit of Censys’ certificates data shows usernames, emails, IP addresses, internal projects, business relationships, pre-release products, organizational structures, and more. This information can be used by attackers to footprint the company, compile a list of valid username or email addresses, target phishing emails and, in some cases, target development systems, which may have fewer security controls, for takeover and lateral movement.”

Since the data in a CT log is forever, it’s best to train developers, IT admins, etc. to use a generic email account to register certificates, Sturdevant adds. “Administrators should also train users on what goes into a CT log so they can help avoid accidental information disclosure.”
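The kind of audit Sturdevant describes, as an added example that is not Censys' code or part of the article: it runs over constructed certificate records in the shape a CT log entry yields (subject CN, SANs, contact email) and flags personal contact addresses, environment and project markers in host names, and names that encode IP addresses. The generic-account and marker lists are assumptions to tune per organization.

```python
# Added example, not from the article or Censys. The records, the generic
# account names and the marker words are constructed sample data.
import re

GENERIC_ACCOUNTS = {"certs", "pki", "hostmaster", "ssl-admin"}
EXPOSURE_MARKERS = {"dev", "staging", "test", "uat", "internal", "vpn", "jira", "git"}
PERSON_LOCALPART = re.compile(r"^[a-z]+\.[a-z]+\d*$")   # e.g. jane.doe, jane.doe2

SAMPLE_CT_RECORDS = [
    {"subject_cn": "www.example.com", "sans": ["www.example.com", "example.com"],
     "email": "certs@example.com"},
    {"subject_cn": "jira-dev.internal.example.com",
     "sans": ["jira-dev.internal.example.com", "10-0-4-7.example.com"],
     "email": "jane.doe@example.com"},
    {"subject_cn": "project-falcon-uat.example.com", "sans": [],
     "email": "pki@example.com"},
]

def audit_record(rec: dict) -> list[str]:
    """Return human-readable findings for one certificate record."""
    findings = []
    local, _, _ = rec.get("email", "").partition("@")
    if local and local not in GENERIC_ACCOUNTS:
        kind = "personal" if PERSON_LOCALPART.match(local) else "non-generic"
        findings.append(f"{kind} contact address published: {rec['email']}")
    names = {rec.get("subject_cn", "")} | set(rec.get("sans", []))
    for name in sorted(n for n in names if n):
        labels = set(re.split(r"[.-]", name.lower()))   # split on dots and dashes
        hit = sorted(labels & EXPOSURE_MARKERS)
        if hit:
            findings.append(f"{name}: reveals {', '.join(hit)}")
        if re.fullmatch(r"\d{1,3}(-\d{1,3}){3}\..*", name):
            findings.append(f"{name}: encodes an IP address")
    return findings

def audit(records=SAMPLE_CT_RECORDS) -> dict:
    """Map each subject CN to its findings; clean certificates are omitted."""
    out = {}
    for rec in records:
        found = audit_record(rec)
        if found:
            out[rec["subject_cn"]] = found
    return out
```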
6. “Innocent” USB hardware becomes a backdoor for attackers

Employees may be inclined to purchase and use their own hardware, such as USB fans or lamps, with their corporate laptops, but CyberArk malware research team leader Amir Landau warns that these seemingly innocent gadgets can be used as backdoors to a user’s device and the wider business network. Such hardware attacks typically have three main attack vectors, he says:

“Malicious-by-design hardware, where devices come with pre-installed malware on them, with one example known as BadUSB. BadUSBs can be purchased very easily on AliExpress, or people can make their own with open sources, such as USB Rubber Ducky, from any USB device.”

Next are worm infections – also called replication through removable media – where USB devices are infected by worms, such as USBferry and Raspberry Robin.

Third are compromised hardware supply chains. “As part of a supply chain attack, bad software or chips are installed inside legitimate hardware, like in the case of the malicious microchips inserted into motherboards which ended up in servers used by Amazon and Apple in 2018.”

Detecting these kinds of attacks at the endpoint is difficult, but antivirus and endpoint detection and response can, in some cases, protect against threats by monitoring the execution flow of extended devices and validating code integrity policies, Landau says. “Privileged access management (PAM) solutions are also important due to their ability to block the USB ports to unprivileged users and prevent unauthorized code.”

7. Discarded office printers offer up Wi-Fi passwords

When an old office printer stops working or is replaced by a newer model, employees could be forgiven for simply sending it for recycling. If this is done without first wiping data such as Wi-Fi passwords, it can open an organization up to data exposure risks.

Van de Wiele has seen this firsthand.
“Criminals extracted the passwords and used them to log onto the network of the organization in order to steal PII,” he says. He advises encrypting data at rest and in use/transit and ensuring an authentication process exists to protect the decryption key for endpoint devices in general. “Make sure removable media are under control, that data is always encrypted, and that recovery is possible through a formal process with the necessary controls in place.”

8. Emails sent to personal accounts leak corporate, customer information

Avishai Avivi, CISO at SafeBreach, recounts an incident where a non-malicious email sent by an employee for the purpose of training almost led to the exposure of data including customers’ Social Security numbers. “As part of the training of new associates, the training team took a real spreadsheet that contained customers’ SSNs, and simply hid the columns containing all the SSNs. They then provided this modified spreadsheet to the trainees. The employee was looking to continue training at home, and simply emailed the spreadsheet to his personal email account,” he tells CSO.

Thankfully, the firm had a reactive data leak protection (DLP) control monitoring all employee emails, which detected the existence of multiple SSNs in the attachment, blocked the email, and alerted the SOC. However, it serves as a reminder that sensitive information can be exposed by even the most genuine, benevolent of actions.

“Rather than relying on reactive controls, we should have had better data classification preventative controls that would have indicated the movement of real SSN data from the production environment into a file in the training department, a control which would have stopped the employee from even attempting to email the attachment out to a personal email account,” Avivi says.
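As an added example (not SafeBreach's control or code from the article) of the reactive check that caught this email: it scans every cell of a constructed CSV export of the spreadsheet, counts plausibly issued SSNs and blocks at a threshold, and records how many sat in columns the sheet marked hidden, since hiding a column changes the view but not the file. The sample rows, the hidden-column set and the threshold are assumptions.

```python
# Added example, not from the article or SafeBreach. The CSV export, the
# hidden-column set and the threshold are constructed placeholders.
import csv
import io
import re

SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop allocations that are never issued, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str) -> list[str]:
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_plausible_ssn(*m.groups())]

def scan_attachment(csv_text: str, hidden_columns: set[str], threshold: int = 3) -> dict:
    """Scan every cell, including cells in columns the sheet marks hidden.
    Returns a verdict the mail gateway can act on and the SOC can log."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits, hits_in_hidden = [], 0
    for row in reader:
        for col, cell in row.items():
            found = find_ssns(cell or "")
            hits.extend(found)
            if col in hidden_columns:
                hits_in_hidden += len(found)
    return {"ssn_count": len(hits), "in_hidden_columns": hits_in_hidden,
            "block": len(hits) >= threshold}

# Constructed export: the "ssn" column was hidden in the sheet but is still here.
SAMPLE_EXPORT = """customer,ssn,balance,note
A. Example,123-45-6789,120.50,
B. Example,219-09-9999,80.00,
C. Example,666-12-3456,15.25,never-issued area
D. Example,234-00-5678,0.00,never-issued group
E. Example,345-67-8901,42.00,
"""
SAMPLE_HIDDEN = {"ssn"}
```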