9 common security awareness mistakes (and how to fix them)

Every recent study of security vulnerabilities has come to the same conclusion: The human factor is a greater risk to organizations than flaws in technology.

And that, most experts agree, is in large measure due to a lack of security awareness -- people are either unaware of increasingly sophisticated threats, or they get careless.

There is, of course, no such thing as 100% security. But it could be a lot better if workers at every level, in every organization, avoided the common security awareness mistakes listed below.


The list was generated with the help of several security experts, who also offered advice on how organizations can minimize or even eliminate them:

1. Falling for phishing: One of the most common mistakes. It can include clicking on malicious links or attachments in phishing emails, on social media sites like Facebook and Twitter or even "ads" on websites that look legitimate. Criminals have gotten much better at making them look authentic, as if they come from a friend, family member or major, established companies like those that ship products to your home.

The fix: Train employees -- regularly -- to be skeptical of everything, and to click only on links that they are certain have come from a trusted sender. Organizations should run their own "sting" operation, to see how many employees are fooled by an in-house phishing attack. It will raise the awareness of workers who fall for it.

David Monahan, research director, Security and Risk Management at Enterprise Management Associates, warns that even emails from what appear to be trusted friends or family members can be fake.

"Does it seem out of character for them?  If so, don't click it," he said.

Also, any email that asks you to "verify" your credentials is likely malicious. If you think it is worth checking, call the company or go to its website.

Dave Frymier, CISO at Unisys, added that there are plenty of security awareness products on the market to help with training.

2. Unauthorized application or cloud use, known as shadow IT: Dan Lohrmann, chief strategist and CSO at Security Mentor, said this includes posting private, or uncontrolled, data to the cloud.

Frymier agrees. "This comes in a lot of forms," he said. "Anything from installing 'gotomypc' to buying cloud virtual machines and using them for corporate purposes.  It amazes me how people can do these things without realizing the dangers."

The fix: "For example, offer a reasonable cloud storage solution that is approved, rather than just saying no."

3. Weak or misused passwords: It doesn't take an expert to know that using a default or simple password is like leaving the company door unlocked. But misuse also includes using the same password for multiple sites and sharing them with coworkers.

"Because everything demands a password we tend to do a lot of credential duplication between our various sites," said Monahan. "It goes back to ease of use.

"But this is a critical and sometimes tragic error. Many crucial accounts are hacked because an attacker gets access to email or some other seemingly innocuous account where users have reused their credentials with another far more sensitive account, such as banking or health care," he said.

The fix: Make it easier to manage multiple, complex passwords, to reduce the incentive to re-use them. Security and encryption guru and Co3 Systems CTO Bruce Schneier is among numerous experts who have recommended creating passwords by using the first letters of a phrase or sentence that is easy to remember, with a few numbers and/or symbols thrown in. He and others also recommend using a password manager -- there are a number available.

Two-factor authentication also improves security, especially for common apps such as Google Gmail or Facebook, experts say. So don't rely on a password alone.

Finally, don't share passwords with anybody -- that means anybody.

4. Remote insecurity: This is the common practice of transferring files between work and personal computers when working from home, or allowing family members to use a work device at home. Frymier said it can also include backing up corporate data to a third-party cloud service.

This not only exposes the company to malware, but Monahan said it also "leaves data and data residue -- data left post deletion that can be retrieved with proper tools -- on an unmanaged system."

Beyond that, it can expose the user to legal troubles. If there is a lawsuit that involves e-discovery and attorneys find that an employee had any of the data in question on a personal device, "they can subpoena your system and all that is on it for review and associated scrutiny," Monahan said.

The fix: It ought to be company policy -- one about which employees get regular reminders -- that there needs to be authorization for corporate apps or files to be used on personal devices.

This is an area where technology can help improve security, through rigorous encryption.

Lohrmann added that, "good identity management systems can control user access and provisioning -- who can do what and when -- and reduce the number of passwords needed to access applications."

5. Disabling security controls: This is usually done by users with administrative privileges, to make things easier for employees to use, but it can have catastrophic consequences. Obviously, if a security measure is disabled, it offers no protection.

"This is huge," Monahan said. "The ongoing battle between security and usability is one of the biggest rubs."

The fix: Among other things, organizations should forbid web surfing from administrative accounts. If an employee does fall victim to malware, the malware will be much less likely to obtain the level of permission it needs to install itself, or at least to persist.

Frymier said these days this is a problem any IT department should be able to prevent. "Most things in the anti-virus/malware and authentication world can be locked down so they can't be disabled," he said.

6. Clueless social networking: The advantage of social networking is that it allows the modern workforce to be much more collaborative and productive. But, among obvious risks is that confidential corporate information gets posted on networking sites or in the cloud, where it is beyond the control, or the protection, of the organization. Another is that employees fall for increasingly sophisticated social engineering attacks.

The fix: Regular training, which needs to go beyond lectures. As CSO has reported in the past, good training is not an event; it is a process that uses real-world examples.

7. Poor mobile security: In today's BYOD world, it is almost impossible to eliminate spillover between the personal and the corporate. But there are millions of devices in the mobile workplace, being used in coffee shops, on mass transportation and in other places with public Wi-Fi. Far too many of them are not protected by rigorous encryption or good mobile device management (MDM). Even more are not protected by a PIN at all.

The fix: Insist that employees have a PIN for their device. Teach them to be aware of their surroundings in public places -- coffee shops, airports, train stations, shopping malls and other areas where criminals can get personal or corporate information from something as low-tech as shoulder surfing. Make sure that corporate data is encrypted, end-to-end.

8. Too many privileges: "We see a lot of networks where some IT team has set up a shared account with high privileges," said Eyal Firstenberg, vice president of research at LightCyber.

"This makes IT's job easier, but it also makes monitoring misuse of those high-privilege credentials impossible," he said, adding that a similar problem is giving too many privileges to application accounts that are only supposed to be used by specialized software. "These accounts are especially susceptible because they have privileges, and are hard to monitor," he said.

The fix: "Accounts, especially privileged ones, should be assigned to individuals, not departments," said Firstenberg.
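As an added illustration of why a shared privileged account defeats monitoring (example code written for this page, not from the article or from LightCyber): given constructed sshd-style log lines, the script flags privileged accounts that were accepted from several distinct source addresses within a short window, which is the pattern a credential shared across a team produces and the reason its misuse cannot be tied to one person. The account names, addresses and the privileged-account list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd "Accepted" events); not real data.
SAMPLE_LOG = """\
Mar 10 09:01:12 jump01 sshd[4121]: Accepted publickey for svc-admin from 10.0.4.17 port 50122 ssh2
Mar 10 09:03:40 jump01 sshd[4130]: Accepted publickey for svc-admin from 10.0.4.52 port 50987 ssh2
Mar 10 09:05:02 jump01 sshd[4141]: Accepted password for svc-admin from 10.0.9.8 port 51003 ssh2
Mar 10 09:07:55 jump01 sshd[4150]: Accepted publickey for alice from 10.0.4.17 port 51100 ssh2
Mar 10 10:15:30 jump01 sshd[4205]: Accepted publickey for bob from 10.0.4.52 port 52210 ssh2
Mar 10 11:20:01 jump01 sshd[4290]: Accepted publickey for alice from 10.0.4.17 port 53001 ssh2
"""

# Hypothetical list of accounts known to carry high privileges.
PRIVILEGED = {"svc-admin", "root", "alice"}

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port"
)


def parse(log_text, year=2015):
    """Return a list of (timestamp, account, source_ip) for accepted logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not successful logins
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_shared_privileged(events, privileged, window=timedelta(minutes=10), min_sources=2):
    """Return {account: sorted source IPs} for privileged accounts accepted from
    at least min_sources distinct addresses within any `window`-long period.
    An individually assigned account normally shows one source at a time;
    several sources in a few minutes is the signature of a shared credential."""
    by_acct = defaultdict(list)
    for ts, acct, src in events:
        if acct in privileged:
            by_acct[acct].append((ts, src))
    flagged = {}
    for acct, logins in by_acct.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            sources = {s for t, s in logins[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                flagged[acct] = sorted(sources)
                break
    return flagged
```

Only svc-admin is flagged here; alice's two logins come from a single address, so they remain attributable to her.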

9. Failure to update or patch software: One of the most common security mistakes, mostly the result of the "can't be bothered" syndrome. The risk is obvious -- it leaves devices exposed to new threats, whose creators are actively seeking targets before their window of opportunity closes.

The fix: This is as obvious as the risk -- install updates as soon as they are available, or if that's impossible, create a reminder to do it as soon as possible. Most take less time to install than a trip to the water cooler.


In general, the answer to most "lack of awareness" problems is obvious -- better awareness.

Joe Ferrara, President and CEO of Wombat Security Technologies, said organizations "can reduce their risk of security infections between 45% and 70% by implementing effective security awareness training programs that include assessments, education, reinforcement, and measurement."
