Actually there are way more than ten ways, but here are some I see all the time. We can play this like a game, so go ahead and give yourself a point for each one of these that apply to you. This game scores like golf – low score wins.
- Weak, Guessable Passwords – short and simple passwords may be easy for you to remember, but they make an attacker’s job simpler too. Against a fast hash such as NTLM, a modern GPU cracking rig can exhaust every password of fewer than 8 characters in under an hour, and dictionary words (with or without the usual “@” for “a” and “0” for “o” substitutions) fall in seconds. Where policy forces a change every month or quarter, the most popular choice is the current month and year with a punctuation mark tacked on (August2016!), a pattern that password-cracking rule sets try early.
- Post-it Notes – Keeping track of all the passwords we need is a challenge, but writing everything on Post-it Notes is not a secure solution. Use a password manager such as LastPass or Dashlane, which can also generate a unique random password for every account. Be alert for other sensitive information that may be written down or printed on paper. Just throwing it away leaves this information available for dumpster divers; shredding keeps it from falling into the wrong hands.
- Unaware of Social Engineering – a lot of sensitive information can be gathered in a simple phone call or even in person. Just met a new friend? Were they super interested in you and asked all kinds of questions about where you work, what systems you use, and who your coworkers are? It might just have been a social engineer gathering the details needed to launch an attack on your network.
- Fall for Phishing – Did FedEx ruin, lose, or forget to deliver your package again, and send you a nice email about it? Clicking on the link or opening the attached ZIP file will definitely cause you problems, so never click on a link or open an attachment without confirming the source. Hover over the link to see where it really goes, and check a delivery status by typing the carrier’s address into your browser yourself rather than following the link in the message.
- Finders Keepers – Finders weepers. Found a flash drive in the parking lot? Curiosity made you plug it into the computer in your office? This technique is called “baiting,” and an infected USB drive is widely reported to be how Stuxnet, generally attributed to the United States and Israel, was carried into Iran’s air-gapped Natanz nuclear facility. Once you plug in the drive, malware can run from it (some “drives” are actually keystroke-injection devices that type commands the moment they are connected), and your network is compromised from the inside.
- Mobile Insecurity – Do you leave your phone, tablet or laptop unattended when in public? Mobile devices visible on the car seat are an open invitation to thieves. Placing your device in your trunk after you arrive at your destination is no solution either – thieves wait in parking lots and watch for people securing their valuables this way. Phones, tablets, and laptops that connect to the company network need full-disk encryption (BitLocker, FileVault, or the built-in encryption on iOS and Android) and a screen lock, and ideally a remote wipe capability in the event the device is lost or stolen. A mobile device management (MDM) system can enforce these settings and protect the data on these devices when they are stolen.
- Turning Off Annoying Security – After we go through the work of securing a network, it is disheartening to find someone who has disabled one or more of these features to make their work life “easier.” These measures are there to protect you and your company from attacks by sophisticated cyber-criminal gangs. Turning off your security just makes their job easier, too. If a control genuinely blocks a legitimate task, report it to IT so an exception can be made and recorded rather than silently disabling it.
- Over-Sharing – You were given user rights on your computer and network that are determined by your position and the business need to access certain company information. Giving your user credentials to a coworker “temporarily” to facilitate a short-term business need is unwise and insecure: whatever they do is logged under your name, and you cannot take the password back once it has been shared. When employees leave the business their user access needs to be terminated as well, but this is often overlooked, leaving live accounts that a former employee or an attacker can still use.
- Shopping in the Store – We are not talking about buying shoes while at work. What we are talking about is adding unnecessary and unauthorized applications from the Microsoft Store, the Apple App Store, or worse yet, from a freeware, shareware, or pirate-ware torrent site. These applications often collect personal information about the user, and some programs and games are designed as a delivery vehicle for remote access Trojans or other malware.
- Bring Your Toys to Work Day – Are you using your own laptop, tablet, phone, or other device on your company’s network? You could inadvertently be infecting your employer’s computers or servers with malware. BYOD is cool and fun, but a nightmare for IT and cybersecurity professionals.
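To make the first item concrete, here is a small Python checker that flags the exact patterns described above: passwords under 8 characters, dictionary words (including the leet-style substitutions people use to sneak them past a policy), and the Month+Year+punctuation habit. It also estimates how long an exhaustive search of the password’s character set would take. This is an added example written for this page, not code from the author; the word list is a tiny constructed stand-in for a real dictionary, and the guess rate of 10 billion per second is an assumption standing in for a multi-GPU rig attacking a fast unsalted hash.

```python
import calendar
import math
import re

# Constructed stand-in for a real word list; a deployment would load something
# like /usr/share/dict/words or a breached-password list instead (assumption).
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon",
              "monkey", "football", "qwerty"}

# Full and abbreviated month names, lower-cased ("august", "aug", ...).
MONTHS = ({m.lower() for m in calendar.month_name if m}
          | {m.lower() for m in calendar.month_abbr if m})

# "August2016!" shape: letters, then a 4- or 2-digit year, then optional punctuation.
MONTH_YEAR_RE = re.compile(r"^(?P<month>[A-Za-z]+)(?P<year>\d{4}|\d{2})[!@#$%^&*.?]*$")

# Common "leet" substitutions undone so P@ssw0rd is still recognised as "password".
LEET = str.maketrans("@0$13", "aosie")


def keyspace_bits(password: str) -> float:
    """Bits of keyspace an exhaustive search must cover, based on the
    character classes actually present in the password."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"\d", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def brute_force_hours(password: str, guesses_per_second: float = 1e10) -> float:
    """Hours to exhaust the keyspace at the given guess rate.
    Assumption: 1e10 guesses/s, a round figure for a multi-GPU rig against a
    fast unsalted hash such as NTLM; slow hashes like bcrypt are far lower."""
    return 2 ** keyspace_bits(password) / guesses_per_second / 3600


def _candidate_words(password: str):
    """Letter-only forms of the password, with and without leet undone."""
    lowered = password.lower()
    yield re.sub(r"[^a-z]", "", lowered)
    yield re.sub(r"[^a-z]", "", lowered.translate(LEET))


def weaknesses(password: str) -> list:
    """Return the list of patterns from the post that this password matches;
    an empty list means none of them applied."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if any(w in DICTIONARY for w in _candidate_words(password)):
        problems.append("dictionary word")
    m = MONTH_YEAR_RE.match(password)
    if m and m.group("month").lower() in MONTHS:
        problems.append("month+year pattern")
    return problems


if __name__ == "__main__":
    samples = ["August2016!", "Dragon1", "P@ssw0rd", "Tr0ub4dor&3",
               "correct horse battery staple"]
    for pw in samples:
        print(f"{pw!r:32} {brute_force_hours(pw):10.2e} h  {weaknesses(pw)}")
```

Note that `brute_force_hours` is the worst case for an attacker who knows nothing about the password; a Month+Year password has a keyspace of a few thousand regardless of its length, which is why `weaknesses` is the more useful number. For a real policy, check candidates against a breached-password list (for example the Pwned Passwords set) rather than a hand-made dictionary.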
What’s your score? Mine is 1 – I do bring my own gear to the workplace. But I also keep it on the Guest network. If you scored 1-3, your IT staff appreciates it and is probably a little more responsive to your requests for help. Scored 4-6? Ok, you are average, but trying to improve your rank can be your goal. Score 7-9? Is this the second time this month you opened an email attachment and got an encryption extortion scheme running in your office? Caught downloading movies on a torrent site? This type of activity can be career ending, and the thought that your IT staff may be lobbying for exactly that should be an uncomfortable one.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com