When most business leaders think of cybersecurity risk, they think of external threats: bad actors who break into your network to steal and sell valuable data. But here’s something that might make you a little uncomfortable: the everyday habits of your own employees are one of your biggest hazards, because attackers find it far easier to trick a person than to break a well-defended system. (And those employees probably don’t even realize they’re putting your company in danger.)
But here’s the good news: Helping employees understand the errors of their ways and learn how to support your cybersecurity efforts can significantly reduce your risks.
Here are four of the most common and dangerous employee habits, and tips for correcting your workforce’s digital behaviors:
Clicking Spammy Links
From email and social media posts to messaging apps and fraudulent websites, the internet is rife with channels for delivering malicious links. These links often appear to come from a trustworthy source and typically include an enticing call to action.
For example, a Facebook message from a close friend that says, “Is this you?” with a link to [what appears to be] a video. (This is an actual scam making the rounds right now, and the friend’s account has usually already been hijacked to send it.) The link typically leads to a fake login page that harvests the victim’s credentials, or to a download that installs spyware or ransomware once it is opened.
What you can do: Ask employees to investigate the source before clicking a link, and to check where it actually goes: hovering over a link (or long-pressing it on a phone) reveals the real destination, and a mismatch between the displayed text and the actual address, or a domain that is almost but not quite your company’s, is a strong warning sign. Remind them that pop-up ads claiming to have their personal information, cryptic social media messages, and emails from unknown senders are all red flags.
Of course, everyone makes mistakes. Let your employees know that if they accidentally click a fraudulent link, they should immediately let you know. The sooner you can wrap your arms around the issue, the better.
Downloading Malware-Laced Files
Similar to clicking malicious links, employees also routinely download malware-laced files without realizing it. In many cases these files arrive as email attachments that appear legitimate, with a title like “Q2 Earnings Report.” Common forms are Office documents that ask the recipient to “enable content” (that is, to run macros) and executables disguised with a document icon.
In other cases, these files may live on deceitful websites. For example, some hackers capitalized on COVID-19 fear by creating false “informational” websites that spoofed trusted entities like the CDC and WHO and asked viewers to download materials.
What you can do: Ask employees to check the sender’s actual address, not just the display name, before opening any file. Remind them that if they receive a file they didn’t expect, even from someone they know, they should confirm it with the sender through another channel (a phone call or chat, not a reply to the same email) before opening it.
Using Corporate Logins to Create Accounts for Unauthorized Services
Keeping up with passwords is difficult, so many people reuse the same password across multiple accounts. This is dangerous, especially when employees sign up for online services with their corporate email address and the same password they use at work. Whether the service is against company policy (like an adult website) or seemingly innocuous (like a productivity app), this puts your organization at risk: if that service is breached, the attacker now holds a working username and password for your company.
What you can do: Remind employees never to sign up for anything with their corporate credentials unless IT has given explicit permission. Explain that reusing corporate logins for outside apps and SaaS products means a breach at any of those third parties becomes a breach of your organization, because the leaked email-and-password pairs are replayed against your own login portals (an attack known as credential stuffing). The Canva hack, which according to ZDNet exposed data for about 139 million users, is an example of the kind of third-party breach that puts reused credentials in attackers’ hands.
Rather than relying on calendar-based password changes, which current NIST guidance (SP 800-63B) no longer recommends, require a unique password for every service (a password manager makes this practical), turn on multi-factor authentication, and force a reset whenever a password is known to have been exposed.
Falling for Phishing/Social Engineering Schemes
Nearly a third (32%) of confirmed data breaches involved phishing, according to Verizon’s 2019 Data Breach Investigations Report. And a whopping 86% were “malwareless,” meaning the cybercriminals never needed malicious code at all: they leaned on social engineering tactics, like impersonating an executive or a vendor, to convince victims to hand over sensitive information, such as login credentials or credit card details, or to approve a fraudulent payment.
What you can do: New phishing lures emerge all the time, so keep employees abreast of the popular schemes they may encounter. And, again, remind them to check the sender’s actual address, not just the display name. Attackers often register domains that are one character off from a known, trusted sender (a swapped letter, a digit in place of a letter, or an extra hyphen), or send from a non-corporate address such as a Gmail account while using an executive’s name.
Also, ask them never to act on a request involving money, credentials, or sensitive data until they have confirmed it with the supposed sender. For example, if an email appears to come from the CEO (a common scheme), reach out to the CEO through a channel the email itself did not supply, such as a chat, a video call, or a phone number already on file, to verify the request.
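The “check the sender, check the link” advice in the sections above can be turned into a mechanical check. The script below is an added example, not code from the original article or its vendor: it parses a constructed CEO-impersonation email, classifies the sender and every link host as trusted, lookalike (a homoglyph swap, a one-character typo, or the trusted name buried in a subdomain) or external, and flags a Reply-To that goes somewhere other than the From domain and link text that disagrees with the link target. The trusted domain example-corp.com, the sample message and the small homoglyph table are all assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's legitimate sending domains (hypothetical name).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample message: a CEO-impersonation email with a lookalike sender
# domain, an external Reply-To, and a link whose visible text disagrees with its target.
SAMPLE = """From: "Dana Lee (CEO)" <dana.lee@examp1e-corp.com>
Reply-To: dana.lee.ceo@gmail.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please approve today: <a href="http://login.examp1e-corp.com/approve">https://portal.example-corp.com/approve</a></p>
"""


def normalize(domain: str) -> str:
    """Fold common look-alike characters so typosquats compare equal (small table; assumption, not exhaustive)."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender or link host."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    for trusted in TRUSTED_DOMAINS:
        if domain.startswith(trusted + "."):
            return "lookalike"      # trusted name used as a subdomain of some other registrable domain
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix == trusted:
                return "trusted"    # the domain itself or a genuine subdomain of it
            if edit_distance(normalize(suffix), normalize(trusted)) <= 1:
                return "lookalike"  # homoglyph swap (examp1e) or single-character typo (.co)
    return "external"


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def html_body(msg) -> str:
    """Return the first text/html part of the message, decoded."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message: str) -> dict:
    """Apply the sender and link checks to one raw email and return the findings."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    verdict = classify_domain(from_domain)
    if verdict == "lookalike":
        findings.append(f"sender domain {from_domain} imitates a trusted domain")
    if "@" in name or any(t in name.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display name {name!r} contains an address; real sender is {addr}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To goes to {reply_to}, not to the From domain")

    parser = _Links()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        target = _host(href)
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif classify_domain(target) != "trusted":
            findings.append(f"link to {classify_domain(target)} domain {target}")
    return {"from": addr, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE)["findings"]:
        print("-", finding)
```

Run against the sample, the script reports three problems: the sender domain examp1e-corp.com normalizes to the trusted name, the Reply-To points at a Gmail account, and the link that reads portal.example-corp.com actually goes to login.examp1e-corp.com. Any one of these should stop an employee from acting on the request until it has been confirmed out of band.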
Your workforce’s behaviors can make or break your organization’s security. If even a few people are engaging in dangerous employee habits, your risk rises sharply. By equipping your team with the knowledge to spot and avoid cybersecurity pitfalls, and by adopting actionable threat intelligence to identify risks and breaches in real time, you’ll significantly boost your level of protection.
Interested in learning how threat intelligence can help boost employee cybersecurity fluency? Request a demo now!