16 cybersecurity risks you don’t know your employees are taking, and what to do about them
Barbara Hoffman
The average person will look for the path of least resistance when cybersecurity gets in the way of convenience. This makes it difficult to enforce cybersecurity policies and control risky behavior. As such, it’s no surprise that 68% of organizations say accidental breaches or malicious insider attacks are more likely to occur than external attacks.
The human element is critical to consider when managing cybersecurity risks. In this post, we’ll examine some common examples of cybersecurity risks your employees could be taking—and what you can do to address them.
Ultimately, your goal is to empower employees to be part of the security solution, not the problem. Your organization will be safer the more your employees understand the importance of cybersecurity and know how to recognize risks. The easier you can make it for employees to follow cybersecurity best practices—without hindering their productivity or business goals—the more likely they’ll be to follow your guidance.
Common employee behaviors that increase cybersecurity risk
Risk 1 . Clicking on “phishy” links
Phishing remains an incredibly effective strategy for threat actors. In fact, roughly 90% of data breaches start with phishing attacks, where threat actors try to fool victims into revealing confidential information or downloading malware by disguising themselves as legitimate people, businesses, or other entities.
Employees today are at heightened risk from fraudulent emails, phone calls, and text message attacks, also known as “smishing” attacks—the name derived from “SMS phishing”. These attacks are so dangerous because they appear to come from a trustworthy source, such as a colleague. Cybercriminals are also becoming more advanced and using cutting-edge tools to launch attacks, including those powered by artificial intelligence.
While you can reduce incoming phishing attacks through email and spam filtering, messages will inevitably get through to their targets. Employees must be trained to spot phishing attempts and remain on the lookout for suspicious communications and links.
Risk 2. Opening themselves up to social engineering
Social engineering involves exploiting people and convincing them to take a particular action—like sharing personal information or downloading malware.
Cybercriminals typically use social engineering attacks to steal data and money. For example, a hacker may use DNS spoofing to route an unsuspecting employee to a malicious site that closely resembles an official one in hopes of deploying harmful software, collecting data, or convincing them to submit payment information.
Unfortunately, social engineering attacks can be difficult to prevent. It requires educating your employees about cybersecurity risks and security best practices and taking proactive measures to ensure network and device safety.
Risk 3. Sharing passwords
According to a recent study, 34% of employees say they share accounts or passwords with coworkers. While password sharing is a fast and convenient way to give a colleague access and enable them to complete workflows, it carries significant security risks.
The main risk is that threat actors could intercept passwords in transit or gain access to a document containing one or sets of more credentials. Plus, it can be much harder to conduct a cybersecurity investigation and determine who’s responsible for harmful activity—like transferring or deleting data when multiple people share a password to an account.
To discourage password sharing, update your password policy to officially ban this risky practice. You may also want to add mechanisms that make it harder for employees to share accounts. For example, you can enable Multi-Factor Authentication, restrict concurrent logins, and enforce account monitoring and automatic logouts.
Risk 4. Downloading harmful applications
Employees are increasingly using applications to eliminate manual workflows and increase productivity. But oftentimes, they download and access services without approval, which opens the door to a variety of risks. For example, employees may download applications containing malware or ransomware. They may also use third-party services to store sensitive files, potentially leading to security or privacy violations.
You can solve this problem by setting up application control policies with allow and deny lists. Then, employees can safely request and download vetted digital services. This provides greater transparency and control while helping reduce shadow IT. An endpoint privilege and application control solution removes local administrative rights from software and enforces least privilege security.
Screenshots of Privilege Manager endpoint privilege and application control software
Risk 5. Mismanaging devices
Most businesses lack the bandwidth to effectively monitor and manage company or employee-owned devices like phones, laptops, flash drives, USB devices, and other portable media. As a result, employees often wind up using and managing their own devices at work. This results in workers connecting to business networks with potentially unsecured devices that bad actors can infiltrate.
To eliminate hardware-related threats, businesses must create and enforce strict bring-your-own-device (BYOD) policies. Companies that lack the resources to manage devices effectively should consider partnering with a third-party cybersecurity provider that can make the process much easier.
Risk 6. Failing to update software
For most employees, software updates aren’t top of mind. People often assume software automatically updates or that IT oversees the process. But many programs require manual updates, which employees may overlook or ignore.
According to the 2022 Verizon Data Breach Investigations Report, software update is one of the leading vectors for incidents. Cybercriminals look for outdated software that they exploit to gain access to computers or networks. Since employees can go weeks or even months without updating their software, your IT administrators must take ownership of software updates and ensure all employees are using the latest and most secure versions.
Risk 7. Storing passwords liberally
Employees tend to store passwords incorrectly, putting them in places like Word documents, Excel spreadsheets, and direct messages. This practice is very dangerous—especially when considering hundreds or even thousands of workers may be doing it. All it takes is a single accidental exposure for a bad actor to gain access to a variety of your accounts and systems.
To make life easier for employees and your IT team, use a central, to reduce risk and maintain oversight of business user behavior. See why passwords should NEVER be stored in Excel spreadsheets.
Risk 8. Sending confidential information on unsecured platforms
Most people think about convenience—not cybersecurity—when communicating and sharing information. The average employee may not see anything wrong with sharing confidential data over an unsecured, unencrypted communications channel. But exchanging confidential data over unsecured platforms makes it possible for threat actors to intercept the correspondence and read its contents.
All your employees should know about the risks of using unsecured communication channels. Require team members to always use private, encrypted communications channels when sharing sensitive material.
Risk 9. Bypassing security products
Employees don’t always use security products like malware scanners, biometrics readers, or company-owned devices. Instead, many view security products as a barrier to productivity and may deactivate them or avoid using them entirely. Bypassing security products not only wastes money, it also makes it easier for threat actors to penetrate network defenses and access restricted systems and devices.
For the best results, use monitoring tools and conduct routine audits to ensure employees are using security tools and following company procedures to minimize your cybersecurity risk. It may also help to establish repercussions for workers who violate or bypass security policies.
Risk 10. Connecting to unsecured public networks
With the pandemic winding down, people are returning to offices and hitting the road for conferences and events. This means many people are working out of coffee shops, airports, trains, and hotels—much to the delight of bad actors.
Hackers often use public networks to inject malware into connected devices, snoop on users, and obtain login information and other sensitive data, making them unreliable for tasks like sending email, sharing documents, or even chatting with team members.
The best way to protect on-the-go team members is to use a system like Privileged Remote Access, which enables safe remote connectivity to private computing resources over any web browser. This eliminates the need for a virtual private network or remote desktop client, while ensuring bad actors can’t intercept critical information.
Risk 11. Allowing family members and friends to use business devices
Employees may not see the harm in letting family members and friends use business phones or laptops for activities like browsing the web or downloading games. The danger is that people—especially kids—may click on links or download content that contains malware or ransomware. They may also unintentionally expose or delete sensitive information.
For this reason, it’s important to draw the line between home and family life and restrict unauthorized individuals from accessing company devices. Enforce a zero-tolerance policy for sharing company-owned hardware.
Risk 12. Over-sharing screens
Screens often display sensitive information like emails, financial documents, and customer records. Employees need to keep this in mind whenever they share screens during Zoom or MS Teams calls, office presentations and meetings, or work in public settings where outside parties may be listening in. Leaving a screen open allows someone to take a screenshot or photo to capture private information, potentially leading to an accidental data breach or the exposure of restricted secrets.
To prevent this from happening, employees should minimize windows and log out of applications when they aren’t in use. In online group calls, they should select only the window that contains the information they wish to present. Plus, they must be vigilant whenever they work in public environments.
Risk 13. Granting access to unauthorized individuals
Cybercriminals sometimes try to impersonate employees and request access to protected documents, databases, and applications. In many cases, workers will provide quick access without vetting the individual. Once a threat actor gains access to a restricted area, they may download or delete information. They might also use the data to inflict harm on the organization.
Unfortunately, businesses usually don’t catch on until it’s too late.
Employees must avoid granting access to unknown users. Instead, they should be referred to department or project leaders with access rights for approval. This may take more time, but it can prevent breaches.
Risk 14. Leaving laptops unattended
Most people won’t think twice about leaving a laptop open in public—or even in the “security” of the office—to grab a cup of coffee or use the restroom. But stepping away for just a few moments can lead to theft. It can also give a bad actor (who may be an insider) enough time to step in and lift private information—especially if accounts are open and accessible.
Train employees on the dangers of leaving laptops and other electronic devices unattended. Making the effort to lock or carry a device can reduce theft and help avoid data breaches.
Risk 15. Handling sensitive documents improperly
Employees tend to be careless when handling documents with sensitive information (e.g., customer account records). For example, people may throw important documents in the trash, leave items in the copy machine, or forget items on their desks overnight.
While this might not seem like a cybersecurity risk, data breaches can stem from paper documents. Failure to handle or dispose of information properly can put an entire organization at risk of a security violation.
For this reason, it’s critical to educate employees about proper document-handling protocols. All team members—remote and on-prem—should have access to paper shredders, secure recycling services, and lockable filing cabinets.
Risk 16. Accessing company info after leaving the company
Administrators are not always careful about controlling account access. Employees, contractors, and vendors often retain access to cloud accounts after they stop working with a company. This allows employees to continue monitoring activity and accessing documents they shouldn't be able to. It can lead to accidentally sharing secrets and exposing information.
Adopt least privilege frameworks that only provide access on an as-needed basis, and set up a solution to monitor and restrict access across different accounts and services.
Cybersecurity and productivity: It’s a balancing act
For IT administrators and security teams, balancing security and productivity can be a difficult undertaking. The trick is to mitigate threats while still enabling employees to access the systems and tools they need when they need them.
One way to reduce employee cybersecurity risks without disrupting operations is to establish a Privileged Access Management (PAM) solution, which enables identity and access management across the full attack surface while integrating seamlessly into tools that employees use every day. To learn how invisible PAM can help your organization improve cybersecurity risk management, read this white paper: Invisible PAM: Balancing Productivity and Security Behind the Scenes
Implementing Least Privilege shouldn't be hard