4 Bad Employee Security Habits

January 9th, 2020 | IT Security, Security Culture

When most people think of security, they think of locked doors and surveillance cameras to keep the bad guys out. However, the real danger doesn’t come from the outside; it comes from within. 84% of successful cyberattacks are caused by employee negligence. That’s why it’s critical that a portion of your business’s security efforts are directed internally and focused on breaking the bad habits of your own people.

When we’re talking about your employees’ bad habits, we’re not talking about them biting their fingernails or microwaving fish in the break room. We’re talking about their bad security habits. If you’re not sure what a bad security habit is, check out our list of 4 common bad security habits below. If your employees exhibit any of those bad habits, it may be a sign your organization is vulnerable to a cyberattack or a data breach.

4 Bad Employee Security Habits

1. Logging on using public wi-fi

Working from public places such as a coffee shop can be fun, but there are some risks that come with it. Hackers may set up their own networks that mirror public wi-fi networks, or the public network itself may be compromised. When you’re connected to public wi-fi, you should avoid logging into your work email, bank account, credit card account, etc. If you access sensitive information using a compromised wi-fi network, you’re putting your business and yourself at risk.

This isn’t just a theoretical problem: USA Today writer Steven Petrow was hacked using public wi-fi on a plane. After the flight, a man approached him and said that because Steven was using the plane’s public wi-fi, he was able to read his emails and see what he was working on. Interestingly, Steven was working on an article about the FBI’s attempt to get Apple to unlock iPhones for their investigations. The hacker told Steven that his feeling of having his privacy invaded would be experienced by other people if Apple relented to the FBI’s request. Dramatic hacker speeches aside, Steven’s experience perfectly illustrates how vulnerable your data is while you’re connected to public wi-fi.

2. Leaving devices unlocked

Does your staff lock their computer every single time they leave their desk? Most companies have policies that require all devices that have business data stored on them to be password protected. What good is a password if you leave your work computer unlocked for anyone walking by to use? The odds of a bad guy sneaking onto your computer while you’re using the bathroom are low, but when locking your screen takes less than a second, there’s no reason not to.

Tip: Here are the keyboard shortcuts to lock your computer

Windows: Windows key + L

Mac: Command + Control + Q

3. Plugging in unknown devices/USBs

Have you ever needed a USB device and just plugged in one you found lying around the office? If so, you could potentially infect your computer with malware. Don’t worry though, you’re not alone. A study done by the University of Illinois and University of Michigan found that when a USB is left out in a public place there is a 50% chance it will be found and plugged in by someone else. With a conversion rate of nearly 50%, malware-infected USBs are an effective way for hackers to get into your organization. If you aren’t sure where a USB stick came from, don’t plug it in.

On the flip side, don’t plug your devices into public USB ports such as charging stations. “Juice jacking” is when malicious software is uploaded onto a public charging station. When you plug your phone into a compromised charging station, the hacker will gain access to whatever data you have stored on your phone. 67% of people use their phone for work (Source: CBS News), so employers need to educate their staff on the dangers of public USB ports.

4. Leaving out confidential information

Employees leaving confidential documents out is a common problem for many businesses. Train your employees not to leave confidential information in printer trays, in unlocked drawers, on whiteboards, or on desks. If confidential information is left out often at your company, consider implementing a clean desk policy. A clean desk policy just requires your staff to ensure no privileged information is left out on their desks. Policies are only effective if people are aware of them and they are enforced. Make sure you treat your security policies seriously; if you don’t, your employees won’t either.


How to Break Your Employees’ Bad Security Habits

As mentioned before, a goal of your security efforts should be to break the bad security habits of your employees. Security awareness training and testing are the tools employers can use to break their employees’ bad habits. Security awareness training is simply educating your employees on IT security best practices and how to spot and report potential security incidents. Once they are educated, it’s critical that you test them.

Testing your employees has two main benefits. The first benefit is that you gain insight into how well they are retaining the training. If necessary, you’ll be able to enroll them in additional training if they’re struggling with retention. The second benefit of testing is that it creates top-of-mind security awareness throughout your organization. Routine testing means your employees will be thinking about security far more often than they would otherwise. If your employees are thinking about security more, they will be more likely to follow good security practices.

Security education has proven results; investing in security awareness training reduces security-related risks by up to 70%. Unfortunately, 45% of employees don’t receive any form of security awareness training. You may be thinking, “If security awareness training is so effective, why are almost half of employees not receiving it?” The simple answer is that business leaders just aren’t aware of how important security awareness training is yet.

If you’d like a more in-depth view on employee security training, check out our webinar. If you want to incorporate employee security awareness training in your own business, contact an Aldridge representative today; we can help.