10 Mistakes End Users Make That Drive Security Managers Crazy

charbill@rainnetworks.com


Security Breaches from Within


As we believe at Rain Networks, sometimes your employees are your weakest link. Companies have found that many employees are not aware of the security breaches they might cause by clicking random buttons on their screen or opening pages they aren't supposed to be on. According to Forrester Research, "nearly 40% of all data breaches are caused by insiders. And of those insider breaches, 26% are caused by abuse or malicious intent by insiders, and 56% are caused by inadvertent misuse or sheer accidents by employees." Data is often misused, and security managers go crazy trying to solve problems that shouldn't be there. Dark Reading lists these mistakes made by end users:

  1. Leaky Amazon S3 Buckets - End users often assume that when they are using cloud-based workloads they are automatically secure. Not so. S3 stands for Simple Storage Service, and when people put workloads in the cloud, it is still their responsibility to, at the very least, set a password.

  2. Leaving a laptop at the security line at an airport - When you go through a security line, you have to take off shoes and belts and empty your pockets. But often a work laptop is left behind.

  3. Losing track of corrupted thumb drives - Too often people have thumb drives from previous jobs that contain data that should have been turned in when the person left the company. And then there’s a chance that the data on a thumb drive could become infected and spread a virus to the corporate network once it’s inserted into a work computer.

  4. Mishandling company information - Users mishandle company information all the time. Simply emailing a document to a personal machine at home can be considered a breach – and people do that all the time.

  5. Sloppy care of security cameras and other devices with IP addresses - Just about everything in an office – from printers to security cameras – has an IP address on it today. Especially for small offices, it’s really important to change the default passwords on these devices. Failure to do so can open up the company to a DDoS attack.

  6. Careless handling of BYOD devices - Companies often have no choice but to agree to a BYOD policy today but doing so presents certain security risks.

  7. Poor handling of user privileges - People may have several jobs at a company over five or ten years, each of which comes with different access privileges. Very often the user and administrator won’t communicate about the various levels of privilege the user has, which means the user may still have privileges that are not appropriate for his or her current position.

  8. Lax attention to “tailgating” at physical entry points - Sometimes a person will be entering the company location and a second person will come by, saying they forgot their badge and asking, “Can you please let me in?” Unless the person with the badge knows for sure that the person they are letting in is an authorized employee or business partner, they should not let them in.

  9. Improper handling of sensitive medical data - In the absence of a dedicated IT staff, information can get left on computers, fax machines and scanners that have little or no password protection and are open to theft. It’s also common for office staff to accidentally email PII to business partners.

  10. Blogging about work matters - If employees decide to blog, they should stay away from any work topics and stick to hobbies such as music, art or sports they follow or participate in. Even if sensitive documents are not shared, bloggers could be giving away internal company strategy by disclosing what’s said at internal meetings.
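As an added example (not code from the original post or from Dark Reading), here is a small Python check for the "leaky bucket" problem in item 1: it reads an S3 bucket policy document and reports any Allow statement whose Principal is everyone. The bucket name, account id and role ARN in the sample policies are constructed placeholders.

```python
import json

# Constructed sample bucket policies (not from the original post).
# One grants read access to everyone; the other is limited to a single IAM role.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

def _as_list(value):
    # Policy documents allow either a single value or a list in most fields.
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" or {"AWS": "*"} means anyone on the internet, signed-in or anonymous.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json):
    """Return the Sids of Allow statements whose Principal is everyone.
    Statements with a Condition are still reported; read those by hand,
    since a condition such as aws:SourceVpce may narrow the reach."""
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal")):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found
```

Running `public_statements` over the policy returned by `get-bucket-policy` gives a quick list of statements to review; an empty list is a necessary but not sufficient condition, since object ACLs and Block Public Access settings also matter.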
