Taylor Armerding writes for Network World, “To err is human, but to err in cyber security can cause major damage to an organization. It will never be possible to be perfect, but major improvement is possible, just by being aware of some of the most common mistakes and their consequences.” In his article he highlights nine common security awareness mistakes:
- Falling for phishing scams
- Unauthorized cloud use (shadow IT)
- Weak or misused passwords
- Transferring company files to a personal computer
- Disabling security controls
- Posting too much on social media channels
- Poor mobile security
- Too many network privileges
- Failure to update or patch software
To avoid these common mistakes, start with training. Do employees understand what phishing scams are? Do they know it is OK to call IT if they suspect, or simply have a question about, a particular link or email? A reporting path that is quick and blame-free matters as much as the awareness itself: employees who fear being blamed for clicking will not report, and an early report is often what lets IT contain a phishing campaign before it spreads. Do your employees understand the very real risks of a weak password, or of sharing or reusing passwords? Is your training just once a year – a couple of click-through slides – or is it ongoing and engaging? Security training for employees should be a regular event and delivered in multiple formats. Keeping company data and systems secure is not just the job of IT; all employees are on the front lines when it comes to security.
Next, balance the need for speed against the need for security. Several of the mistakes above, such as shadow IT, personal computer use, poor mobile security and disabling security controls, are made in the name of speed or ease of use, and each of them weakens your company’s security. When end users route around a control, it is usually a sign that the sanctioned path is too slow or too painful, so the fix is to make the secure path the easy path rather than simply to say no. That requires open dialogue between IT, the business and end users. IT needs to be open to the concerns of end users and the “headaches” they are facing. End users need to be aware of the security risks and the potential fallout. Developing a true “partnership” between IT and end users will help to mitigate many of these common security mistakes.