How Risky Behavior Leads to Data Breaches
Many employees have a lot on their plate and work hard to keep up with their rigorous job responsibilities. To meet the demands of their position, they create shortcuts to accomplish their tasks quickly and not get mired in the details. Herein lies the problem of risky employee behavior – in many cases, employees are not aware that their shortcuts, or the protocol steps they skip, are creating gaping holes in an organization's cyber hygiene. They may not mean to harm the organization, and their behavior is certainly non-malicious, but their risky behaviors have turned them into insider threats all the same.
This chapter is about this behavior and how it can lead to devastating outcomes. In reality, a great deal of this risky behavior can be stopped by creating cognizance around the implications of these actions. In most cases, employees are woefully unaware of the consequences of their actions, and what they don't realize...
We'll start by discussing the kind of behavior you might find from an oblivious, non-malicious insider threat. Oblivious employees aren't motivated by any desire to cause harm, or even by laziness or resistance to protocol; they simply don't understand that the actions they're taking, or forgetting to take, cause holes in their organization's security.
Unattended computers are a hazard
One classic form of oblivious behavior is leaving computers unattended when outside the organization – I've seen this many times at conferences, even security conferences. People go and check in their laptops along with their coats! They hand the laptop over for a checkout ticket, getting a false sense of security and trust because they've got the checkout ticket in their possession. That makes them feel like the laptop's safe, when really it's been taken by an individual they don't know, to a place they can'...
Oblivious behavior is in some ways easier to deal with – the employee doesn't know that their behavior is threatening to the organization, and if they're educated properly and become part of a security culture, those behaviors will stop. Negligent non-malicious behavior, on the other hand, is when the employee knows that their action causes a security risk. They simply underestimate the risk, and overestimate the convenience of the risky action. These employees need to be convinced not just of what to do, but also of how important it is that they do it, and the possible consequences of not following the protocol.
Leaving the door open – the problem with recycled passwords
Coming up with a new password is often a task one faces without preparing for it – a reminder pops up and, suddenly, you need to invent a password. This leads to negligent employees using the same passwords and usernames that they've already used for websites...
Many people don't realize that social media is one of the biggest portals for data breaches, phishing attempts, and social engineering. Given that social media has many risks from many different vantage points and plays an outsized role in modern life, let's explore every angle of the risks in detail.
As a rule of thumb, when it comes to using social media within an organization, employees will feel secure for the most part because they believe that they're safe at work. From an employer perspective, organizations may be under the impression that by having a firewall they can stop access to some social media sites during work hours. Those who believe this have obviously not thought about the realities of living in an age of BYOD (Bring Your Own Device).
We all know BYOD has become very popular in recent years because we all do it. Many of us carry around two phones: a work phone and a personal phone. Inevitably, we bring both into the work environment...
Takeaway – practicing cyber mindfulness
As you'll have gleaned through these examples, when your employees engage in risky behavior, they can actively undermine the thorough security protocols that you've worked diligently to put in place. Employees must understand that when they leave their workplaces, their responsibilities to protect their organizations, as well as themselves, do not cease. Everyone within the organization must practice cyber mindfulness as a way of life, no matter where they are at any given moment. Just as traditional mindfulness encourages you to be aware of your surroundings and the consequences of your actions, cyber mindfulness involves being aware of your online connections and the consequences of your digital actions.
Even at a personal level, cyber mindfulness helps you protect every single facet of your life, including your career, reputation, and family. We live in a fast-paced world where we're constantly on the go, have many...
Looking forward – breaking down cybersecurity through interviews
Over the next few chapters, we'll delve deeper by talking to the experts who will outline what you need to know about their respective fields within cybersecurity. After each interview, I'll discuss and distil these concepts to highlight critical takeaways that I personally believe will be game changers for your organization, and your cyber hygiene.
Cybersecurity is not a standalone concept, and these interviews and commentary reflect that reality. I approach the topic using as many real-world examples from my own career journey and from my interviewees' experiences as possible. These real-world anecdotes highlight problems with relatable and teachable moments, providing you with solutions that can help inform your decisions on how to approach these situations.