11 Ways Employees Can Be Your Weak Link for Cybersecurity

Each year, the number of cyberattacks on companies aimed at stealing sensitive information increases. There are cybersecurity tools made to protect organizations, but many of these tools focus on external attacks, not internal weaknesses. Many security systems do not account for the possibility of employees unknowingly becoming a security threat and do nothing to mitigate accidental internal threats. Employee cybersecurity is an important issue.
The 2018 Insider Threat Report asserted that 90% of organizations are likely to be attacked or exposed to attacks through an insider, and more than 50% experienced an attack through an insider.
Furthermore, about 44% of top companies are exposed to potential threats as a result of exposure of passwords on the internet by their employees or theft of login details.
According to a recent report by Shred-it, an information security company, employee negligence is the primary source of data breaches. According to that report, 47% of business leaders blamed human error (i.e., accidental loss of a device or document by an employee) for a data breach within their organization.
The Threat of a Negligent Employee
A negligent employee does not have the intention of exposing a company to threats but does so unknowingly in several ways that could have grave implications. It is simply negligence. Here are some of the most common unintentional insider threats and some creative ways organizations can educate their employees about them.
1) Phishing and its variants, such as spear phishing.
Phishing is one of the ways a careless employee can expose sensitive information. Phishing is the luring of an internet user to reveal sensitive details on a counterfeit web page or email that is made to look like it is legitimate.
A creative way to educate your employees: Create a presentation for employees on spotting a phishing email and share it. Then test them with your own fake phishing emails. If they fall for it and click through, bring them to a site that has a list of your organization’s “heroes”—the people that did not click through, but instead sent the email to your security team since they suspected it was phishing.
2) Using unsecured networks.
Using personal devices and company devices on unknown networks is very risky. The risk is much higher with a network provided by or offered in public places, like a café or an airport. Data may not be encrypted in these networks and could easily be intercepted, then stolen. Login details can be exposed when there is an attempt to access emails or social media on a public network. Viruses and malware are also frequently distributed over a public network.
A creative way to educate your employees: Provide video training for employees on insecure networks and then set up a decoy (spoofed) wireless network in your office. The people that connect to the decoy network get a pop-up window with a 3-minute video on unsecured networks, which then prompts them to connect to the real network.
3) Using the same password on multiple sites.
Unfortunately, most employees use the same or similar passwords for work and personal devices. By using the same password on personal accounts, which are often also less secure, they risk exposing their employer to threats. Password reuse means an attacker can obtain credentials from one website and then use them to gain access to that user’s account on another website. Some employees will even use their company email address to register on forums for their personal interests. Many online forums are free and run as someone’s side hobby. Because they are not a paid service, they are not patched for security flaws frequently. Additionally, they often do not have adequate security to protect their users’ login credentials, so this is yet another threat to the employer.
A creative way to educate your employees: Train your employees on the dangers of password reuse, especially between corporate and personal accounts. Install a compromised credential screening tool if you host any online customer or user accounts. Use an Active Directory password screening tool that prevents your employees from reusing compromised passwords.
4) Not performing system updates and upgrades.
It is necessary to keep personal and work devices up to date as this provides security patches that will block cyber attackers from exploiting vulnerabilities in the device. Many employees do not keep up with updates and do not understand the importance of them.
A creative way to educate your employees: Give each department lists of companies that have been breached because of unpatched systems, broken down by department and by tool. Many of these lists are available online, and it is eye-opening for employees to see that other companies have been breached because of an unpatched tool that they themselves are using. You will see a bunch of updates happen soon after that.
5) Accidental installation of malicious apps.
Employees may be tricked into downloading and installing an application or browser extension, intending only to use its productivity features for free, that in fact contains malware capable of exposing the information on the device.
A creative way to educate your employees: Make a video showing your employees a real-life example of installing a malicious app and what the experience is afterwards. Once you see what happens to someone else’s device, you will be more cautious.
6) Using unsecured data storage.
Sensitive data should not be stored on devices or within unsecured storage sites. Depending on the data, it could be a significant threat if it falls into the wrong hands. An employee may lose possession of an external device that contains sensitive company data. London’s Heathrow airport, for example, was fined £120,000 for losing a USB drive which contained confidential information that should never have been stored on a USB drive in the first place.
A creative way to educate your employees: There are a plethora of real-life examples of unsecured data storage breaches in the news. However, it is not just unsecured S3 buckets or plain-text PII storage. It can be sensitive data in spreadsheets on an unsecured laptop, improper usage of USB drives, etc. Test your employees and publish the results. Leave some USB drives sitting in a conference room and monitor how many people use them or alert security. Put a presentation on the USB drive that outlines why data storage is so important and tells them to stop plugging random USB drives into their computers.
7) Leaving information and devices lying around.
Some habits are still seen as trivial by employees, such as leaving a work computer unlocked and unattended. Leaving unsecured devices unattended is a common habit, and over 25% of workers admit they do this often. Unlocked and unattended computers and devices are a natural entry point for a cybercriminal. Leaving out documents and other written communications can have the same issue.
A creative way to educate your employees: You can train your employees by leaving dollar bills out around the office in unattended locations. Put sticky notes on the back that explain that leaving your devices lying around is like leaving money sitting out on a table: someone is going to take it. Another creative security training team we work with even “stole” all the devices and paperwork that were left unattended in an office and held them hostage. Then they required the employee to complete a quick and comical 3-minute online security training video to get them back.
8) Lax Bring Your Own Device (BYOD) habits.
With the advent of new technologies, employees can take work home on their mobile devices and tablets. Not setting a passcode or biometrics lock on a mobile phone or tablet is a substantial risk. As so many employees access company data on their phones, this also puts the organization at risk. Mobile technology has increased the productivity of employees with the consent of the company; however, it poses some of the following risks:
- Data leakage: employees can take work to places that do not have adequate security and can pose a threat to data. There are countless stories about information stolen by fellow passengers on a plane.
- Device loss: employees can lose their device, which may improperly contain sensitive information that someone can take.
- Hacking and Malware: Personal devices may be vulnerable to hacking and malware, part of which was outlined above.
A creative way to educate your employees: Train your employees on security for different devices, because most people are still very lax when it comes to mobile phone security. If they access any company data or applications from their mobile devices, deploy a mandatory MDM security solution. Require a passcode or biometric lock. There are a lot of great videos on YouTube showing how mobile phones can be hacked; just because a device is BYOD does not mean it can be less secure.
9) Weak employee cybersecurity when remote.
Many US-based organizations allow employees to work remotely from home. While working from home is considered the future of work, it poses similar risks as a BYOD policy. Many people do not have robust home wi-fi security, and they do not always run their corporate VPN when online at home.
Creative ways to educate your employees: Train your employees on home-based security and VPNs if they work remotely. Remind them that IoT devices and guests need to be on separate networks. Many family members and friends may have viruses and malware on their laptops, so it is essential for them to use a distinct guest network that is not associated with any network you apply for work purposes. One company we work with has a lot of distributed employees and small offices around the world. Just like the office safety volunteers that help employees in the case of a fire, they have a designated cybersecurity volunteer in each office to support the local employees to understand cybersecurity. For the remote employees, they had virtual cybersecurity volunteers that would reach out to remote employees on a quarterly basis and host informal remote cybersecurity training.
10) Using default admin passwords.
Default passwords are an easy target for bad actors because worms have been built to seek out systems that still use the default credentials. There is a whole dark web exchange for default passwords. Make it a corporate policy to change default passwords immediately.
A creative way to educate your employees: This is another area where testing is hard, so videotape some examples of how a bad actor can reach other sensitive systems after first gaining access through an IoT device. Alternatively, share some of the articles on default password attacks, such as the attack on an HVAC system or one of the numerous attacks on printers.
11) Using weak passwords, especially admin passwords.
44% of employees admit to having insecure passwords at work, which makes those passwords easy for an attacker to crack. Use an Active Directory password screening tool that prevents your employees from using compromised passwords or bad passwords that are commonly found in cracking dictionaries or password blacklists.
A creative way to educate your employees: Most people think their password is strong and secure. There are plenty of online tools that you can use to demonstrate good or bad passwords. These tools use secure APIs to access a backend password database and password blacklist, but we recommend that people not use their real passwords. One customer of Enzoic ran a week-long contest in which employees made up passwords that they thought would be secure. Each day there was a new guideline on character length and special characters. The week built up to the final day and what would be most secure: a long passphrase. The employees also got to use the online tools mentioned above to test what would be secure. Employees who submitted a secure password first won a prize, and it was a good demonstration to everyone about strong and weak passwords and passphrases.
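The two screening controls described above (blocking reuse of compromised credentials in point 3, and rejecting blacklisted or cracking-dictionary passwords here) can be shown with a small added example; this is not Enzoic’s or any vendor’s code. It assumes a constructed blacklist, a constructed set of breached-password SHA-1 hashes, and a hypothetical range_lookup function standing in for a k-anonymity-style backend query in which only a hash prefix leaves the client, so the real password is never sent.

```python
import hashlib

# Constructed sample data for this example, not a real breach corpus or vendor list:
# a tiny "cracking dictionary" blacklist and a few SHA-1 hashes standing in for a
# compromised-credential database held by the screening backend.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Cheap leetspeak normalization so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("@0134$!", "aoleasi")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


COMPROMISED_HASHES = {sha1_hex(p) for p in ("Summer2018!", "Company123", "P@ssw0rd")}


def range_lookup(prefix: str) -> list[str]:
    """Hypothetical backend query in the k-anonymity style: the client sends only
    the first five hex characters of the SHA-1 hash and receives every stored
    suffix sharing that prefix, so the backend never sees the full hash."""
    return [h[5:] for h in COMPROMISED_HASHES if h.startswith(prefix)]


def is_compromised(password: str) -> bool:
    """Hash locally, query by prefix, and compare suffixes on the client side."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def normalize(password: str) -> str:
    """Lower-case, drop the trailing digits/punctuation people append to satisfy
    complexity rules, and undo common character substitutions."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!?.") or lowered
    return stripped.translate(LEET)


def screen_password(password: str) -> list[str]:
    """Return the reasons a candidate password should be rejected.
    An empty list means it passed every check: a long passphrase such as
    "correct horse battery staple" passes, while "P@ssw0rd" fails all three."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in BLACKLIST or normalize(password) in BLACKLIST:
        reasons.append("matches a common password blacklist")
    if is_compromised(password):
        reasons.append("found in compromised credential database")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Company123", "correct horse battery staple"):
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization step is what catches the "same password with a digit appended" habit that defeats naive blacklist matching.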
Summary
These are all significant threats to employers, and these are just some simple examples of how to educate employees. These examples may not be appropriate for every environment. We have heard creative things from our customers on how they are trying to reduce insider threats and wanted to share some of them.
Our key point is that organizations need to educate their employees on information security, and one effective way to do that is to make it interactive and give real-life examples. Give them real-life experiences of how some of these threats work and what the fallout can be for them. Make videos with other real employees to help them relate. Most employees care about their job and don’t want to create issues for their employers but are unaware of the threat they unknowingly bring into the business. It is important to take employee cybersecurity seriously.
source securityboulevard