As an IT manager in an SME, one of your top priorities is ensuring the security of your company’s data and systems. However, even with the best security measures in place, the actions of individual employees can pose a significant threat to your company’s cybersecurity. Yes, those who claim to be your work buddies are the very reason for giving you sleepless nights or being the cause of you getting pinged by your boss on a Saturday evening as you were just about to grab a pint at the pub.
We’re going to outline the top 10 worst cybersecurity habits that your teammates, and maybe even you, may be guilty of, and what you can do to help them improve their habits and, in turn, keep you sane.
1. Using weak passwords
You might think that 12345678 is a cliché, but sadly it’s still used by many employees. Weak passwords are one of the easiest ways for hackers to gain access to your company’s systems and data. As an IT manager, you can encourage your team to use strong, complex passwords that are at least 12 characters long and contain a mix of upper and lowercase letters, numbers, and special characters. You can also implement password policies that require employees to change their passwords regularly and prohibit the use of common passwords. If all else fails, start a dedicated Slack channel for naming and shaming; there must be a plug-in that makes a firework gif of their name and faux pas.
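As an added example (not code from the original post or from HighGround.io), here is a small Python checker that enforces the policy described above: a 12-character minimum, all four character classes, and a blocklist of common passwords. The blocklist is a constructed stand-in for a real breached-password list, and the checker also compares the letters-only core of the candidate against the blocklist so that trivial variants such as a capital letter plus "123!" on the end of a common word are still rejected.

```python
import string

# Constructed sample blocklist; a real deployment would load a large list of
# breached/common passwords (the post names 12345678 as the classic example).
COMMON_PASSWORDS = {
    "12345678", "password", "qwerty123", "letmein", "welcome1", "iloveyou", "admin123",
}

MIN_LENGTH = 12  # the minimum length the policy above recommends


def _letter_core(password: str) -> str:
    """Lowercase letters only, so 'Password123!' and 'password' compare equal."""
    return "".join(c for c in password.lower() if c.isalpha())


# Pre-compute the letter cores of the blocklist once (entries with no letters are dropped,
# otherwise an all-digit candidate would match an empty core).
_COMMON_CORES = {core for core in map(_letter_core, COMMON_PASSWORDS) if core}


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Exact match against the blocklist, or a blocklisted word dressed up with digits/symbols.
    core = _letter_core(password)
    if password.lower() in COMMON_PASSWORDS or (core and core in _COMMON_CORES):
        problems.append("based on a common password")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the candidate passes every rule of the policy."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("12345678", "Password123!", "Correct-Horse-Battery-9"):
        print(f"{candidate!r} -> {check_password(candidate) or 'OK'}")
```

The returned list is meant to be shown to the user, so they learn which rule they broke rather than just seeing a generic rejection; in a real system the blocklist lookup should be backed by a full breached-password corpus rather than the handful of constructed entries used here.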
2. Sharing sensitive data
Sharing sensitive data over unsecured channels is a common mistake made by employees who may not understand the risks. Email, chat, and file sharing services are often unsecured, and using them to share sensitive data can expose the data to unauthorised access. To mitigate this risk, it’s important to encourage employees to use secure channels, such as encrypted email or file sharing services with password protection. An effective way to explain the risks is to use an analogy: sharing sensitive data on unsecured channels is like shouting your secrets in a public place. To illustrate this point to the non-believers, you could show a slide show of baby photos projected onto the wall in the break room that someone’s mum uploaded to Facebook.
3. Ignoring software updates
Ignoring Patch Tuesday is going to bite you in the butt one day, and while it feels like the updates are the devil’s work and cause more problems than they solve, software updates often contain important security patches that fix vulnerabilities hackers could exploit. As an IT manager, you can ensure that all devices and software are up to date by implementing automated update processes and regularly reminding employees to install updates. If they fail to abide by your rules, you can threaten to block TikTok and Instagram in the office; nobody uses Facebook anymore and Musk has ruined Twitter, so you’re good with those two as a threat.
4. Clicking on suspicious links
We’re not going to lie, phishing emails and links are becoming increasingly sophisticated. But clicking on a suspicious link is like playing Russian roulette with your company’s data. To help your colleagues avoid this, provide cybersecurity training that teaches them how to identify and report phishing attempts. And if they still fall for it, maybe consider hiring a fake Nigerian prince to run around accounts and teach them a lesson.
5. Ignoring two-factor authentication
We get it, entering a code in addition to a password can be annoying. But two-factor authentication is an extra layer of security that makes it more difficult for hackers to gain access. As an IT manager, you can require the use of two-factor authentication for all company accounts. And if they still resist, ask the CEO to take the tea and coffee hostage or if you’re in a fancy office, the Kombucha until they all get on board.
6. Neglecting endpoint protection
Neglecting endpoint protection is a huge risk for your company’s IT infrastructure. Ensure that all endpoints have up-to-date security software, firewalls, and intrusion prevention systems. Monitor these measures regularly for potential vulnerabilities. Failure to do so can lead to a devastating security breach that compromises sensitive company data and exposes the company to significant financial and reputational damage. We have no suggestions for suitable punishments on this one; it’s probably on you.
7. Using public Wi-Fi networks
Public Wi-Fi networks are often unsecured, which means that any data transmitted over the network could potentially be intercepted by hackers. To help your colleagues avoid this risk when they “escape home” to go to Starbucks on their WFH days, provide a secure VPN (virtual private network) for remote access to company systems. And if they still insist on using public Wi-Fi, have their device play annoying songs on loop, and as loudly as possible, once a non-company network is detected.
8. Leaving devices unattended
Common sense, I hear you cry, but when they’re not paying for the device, do you think they’re watching it while they run around collecting all the swag at that conference the CEO forced them to attend? Public places can make devices an easy target for theft or unauthorised access. As an IT manager, you can implement policies that require employees to lock their devices when they step away from them. Any culprits “forgetting” will receive a glitter bomb package to their home address.
9. Using personal devices for work
Look, you get it, everybody loves their phone. It’s with them all the time, it knows their secrets, and it even talks to them (in a non-creepy way, we hope). But just because it’s their constant companion doesn’t mean it should be used for work too. Using personal devices for work can be a major security risk if the devices aren’t properly secured, or if they’re lost or stolen. It’s like inviting a stranger into your home and hoping they won’t steal your TV (or in this case, your company’s sensitive data). As an IT manager, you can implement policies that require employees to use company-issued devices for work purposes. Any detractors (careful, it’s probably your boss) will receive the “car key sellotaped to the roof” treatment. Let them work to get home at 5pm on a Friday.
All joking aside, we had fun writing the wish list of punishments for failure to abide by the rules, but the one rule is that you need employees to trust and feel they can admit mistakes to you. This is key for number 10 on the list.
10. Failing to report security incidents
Finally, one of the worst cybersecurity habits an employee can have is failing to report security incidents. Whether it’s a lost laptop, a phishing email, or a suspected data breach, employees need to be vigilant and report any incidents to their IT manager immediately (that’s you, by the way). Failure to do so could result in serious consequences for the company, including regulatory fines, lost business, and damage to the company’s reputation. As an IT manager, you can encourage a culture of transparency and openness when it comes to cybersecurity incidents and ensure that employees know how to report incidents quickly and effectively.
You might just want to pull out that stress ball, say a few mantras, Netflix and chill, or whatever your calm-down pill might be for all this rule-breaking. We do recommend signing up for a free trial of Premium in HighGround.io (forever free available) for all your Cyber Security management needs.
HighGround.io makes cybersecurity easy for small and medium-sized businesses by enabling IT managers without specialised cyber expertise to achieve cyber resilience effortlessly. Our platform is user-friendly, action-orientated and facilitates effective communication with partners and executives using KPIs tailored to their technical proficiency.