10 Common Cybersecurity Mistakes

Introduction

Do you feel overwhelmed as soon as you think about cybersecurity? You're not the only one. Although a comprehensive cybersecurity plan might require professional help, here are the ten most common cybersecurity mistakes you should avoid. We organized them into two categories: Business Mistakes and Employees Mistakes.

BUSINESS LEVEL

1. Forgetting that every team member plays a role in cybersecurity

Reports repeatedly proved that many data breaches start when one employee makes a wrong decision. The 2022 Verizon Data Breach Investigations Report states, "The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether using stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a huge role in incidents and breaches alike."

Breaches could be due to employees opening an email attachment that unleashes malware throughout your network or poor password management, with passwords tremendously easy to crack.

Since your non-tech employees might not be aware of cyber security potential threats, they represent a significant vulnerability that criminals can exploit. Hence, training them about cybersecurity, identifying potential risks, and monitoring and recognizing email insecurity is vital.

2. Believing breaches are only big events.

The time between a cyber-attack and the moment organizations realize they have been infected extends. Why is that so? Cyber-attacks can sometimes be hard to spot, increasing difficulty in telling exactly what was compromised. How to avoid this? Continuous and comprehensive monitoring is the best way to detect and deter a breach. XDR solutions can help you monitor and report all anomalies to one central point for analysis and inspection.

Make sure you know what you should protect and that you're doing it following these few steps:

1. Ensure the entire team recognizes why cybersecurity is vital to your organization.
2. Do your research or employ the help of an IT services company to develop a list of different types of cybersecurity threats and vulnerabilities.
3. Describe the types of information that must be protected due to federal cyber and privacy law requirements and the consequences of not adequately protecting such data. 
4. Describe the best practices you can use to reduce cybersecurity risks for your business. 

3. Relying on anti-virus solutions

Antivirus solutions have been how we used to protect our devices, but technology now offers more reactive approaches to cybersecurity, named EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response). EDR/XDR solutions provide an additional layer of protection to your organization.

Due to the increasing number of new malware samples seen daily, it is getting more difficult for any human team of signature writers to keep up with, especially since the creation of malware with changing characteristics, known as polymorphic malware.

Contrary to Antivirus solutions, EDR and XDR don't focus on defined threats but on detecting unexpected, unusual, and unwanted activity patterns and providing a response. EDR and XDR solutions are automatic and proactive, the main difference between the two being the protected area. EDR focuses on endpoint security, while XDR focuses on the endpoint, cloud infrastructure, mobile devices, and more.

4. Procrastinating on Software Updates (for programs like Windows, Java, Flash, and Office) 

Updating software is often a pain, especially when it is a significant update that involves staff training. We admit that. However, big security holes in popular programs can leave you vulnerable to attack. Software updates are essential to maintain a healthy and secure network. 

Hackers spend a lot of time searching for security vulnerabilities that give them access to accounts and networks. Dark Web sites and forums make it easy for criminals to trade information and coordinate large attacks.

When software developers learn about vulnerabilities, they start looking for ways to patch the hole. The patches get released as software updates, and you put yourself at risk if you don't update your software as soon as the latest patch becomes available. Criminals take advantage of compromised code before developers release patches, so you're already behind. 

5. Your Business Plan Doesn't Include a Business Continuity and Disaster Recovery Plan

When encountering difficulties and emergencies, being prepared can decide a business's success or failure. Business Continuity is a business's readiness to maintain critical functions after an emergency or disruption.

A great Business Continuity Plan can help keep your organization active even through emergencies and disasters. However, designing a comprehensive Disaster Recovery Strategy is vital to address issues afterward.

Disaster recovery refers to an organization's method of regaining access and functionality to its IT infrastructure after natural disasters, cyber-attacks, etc.

What is the best way to design an efficient Disaster Recovery Strategy? Well, it depends on your IT department structure:

1. If you have an entire IT department available in your organization, your team should be able to design it using a Disaster Recovery Plan template.
2. If you only have one IT team member or no IT team, it might be better to outsource this process with an MSP (Managed Services Provider). At LENET, we can help you to design a comprehensive technology-related business continuity plan and assist you in disaster recovery.

6. Not Backing up Your Data

Losing critical business files, financial information, or customer data usually has tremendous repercussions. Not only financially but also in terms of time, lost customers, and reputation. It is hence crucial for every organization to protect its data. 

Always make regular computer backups and always test those backups to ensure you can restore files. Does it sound complicated? An easy way to do it is by using encrypted backup software. This type of software automatically backups up your files, securely stores multiple copies, and enables one-click restore of any file/folder.

EMPLOYEES MISTAKES 

1. Using Public WiFi

Free Wi-Fi is tempting, but be sure that you consider who is providing the connection. Public connections at the local coffee shop are usually unsecured and leave your machine open to outsiders. While these networks provide convenience, there are risks to be aware of.

Hackers use public Wi-Fi in different ways:

• Man-in-the-Middle (MITM) attack
• Session hijacking
• Shoulder-surfing
• Acquire airborne information
• Creating fake Wi-Fi connections

Want to pay bills or check on your tax return? Do it from home, where you know your network is safe.

2. Answering Phishing Emails

Phishing (pronounced: fishing) is an attack that attempts to steal the target's money (or identity) by getting them to reveal personal information. As phishing attacks are rising, it is essential to learn how to spot and report them.

You don't know how to recognize phishing emails? Here is a list of emails you should be cautious about:

1. Emails Demanding Urgent Action
2. Inconsistencies in Email Addresses, Links & Domain Names
3. Emails containing Suspicious Attachments
4. Emails Requesting Login Credentials, Payment Information, and other Sensitive Data
   

If you are often unsure whether an email is a phishing email, learn how to verify the legitimacy of an email.

3. Poor Password Management 

Passwords for logging into any website should contain a mix of letters, numbers, and special characters – as well as be different for each website you log into. It can be a pain to remember all of these passwords but ask yourself which is more of a pain – remembering these or recovering stolen personal information.

For enhanced security:

• Never use the Same Password without Two-Factor Authentication.

This so-called "daisy chaining" allows all your accounts to be compromised by breaking into just one. An easy solution is having multiple passwords for your various accounts and changing and trying out new variations every six months. Remembering a bunch of new passwords every other few months might sound like a headache, but you can avoid this pain by using a password manager. 

• Use Strong, Long, and Secure Passwords

Using passwords that are not complex enough exposes you to the risk of brute-force attacks. It is an attack when an attacker is using software to guess the password for your account, trying all possible combinations. Short and simple passwords are simpler to be cracked since they involve fewer possible combinations. 

4. Leaving Your Webcam Open to Attack

A particular type of malware gives attackers remote access to our computers and the ability to enable our webcam. While most of us are aware of this risk and hence decide to place a piece of tape over the camera, it might not be enough to protect your privacy. Why is that? It doesn't block audio. This is how hackers get access to sensitive data and information, so make sure you know how to disable it.

CONCLUSION

To err is human. However, making simple cybersecurity mistakes may cost you or your business. Cyber-attacks stories come out every day. Ensure that you avoid the above mistakes to tackle potential threats proactively.

The Department of Homeland Security released a list of cybersecurity performance goals and metrics designed by the Cybersecurity & Infrastructure Security Agency (CISA) to help drive cybersecurity best practices across the private sector. The CISA's document includes a "user-friendly" worksheet to clarify and facilitate your cybersecurity strategy.

However, as it can be difficult for Organizations to know where to start and how to allocate resources, a good alternative is to work with an MSP (Managed Services Provider), who can ensure your cybersecurity strategy and deployment is on point. 

LENET is a leading provider of cybersecurity services here to help you. Book a FREE cybersecurity audit to learn more.