Common Workplace Cybersecurity Mistakes and How to Prevent Them

It’s become common knowledge among business professionals that as our world grows increasingly digitally connected, a major priority of most organizations will be cybersecurity. This is for good reason: as early as 2020, it was forecast that cybercrime would cost the world around $10.5 trillion annually by 2025. Given the onset of the pandemic and the resulting necessity of the remote workplace, it’s probably safe to update that statistic to an even higher figure.

One would hope that given the current circumstances, workplace cybersecurity would be tighter than ever, but that is not the case, based on actual data. Employee-caused errors/security lapses are the common element in most successful attacks on their workplaces. Respondents to a recent survey reported that roughly 36% of employees made significant mistakes at work that resulted in a complete compromise of their organization’s network, and 26% of respondents reported that people lost their jobs in the past year after compromising their company’s security.

Email-related errors are a frequent culprit

Many security lapses involve email-related errors. The survey found that employees sent four emails to the wrong person every month. This frequently happens because they didn’t double check the name that was auto-filled in the To: line before sending it (say, for example, you want to send an email to Jason Smith. Try entering “Ja” and see how many names that start with “Ja” pop up from both inside and outside your company. How many are Jason but with a different last name?). Close to 30% of survey respondents said their company lost a client because of the error. This shows carelessness that reflects poorly on the sender and their company. And from a security point of view, it also risks sharing confidential information with a competitor or vendor or even with a hacker that sent a phishing email whose email address still lurks in their address book.
It is critical to educate staff on the importance of taking a few extra seconds to check the names in the To: and CC: lines before they click Send. It can mean the difference between keeping and losing a client and spreading or securing proprietary company information.

Phishing and other social engineering scams

The vast majority (90%) of data breaches in the workplace are a result of phishing scams, according to data collected by the FBI. Furthermore, the Bureau predicts that phishing attacks are likely to increase by a staggering 400%. Employees who click on links or download attachments in phishing emails expose their companies to devastating ransomware and other types of malware attacks. One of the best ways to prevent these attacks is by providing regular company-wide security awareness training to help staff recognize these scams.

You can also conduct ad hoc cybersecurity testing for employees. Send out random, realistic-looking phishing emails that look like they are coming from the human resources or accounting department, CEO, or other trusted sources. Then track who does and doesn’t download attachments or click on embedded links and who notifies your IT service desk about the email. This last point is key: educate your staff about how to report suspicious emails by posting the appropriate IT email address and phone numbers on a company intranet and by emailing regular reminders. Adding a phishing reporting button to your email system’s access toolbar is another way to simplify employee reporting.

Unfortunately, most employees, even if they realize they accidentally caused a breach or data leak, will fail to report that mistake to a superior because they are afraid of facing repercussions. This failure is one of the most direct ways that employees contribute to compromised security in their workplace.

So as part of this security training and reporting process, create room for employees to report their errors without fear of losing their jobs. The sooner a mistake is reported, the faster any danger it causes can be mitigated. It also will give your IT team or other responsible department the heads up to look for signs of attack or system access and help them prepare to deal with it.

Neglecting software updates

Updating company software with manufacturer-provided updates and/or patches to correct security vulnerabilities and exploitable bugs is a vitally important but frequently neglected step. Attackers keep on top of the latest reports about known vulnerabilities in popular software, so IT departments need to stay ahead of them by protecting company systems and installing the fixes.
The National Institute of Standards and Technology (NIST) advises setting devices, including any mobile devices that access the corporate system, to automatically update operating system software and any other programs. Staff working remotely should also regularly apply security updates to their routers to protect against external threats—it’s also how they are accessing company data. Make sure your remote employees know how to update routers and company-provided devices, and send reminders about how and when to do so.

Unauthorized system access

Because phishing attacks and other social engineering campaigns are so often successful, companies need to protect their networks from access by unauthorized users. Set up multifactor authentication (MFA) on all computer systems and networks. This requires employees to use passwords that they must regularly update as well as undergo an additional identity authentication step, such as entering a code sent to a separate device, before they are allowed entry. This prevents hackers from using compromised passwords to log in to your system.

It’s when you’re attacked, not if

These steps—educating staff on proper email procedures; instituting company-wide security awareness training that includes phishing exercises, clearly defined ways to report an attempt, and ways for employees to admit they may have committed a security lapse; keeping software updated and patched; and requiring MFA—are only four of many ways to prevent cybersecurity workplace mistakes. Others include:

• Securing all mobile devices that have access to corporate systems
• Investing in tools such as firewalls, antivirus software, and data encryption
• Always backing up and duplicating data so you can retrieve it if/when you are subject to a ransomware attack
• Creating an incident response plan and training staff on how to follow it

Published June 30, 2023

Skip to content