Despite companies spending billions of dollars on information security technology, it turns out that the greatest threat to their security may be you -- their clueless employee.
Granted, employees' actions are not usually malicious; more often, security experts say, it is a case of boneheaded maneuvers.
Even so, employees as a group account for a large share of the confidential data loss at companies, according to a recent study. Of the 5,564 IT professionals queried in the Global IT Security Risks Survey by Kaspersky Lab and B2B International, 73% had been affected by internal security incidents, and employees were the largest single source of that confidential data loss, accounting for 42% of the incidents.
"It is staggering how often this happens," said Andrey Pozhogin, senior product marketing manager from Kaspersky, in reference to the frequency of employees creating this data loss.
Rob Sadowski, technology solutions director at RSA, the security division of storage titan EMC, noted, "End users are the front line of defense. The first stage of an attack is to gain a foothold in the organization. It's not to circumvent (the security system in place) but to gain access…Once access is gained, then the attack begins and it's off to the races and the threat spiders out."
So what are companies doing to educate their employees on security issues, given that they are the first line of defense? An estimated 75% of companies with more than 100 employees have some sort of training, said Chester Wisniewski, a senior security advisor at security firm Sophos. That training ranges from choosing a strong password to recognizing phishing attacks, in which an attacker tries to lure a user into clicking a link to a malicious website or opening an attachment carrying malicious code, such as software that logs the user's keystrokes.
Wisniewski added that, generally, the larger the company, the more extensive the training program. The industry a company is in also makes a difference, he noted: even small companies in the tech sector usually have some form of security training.
That said, Wisniewski noted, "A lawyer, an accountant, or someone in marketing will...never be computer nerds." With that in mind, here are 10 boneheaded moves to avoid so you don't become the weakest security link at your company. Are you guilty of any of these missteps? Did we leave any out? What are you doing at your company to minimize potential security risks? Let us know in the comments.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...