Every recent study of security vulnerabilities has come to the same conclusion: The human factor is a greater risk to organizations than flaws in technology.
And that, most experts agree, is in large measure due to a lack of security awareness -- people are either unaware of increasingly sophisticated threats, or they get careless.
There is, of course, no such thing as 100% security. But it could be a lot better if workers at every level, in every organization, avoided the common security awareness mistakes listed below.
The list was generated with the help of several security experts, who also offered advice on how organizations can minimize or even eliminate them:
1. Falling for phishing: One of the most common mistakes. It can include clicking on malicious links or attachments in phishing emails, on social media sites like Facebook and Twitter or even "ads" on websites that look legitimate. Criminals have gotten much better at making them look authentic, as if they come from a friend, family member or major, established companies like those that ship products to your home.
The fix: Train employees -- regularly -- to be skeptical of everything, and to click only on links that they are certain have come from a trusted sender. Organizations should run their own "sting" operation, to see how many employees are fooled by an in-house phishing attack. It will raise the awareness of workers who fall for it.
David Monahan, research director, Security and Risk Management at Enterprise Management Associates, warns that even emails from what appear to be trusted friends or family members can be fake.
"Does it seem out of character for them? If so, don't click it," he said.
Also, any email that asks you to "verify" your credentials is likely malicious. If you think it is worth checking, call the company or go to its website.
Dave Frymier, CISO at Unisys, added that there are plenty of security awareness products on the market to help with training.
2. Unauthorized application or cloud use, known as shadow IT: Dan Lohrmann, chief strategist and CSO at Security Mentor, said this includes posting private, or uncontrolled, data to the cloud.
Frymier agrees. "This comes in a lot of forms," he said. "Anything from installing 'gotomypc' to buying cloud virtual machines and using them for corporate purposes. It amazes me how people can do these things without realizing the dangers."
The fix: Give users a sanctioned alternative instead of a flat prohibition. "For example, offer a reasonable cloud storage solution that is approved, rather than just saying no."
3. Weak or misused passwords: It doesn't take an expert to know that using a default or simple password is like leaving the company door unlocked. But misuse also includes using the same password for multiple sites and sharing them with coworkers.
"Because everything demands a password we tend to do a lot of credential duplication between our various sites," said Monahan. "It goes back to ease of use.
"But this is a critical and sometimes tragic error. Many crucial accounts are hacked because an attacker gets access to email or some other seemingly innocuous account where users have reused their credentials with another far more sensitive account, such as banking or health care," he said.
The fix: Make it easier to manage multiple, complex passwords, to reduce the incentive to re-use them. Security and encryption guru and Co3 Systems CTO Bruce Schneier is among numerous experts who have recommended creating passwords by using the first letters of a phrase or sentence that is easy to remember, with a few numbers and/or symbols thrown in. He and others also recommend using a password manager -- there are a number available.
Two-factor authentication also improves security, especially for common apps such as Google Gmail or Facebook, experts say. So don't rely on a password alone.
Finally, don't share passwords with anybody -- that means anybody.
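The reuse problem Monahan describes is easy to check for once passwords live in a manager. The following is an added example, not code from the article or from any password-manager vendor: it reads a constructed CSV export (the column names site, username and password are an assumption modelled on common export formats) and reports which sites share a password and which use a factory default, comparing salted hashes so the report never has to carry the plaintext.

```python
"""Flag reused and default passwords in a password-manager export.

Added example, not from the article. The CSV layout (site,username,password)
is an assumption; adapt the column names to your manager's export.
"""
import csv
import hashlib
import io
import secrets
from collections import defaultdict

# Constructed sample export; every entry below is made up for this example.
SAMPLE_EXPORT = """site,username,password
mail.example.com,alice,Summer2015!
bank.example.net,alice,Summer2015!
forum.example.org,alice_w,Summer2015!
router.local,admin,admin
vpn.example.com,alice,Tm9ib2R5R3Vlc3Nlc1RoaXM=
"""

# Short constructed list of factory-default and trivially guessed passwords.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "welcome", "changeme"}


def fingerprint(password: str, salt: bytes) -> str:
    """Hash the password with a per-run salt so identical passwords can be
    grouped without the plaintext appearing anywhere in the report."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()[:16]


def audit_export(csv_text: str) -> dict:
    """Return {'reused': [[sites sharing a password], ...],
               'defaults': [sites using a known default password]}."""
    salt = secrets.token_bytes(16)
    sites_by_fingerprint = defaultdict(list)
    defaults = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sites_by_fingerprint[fingerprint(row["password"], salt)].append(row["site"])
        if row["password"].lower() in DEFAULT_PASSWORDS:
            defaults.append(row["site"])
    reused = [sorted(sites) for sites in sites_by_fingerprint.values() if len(sites) > 1]
    return {"reused": sorted(reused), "defaults": sorted(defaults)}


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    for site in report["defaults"]:
        print("default password on:", site)
```

Running it on the sample flags the one password shared by the mail, bank and forum accounts (exactly the email-to-bank pivot Monahan warns about) and the router still on its default; the per-run salt means the fingerprints are useless to anyone who later reads the output.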
4. Remote insecurity: This is the common practice of transferring files between work and personal computers when working from home, or allowing family members to use a work device at home. Frymier said it can also include backing up corporate data to a third-party cloud service.
This not only exposes the company to malware, but Monahan said it also "leaves data and data residue -- data left post deletion that can be retrieved with proper tools -- on an unmanaged system."
Beyond that, it can expose the user to legal troubles. If there is a lawsuit that involves e-discovery and attorneys find that an employee had any of the data in question on a personal device, "they can subpoena your system and all that is on it for review and associated scrutiny," Monahan said.
The fix: It ought to be company policy -- one about which employees get regular reminders -- that there needs to be authorization for corporate apps or files to be used on personal devices.
This is an area where technology can help: encrypting corporate data at rest on the device limits what an unmanaged or lost machine gives away.
Lohrmann added that, "good identity management systems can control user access and provisioning -- who can do what and when -- and reduce the number of passwords needed to access applications."
5. Disabling security controls: This is usually done by users with administrative privileges, to make things easier for employees to use, but it can have catastrophic consequences. Obviously, if a security measure is disabled, it offers no protection.
"This is huge," Monahan said. "The ongoing battle between security and usability is one of the biggest rubs."
The fix: Among other things, organizations should forbid web surfing from administrative accounts. If an employee does fall victim to malware while using an ordinary account, the malware is much less likely to obtain the privileges it needs to install itself or to persist.
Frymier said these days this is a problem any IT department should be able to prevent. "Most things in the anti-virus/malware and authentication world can be locked down so they can't be disabled," he said.
6. Clueless social networking: The advantage of social networking is that it allows the modern workforce to be much more collaborative and productive. But, among obvious risks is that confidential corporate information gets posted on networking sites or in the cloud, where it is beyond the control, or the protection, of the organization. Another is that employees fall for increasingly sophisticated social engineering attacks.
The fix: Regular training, which needs to go beyond lectures. As CSO has reported in the past, good training is not an event; it is a process that uses real-world examples.
7. Poor mobile security: In today's BYOD world it is almost impossible to eliminate spillover between the personal and the corporate. There are millions of devices in the mobile workplace, being used in coffee shops, on mass transportation and in other places with public Wi-Fi. Far too many of them are not protected by rigorous encryption or good mobile device management (MDM), and many are not even protected by a PIN.
The fix: Insist that employees have a PIN for their device. Teach them to be aware of their surroundings in public places -- coffee shops, airports, train stations, shopping malls and other areas where criminals can get personal or corporate information from something as low-tech as shoulder surfing. Make sure that corporate data is encrypted, end-to-end.
8. Too many privileges: "We see a lot of networks where some IT teams have set up a shared account with high privileges," said Eyal Firstenberg, vice president of research at LightCyber.
"This makes IT's job easier, but it also makes monitoring misuse of those high-privilege credentials impossible," he said, adding that a similar problem is giving too many privileges to application accounts that are only supposed to be used by specialized software. "These accounts are especially susceptible because they have privileges, and are hard to monitor," he said.
The fix: "Accounts, especially privileged ones, should be assigned to individuals, not departments," said Firstenberg.
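Shared credentials leave one observable trace: the same account authenticating from several places at about the same time. The following is an added example, not from the article or from LightCyber, showing the detection logic run over a few constructed auth log lines. The key=value line format, the account name svc_backup and the addresses are all assumptions; map the fields onto what your directory, VPN or SSO logs actually emit.

```python
"""Flag accounts authenticating from several sources inside a short window,
the footprint of a shared (often privileged) account.

Added example, not from the article. Log format, account names and
addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: svc_backup is used from three sources within minutes,
# jsmith logs in twice from one workstation hours apart (normal).
SAMPLE_LOGS = """\
2016-01-12T09:00:05 auth user=svc_backup src=10.0.1.10 result=success
2016-01-12T09:03:41 auth user=svc_backup src=10.0.2.25 result=success
2016-01-12T09:07:12 auth user=svc_backup src=192.168.5.7 result=success
2016-01-12T09:01:00 auth user=jsmith src=10.0.1.44 result=success
2016-01-12T13:30:00 auth user=jsmith src=10.0.1.44 result=success
2016-01-12T11:30:00 auth user=svc_backup src=10.0.1.10 result=success
2016-01-12T11:31:00 auth user=svc_backup src=10.0.9.9 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_successes(log_text):
    """Return (timestamp, user, source) tuples for successful logins, sorted by time.
    Failed attempts are ignored here; they belong to a brute-force detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return sorted(events)


def find_shared_accounts(log_text, window=timedelta(minutes=10), min_sources=2):
    """Return {user: {sources}} for every account seen from at least
    `min_sources` distinct sources within one sliding `window`.
    An account used from two places a day apart is not flagged."""
    per_user = defaultdict(list)
    for ts, user, src in parse_successes(log_text):
        per_user[user].append((ts, src))  # already time-ordered
    flagged = {}
    for user, events in per_user.items():
        for i, (start, _) in enumerate(events):
            sources = {src for ts, src in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sources
                break
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(SAMPLE_LOGS).items():
        print(f"{user}: used from {len(sources)} sources in one window: {sorted(sources)}")
```

The output names the account and the sources, which is exactly what you cannot do once the credential is shared: you know it was misused, but not by whom. Tuning is in the two parameters; a ten-minute window with two sources is aggressive and suits service and admin accounts, while user accounts that roam between Wi-Fi and VPN may need a longer window or an exemption list.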
9. Failure to update or patch software: One of the most common security mistakes, mostly the result of the "can't be bothered" syndrome. The risk is obvious -- it leaves devices exposed to new threats, whose creators are actively seeking targets before their window of opportunity closes.
The fix: This is as obvious as the risk -- install updates as soon as they are available, or if that's impossible, create a reminder to do it as soon as possible. Most take less time to install than a trip to the water cooler.
In general, the answer to most "lack of awareness" problems is obvious -- better awareness.
Joe Ferrara, President and CEO of Wombat Security Technologies, said organizations, "can reduce their risk of security infections between 45% and 70% by implementing effective security awareness training programs that include assessments, education, reinforcement, and measurement."