InfoSec Insider

Top Six Security Bad Habits, and How to Break Them

Shrav Mehta, CEO, Secureframe, outlines the top six bad habits security teams need to break to prevent costly breaches, ransomware attacks and prevent phishing-based endpoint attacks.

Cybercrime is on the rise, and attacks are getting faster, more nuanced and increasingly sophisticated. The number of cyberattack-related data breaches rose 27 percent in 2021 — an upward trend that shows no signs of slowing down.

Bad security habits, such as using the same password more than once may seem innocuous, but unchecked bad behavior or security habits can leave your organization open to a devastating breach.

Bad security habits cost businesses millions of dollars. Consider this, the average cost of a data breach reached $4.24 million per incident in 2021, the highest in 17 years.

If a hacker compromises your servers and steals confidential data, it could spell the end of your company. This list covers 6 of the most common bad security habits and how to fix them so you can protect your data and prevent malicious attacks.

1. Poor Password Hygiene

More than 60 percent of all data breaches involve stolen or weak credentials. Using the same password, sharing passwords, writing passwords down on sticky notes — as security leaders, we’ve seen the same terrible password practices for years. Don’t make attackers’ jobs easier!

Break the habit: Establish a company-wide password policy, use a password manager, and enable multi-factor authentication to reduce the risk of unauthorized account access. Your password policy should include guidelines on creating strong passwords, how often passwords should be updated, and instructions on how to securely share passwords between employees.

2. Convoluted Processes and Policies

From onboarding checklists to privacy policies, these documents should reflect how your team gets work done and be used during daily work — not drafted and then forgotten in a folder somewhere. You must think about these policies regularly and make improvements based on the challenges and risks observed.

Break the habit: Establish periodic policy reviews and acceptances for your team. Proactively ask for feedback to ensure the policies and processes reflect how your team actually gets work done and to garner company-wide buy-in.

3. Outdated Software and Non-secure Devices

Remote work has been a growing trend for years, but the last two years have seen a seismic shift in where, when, and how teams work together. For all its benefits, the rise of work from home also brings significant security challenges.

More people are using unsecured Wi-Fi, mixing work and personal devices, skipping regular data backups and software updates, etc. Being the weakest link that ultimately brings your company to its knees will not be an enjoyable experience.

Break the habit: Use a device management solution for automatic software updates and patches, establish a mobile device policy, and encourage staff only to use company devices and a secure VPN to access sensitive data.

4. Lack of an Internal Audit Program

Even if you’ve established appropriate security policies and procedures, you must treat them as living documents. Continuous testing and regular internal audits are essential to understanding how your security program is maturing (or not) and staying aware of emerging and escalating threats.

Break the habit: Create an internal audit program to review your security posture at least annually and identify opportunities for improvement. This will also ensure you stay aware of any changes to the threat landscape that you need to address.

5. Untrained Staff

Phishing and malware are some of the most common sources of security incidents, including ransomware! Train staff on security best practices regularly and ensure everyone knows security is a company-wide priority.

Break the habit: Conduct security awareness training at least annually. Randomly and periodically test your employees/users to ensure they stay aware of and follow best practices.

6. Complacency

Too many organizations believe that a breach or security incident won’t actually happen to them. Security and compliance is not just a concern for the IT department. Everyone across the organization — from the executive team and board of directors to the newest employee hire — should understand the threats facing the business and their roles and responsibilities in keeping customer and company data safe.

Break the habit: Make the effort to create a culture that prioritizes security and understands its importance. Ensure all employees understand their roles and responsibilities regarding keeping customer and business information safe and clearly communicate the benefits of following established policies and procedures.

Most security threats and risks are systemically preventable and can be addressed through common-sense approaches, continuous compliance testing, assessments, audits, and measurement. The more you can train your employees on these practical approaches, the more likely they will be able to successfully avoid a costly data breach or security incident.

Shrav Mehta, CEO, Secureframe, an automation compliance platform.


Suggested articles

Securing Your Move to the Hybrid Cloud

Infosec expert Rani Osnat lays out security challenges and offers hope for organizations migrating their IT stack to the private and public cloud environments.