Sign up to our newsletter
When it comes to data security, attackers continue to exploit the biggest weakness of all – people. We look at 11 security mistakes humans continue to make on a daily basis.
1. Poor patching
The sad reality is that most data breaches owe not only to a human mistake, like clicking on a malicious link, but also to a computer system that is running on outdated software.
For instance, attackers routinely exploit flaws in Microsoft Office and Adobe Player that have not been fixed, in order to find their way onto users’ PCs. Other more advanced attackers, will leverage so-called ‘zero-day’ flaws for which there is not yet a patch published.
Patch management remains a bane for many users, including enterprise system administrators, but the good news is that it is now getting easier. Microsoft is making Patch Tuesday a thing of the past with Windows while most mobile operating systems, including Android and iOS, now have an auto-update feature for mobile applications so users don’t have to do anything.
2. Too trustworthy
People are still too trusting in the digital world. We may have got better at ignoring unsolicited calls and text messages as well as salesmen at our front door, but we are still opening emails and links from people we don’t know.
Too often people open these emails and download attachments – some of which may have been weaponised with malware, or alternatively click to open shortened links on Twitter, LinkedIn or Facebook. Some of these sometimes redirect to compromised websites.
3. Reusing passwords
The biggest faux-pas computer users continue to make is weak and/or reused passwords, which can be cracked by attackers with brute force attacks.
Passwords are a pain to manage – one study revealed that, in the UK alone, the average person has passwords for 19 different accounts.
The rise of password managers and biometrics has alleviated some of these problems, but password security is likely to continue to be a problem for some users.
4. Oversharing on social media
Generations Y and Z are on Twitter, Facebook, Instagram and other social platforms on a daily basis, as well as WhatsApp, Viber and likeminded instant messaging services.
These younger generations are sharing almost every intricate detail of their lives online, leading to the possibility that this information is intercepted, stolen or simply sold onto nefarious actors.
Additionally, this information can be sold to third-party marketers, while cyber-criminals will likely use the same publicly-available information for social engineering attacks like phishing emails and links.
5. No security solutions
Anti-virus has changed and evolved in recent years, and its goal is to proactively detect and remove viruses, Trojans, worms and other types of malware in order to keep you safe.
Yet some people still don’t have a security solution, even though is one of the first line of defense together with ‘good practices’ and keeping systems up-to-date.
6. ‘It won’t happen to me’
One of the biggest problems people have with information security is not something they ignore, like patching or downloading a security solution, but rather the perception they are not the intended target.
Individuals and businesses continue to take the approach of ‘it won’t happen to me’, ignore essential security practises and thus express surprise when they lose data, money or information as a result of a hack.
7. Leaving devices unattended
A simple mistake many of us continue to make is leaving desktop computers or laptops unattended and unlocked. The same also applies to personal devices like smartphones and tablets.
The biggest risk of course is the theft of the device, but unlocked devices could also leave users exposed to data theft or ‘shoulder surfing’ spying.
8. Browsing on unsecured connections
We all demand free Wi-Fi anywhere we go, whether that’s so we can surf the web, check-in on Twitter or Facebook, buy products online, monitor our online banking or make a VoIP call.
But sometimes we connect to insecure and open Wi-Fi hotspots, like at coffee shops for example. This Wi-Fi is open, not password protected, and visits to unencrypted HTTP (those not HTTPS) websites can potentially allow for an attacker to conduct a Man-in-the-Middle (MiTM) attack to sniff all web traffic and steal information, like passwords for online banking. If you’re going to be dealing with sensitive materials online, it’s always best to always use your secure home WiFi connection.
9. Ignoring SSL certificate warnings
Ever visited a website only to be greeted by a security warning that it was an unsafe connection? You probably have at some point, and might well have continued onto that unsafe website.
This means that the SSL certificate is either invalid or has expired, making the connection unsafe and more likely to be compromised by a third-party.
Indeed, researchers at Carnegie Mellon University said back in 2009 that digital certificate warnings in web browsers are not an effective security measure, with many ignored. Google recently redesigned its security warnings after finding that Chrome users ignore 70% of warnings.
10. Downloading apps from third-parties
It’s less common now, but some smartphone and tablet owners do still download applications from third-party websites and application stores, and this represents a massive risk.
Some of these stores contain applications that are malicious or which appear legitimate, but which have in fact been repackaged with malicious code.
11. Rooting/Jailbreaking mobile devices
Some iOS and Android owners like to jailbreak/root their devices to free themselves from the shackles of Google and Apple respectively, but this too represents a security risk.
Jailbreaking or rooting devices can cause some apps to crash and behave unusually, whilst also making outside attacks much more likely. If it’s an iPhone or iPad you’re tampering with, jailbreaking will also void Apple’s warranty.
Author Editor, ESET