10 Outdated Workplace Cybersecurity Practices
- Cayley Wetzig, Head of Marketing Communications
The cybersecurity landscape is ever-changing. The more technology evolves, the more we have to keep up with the issue of cyber attacks and cybersecurity. We also need to keep our workforce continually updated on the evolving tools and processes used to protect our businesses.
So, what used to be perfectly good cyber security practices a decade ago may not be sufficient to protect us from a breach today; worse still, they could put you at greater risk of one.
Outdated Cybersecurity Practices to Avoid
While it’s true that some things never change, like the importance of identity, privilege, and asset management, these are only exceptions and not the rule. Most of the time, you may be surprised to find that you’re doing your business more harm than good by inadvertently following these outdated cyber security practices in the workplace.
1. Thinking Your Business is Too Small to Be a Target
Size doesn’t matter when it comes to cyber-attacks. You’re only fooling yourself if you think your business is too small a target to be worthwhile. The reality of the situation is that everyone can be a target, and small businesses are at even greater risk since the COVID-19 pandemic.
SMBs relying on their size to evade cyber-attacks may find themselves in deep trouble when one does occur. This is mainly due to the fact that most SMBs won’t have had the necessary infrastructure to deter or at least minimize the risk and impact, and the organization’s employees are unlikely to have had training to combat cyber attacks.
Ultimately, the outcomes for SMBs that fall victim to an attack are not good. According to Security Magazine, nearly two-thirds of small businesses that fall victim to a data breach will permanently close within 6 months.
2. Relying on Outdated Cybersecurity Tools
A perimeter firewall and antivirus software were the go-to tools for any cybersecurity expert back in the day. These days, however, this software has become only one part of a strong cybersecurity defense. In fact, 73% of hackers say that traditional firewalls and antiviruses are irrelevant or obsolete.
While these measures will certainly help to bolster your defenses against threats, they’re not enough in isolation. If you’re currently using these measures in isolation, you’ll want to identify your security weak points so that you can invest in more up-to-date technology, to either provide additional layers of security or replace them entirely.
3. Downloading Software from the Source
It used to be the case that our software would come on a CD from a retail store or directly from the manufacturer. These days, commercial apps (like Microsoft Office) have two sources. You either get them directly from the manufacturer or from an established app store.
Downloading apps directly from the manufacturer assures that the software is genuine. This also ensures that the software hasn’t been tampered with.
However, installing that same app from an established app store may have some advantages. You may find it easier to deal with compatibility issues. Also, you won’t have to look for app updates since they’ll be automatically available.
4. Ignoring Software Updates
Updating software can be a hassle. It can be both time-consuming and expensive — but ultimately worthwhile. This is because software updates often come with security updates for that software.
Attackers know of — and rely on — people’s aversion to software updates. Once they get information on a software update, they’ll then try to hack users between the time the update became available and the time users actually installed those updates.
An example can be seen in zero-day vulnerabilities, which are vulnerabilities that were previously unknown and have been exposed, but have not yet been fixed. Windows had four such vulnerabilities in 2022, which highlights the need to install patches as soon as they become available.
Ignoring these updates can allow hackers to exploit known vulnerabilities that should have already been addressed. When a zero-day vulnerability is found, hackers are usually not far behind with their exploits.
5. Frequently Changing Passwords the Wrong Way
Changing passwords regularly is sound advice when it comes to cybersecurity. An ever-changing password makes it harder for hackers to crack. However, this only works if you’re doing it correctly.
People required to change their passwords frequently tend to create easy-to-remember passwords. They don’t want to risk forgetting the new password that they’ve chosen, so they’ll make very simple changes. For example:
- “123456” may be changed to “1234567”
- “password” may be changed to “password123”
Seems unrealistic? It’s not – around 23 million people are still using the password “123456.” This, and variations of it, can be cracked by hacker’s software in under a second.
This tendency to rely on simpler (easily-hackable) passwords is usually due to burnout and the inconvenience of being locked out of a system that wants a new password. And when hard-to-remember passwords are created, they’re often forgotten because of the frequency that they’re being changed.
There are two ways around this problem: either train employees to change their passwords ONLY when they believe their account has been breached, or implement the use of a company-issued password manager.
6. Only Relying on Two-factor Authentication
On the topic of password security, it’s highly likely that you’ve used or are using two-factor authentication (2FA). It acts as a second layer of defense against would-be hackers who somehow gain access to your username and password.
Most companies implement one-time authorization codes (OTAC) to provide 2FA. The problem is that advanced phishing attacks actually target OTAC.
To prevent this, your company can opt for multi-factor authentication (MFA) instead. MFA usually involves factors such as knowledge (something only the user knows), possession (something only the user has), and inherence (something the user and only the user is).
7. Focusing Solely on Technology
A chain is only as strong as its weakest link. When it comes to cybersecurity, that weakest link is the human element. Locking down your cybersecurity with million-dollar tech won’t matter if your employees open the gate from the inside.
Verizon’s 2021 Data Breach Investigations Report highlights how in the two years between 2018 and 2020, incidents resulting from insider threats spiked by almost 50%. This includes incidents, for example, where an employee, former employee, or other person with premises access might deliberately – or unintentionally – reveal company data or give systems access to a malicious third party. Often, the breach is purely for personal financial or career gain.
Company cybersecurity has to be everyone’s concern. Everyone involved, from rank-and-file to the CEO, has to be aware of the best cybersecurity practices. Cybersecurity awareness training can help you to educate your employees on the risks of insider threats, among other cyber threats, plus the social engineering attacks that can often lead to them.
While software can help, you’ll still need comprehensive education for your workforce so that they understand the why behind each decision. You can limit employees’ access to sites, but they’ll bypass those prohibitions with a VPN if they don’t understand WHY certain websites are prohibited.
8. Reversing What Employees Learned at a Corporate Training Session
Let’s say your company does train its employees in cybersecurity; are you sure they’re using up-to-date practices? The problem with corporate training sessions is that employees can miss a lot of information simply by missing a single training session.
If you’re not clearly outlining changes to existing policies, some employees may not know about some of those changes and continue using outdated cyber practices. Employees may become confused or frustrated and instead resist the current policies if they weren’t made aware of such changes.
9. Making Everything too Complex
“Sometimes less is more.”
This is especially true in cybersecurity. A simpler infrastructure means implementing only the most important features. This can help ensure that new applications work well with the rest of the tools in your business.
This also carries through to your threat response procedure. Keeping things simple here means trained employees will find it easier to report attempted attacks once a possible threat has been identified.
Conclusion
As technology evolves, cyberattacks and cybersecurity are constantly looking to gain the upper hand over the other. What was perfectly good cybersecurity advice a decade ago may no longer apply today. Protect your company by avoiding the outdated cyber security practices and tools that could expose you to greater risk.
- Never think that your business is too small
- Bolster traditional cybersecurity software with the latest tools
- Consider downloading software from established app stores
- Never ignore software updates.
- Choose strong, secure passwords, and use a password manager
- Make use of MFA when protecting your accounts
- Utilize cloud-hosted servers for resiliency
Cover all bases by investing in employee cybersecurity training and employing outside help to secure your organization. Outline any changes made to cyber security practices. And remember to keep everything as simple as possible.
ThriveDX offers award-winning training solutions that train your employees on the most current cybersecurity threats and help reduce the amount of obsolete cyber security practices. Learn more today.
Protect Your Organization from Phishing
Explore More Resources
- Article, News
- Article, News
- Article, Blog
- Article, Blog
Your Trusted Source for Cyber Education
Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.
