Six bad security habits and how to break them
A useful reminder from Shrav Mehta, CEO of Secureframe, about six bad habits we all need to break to keep our organizations safe and secure. So much in security is about simply getting the basics right.
1. Poor Password Hygiene
We all know the problem, and most of us are guilty to some extent of reusing passwords, or trivial variations of them, across accounts, and of not changing them when we should.
Break it: If you aren't already, use a password manager; with a unique, generated password for every account, most of the problem goes away, and multi-factor authentication limits the damage when one still leaks. Create a company-wide password policy, but make sure it is usable and realistic: favour length and uniqueness over complicated character rules, check new passwords against known-breached lists, and force a change when there is reason to believe a password has been exposed rather than on a fixed calendar. A policy people cannot live with is a policy they will work around.
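The "versions of them" problem is the part a naive length-and-complexity rule misses: Summer2023! becoming Summer2024!! satisfies every composition rule and changes nothing. The check below is an added example, not code from the article or from Secureframe; it normalizes a candidate password (strips the digits and symbols people bolt onto the ends, undoes common letter substitutions) and rejects it if the result is a known breached password or a trivial variant of one the user has already used. The breached-password set is a constructed sample; a real deployment would load a large corpus such as the Pwned Passwords list (an assumption, not something the article specifies).

```python
import re

# Constructed sample of a breached-password list (assumption: in production
# this is loaded from a large corpus, not hard-coded).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "summer2023"}

MIN_LENGTH = 12  # length, not character classes, is the usable rule

# Common "leet" substitutions that do not add real entropy.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

REASON_SHORT = "shorter than %d characters" % MIN_LENGTH
REASON_BREACHED = "resembles a known breached password"
REASON_VARIANT = "trivial variant of a previous password"


def normalize(pw: str) -> str:
    """Reduce a password to its alphabetic core so trivial variants compare equal.

    Summer2023!  -> summer
    P@ssw0rd1234 -> password
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)  # strip leading/trailing digits and symbols
    core = core.lower().translate(_LEET)              # undo common substitutions
    return re.sub(r"[^a-z]", "", core)                 # drop whatever non-letters remain


def is_variant(candidate: str, previous: str) -> bool:
    """True if one password's core is contained in the other's (and is not tiny)."""
    shorter, longer = sorted((normalize(candidate), normalize(previous)), key=len)
    return len(shorter) >= 4 and shorter in longer


def check_password(candidate: str, previous_passwords: list) -> list:
    """Return a list of reasons the candidate is rejected; empty means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if candidate.lower() in BREACHED or normalize(candidate) in BREACHED:
        reasons.append(REASON_BREACHED)
    if any(is_variant(candidate, old) for old in previous_passwords):
        reasons.append(REASON_VARIANT)
    return reasons


if __name__ == "__main__":
    history = ["Summer2023!"]
    for pw in ["Summer2024!!", "P@ssw0rd1234", "correct horse battery staple"]:
        verdict = check_password(pw, history) or ["ok"]
        print("%-32s %s" % (pw, "; ".join(verdict)))
```

Storing a history of previous passwords for this comparison means storing secrets; keep it as salted hashes of the normalized core, or keep only a short rolling window, and treat the store with the same care as the credential database itself.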
2. Convoluted Processes and Policies
The trouble with documents like onboarding checklists and privacy policies is that they grow over time. No one ever edits them down or checks how much is still relevant and necessary. Make security a pain to follow and people will simply find ways around it.
Break it: Set a calendar reminder to review and trim them. Get feedback from the people who actually have to follow them, and act on it.
3. Outdated Software and Non-secure Devices
The pandemic has accelerated the shift to home working, and with it an extension of the network and a plethora of potentially insecure devices attaching to it. Home networks do not have to be less secure – but they tend to be by default.
Break it: Set rules for staff that are workable but safe. Remind them that software updates remain important (turn on automatic updates wherever possible), and make sure they access sensitive data only over a company VPN, ideally with multi-factor authentication, rather than directly from the home network.
4. Lack of an Internal Audit Program
Policies and rules are one thing, but actually knowing what is on your network is another. You need as much visibility as possible into what is really going on: which devices and accounts exist, who has access to what, and whether the controls you believe are in place actually are.
Break it: Stay up to date with evolving threats, but at least once a year take a deeper look at your organization and its security posture, and check the findings against the last review so you can see whether things are actually improving.
5. Untrained Staff
Phishing remains the main way in for most attackers, and the bad guys are getting better and better at creating very convincing fake emails. Staff need training the minute they join and start using company systems, not three weeks later.
Break it: Staff need effective training, not "box ticking". But they also need an atmosphere where they are not afraid to put their hand up if they see something suspicious or think they may have made a mistake; a phishing click reported within minutes is a minor incident, one hidden for days is not.
6. Believing It Won't Happen to You
Despite the headlines, too many organizations still believe that a breach or security incident won't happen to them. You need everyone, from the board downwards, to understand that the threat is real.
Break it: Build a culture that prioritizes security and understands its importance. Ensure all employees understand their roles and responsibilities for keeping customer and business information safe, and clearly communicate the benefits of following established policies and procedures.