In a perfect world, employees would have excellent cybersecurity habits and never put the company’s network or data at risk.
This isn’t a perfect world, however, and the reality is employees do a lot of things that mess with a CISO’s on-the-job sanity.
According to a survey commissioned by Sungard Availability Services, IT professionals see security as a serious threat to the organization, and this is largely due to employee behavior (or misbehavior).
The worst security offense, according to the 276 IT professionals who responded to the survey, is carelessness surrounding mobile devices, followed closely by poor password management. Both issues can easily lead to the type of data breach that could cost a CISO his or her job.
So, that being said, here are ten surefire ways to mess with your CISO and put your company’s important information at risk!
1. Leave your laptop in your car. Or forget your smartphone at the airport security line. Or run for a refill of coffee while your table sits unattended. Any time you put your device in a situation where it can be easily stolen, you are putting the corporate network and data at risk. Unfortunately, too many users don’t enable the privacy settings on their devices, so when a device is lost or stolen, everything on it is readily available to the new “owner.”
2. Share passwords. More than fifty percent of the IT professionals surveyed for the Sungard Availability Services study said password sharing was one of their top security concerns. There are two different, but very important, password sharing concerns. First is sharing a single password among multiple sites or access points. If someone guesses that password, they will gain access to a lot of bonus material because of employee laziness. Second is sharing a password with your co-workers. Edward Snowden was able to gain access to many unauthorized sites because fellow employees shared their passwords with him.
3. Use weak or lazy passwords. While passwords aren’t the most sophisticated security barrier, they are going to continue to be the first point of authentication for a long time. But too many employees continue to be lazy when they create passwords, coming up with codes that are easy to guess. IT professionals would be thrilled if employees would quit using passwords that rely on consecutive keyboard strokes (like qwerty or 12345) and would start developing strong passwords that get changed on a regular basis.
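A small policy check for the “consecutive keyboard strokes” pattern the article calls out (qwerty, 12345), written here as an added example rather than anything from the original article; the QWERTY row layout, the 12-character minimum and the repeated-character rule are assumptions for the illustration.

```python
import re

# Rows of a US QWERTY keyboard; a constructed lookup for this example, not from the article.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed policy minimum, not a value stated in the article


def _walk_chunks(length):
    """Every run of `length` adjacent keys on one row, forwards and backwards."""
    chunks = set()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - length + 1):
            chunk = row[start:start + length]
            chunks.add(chunk)
            chunks.add(chunk[::-1])
    return chunks


def keyboard_walk(password, length=4):
    """Return the first run of `length` consecutive keyboard strokes found, or None."""
    pw = password.lower()
    chunks = _walk_chunks(length)
    for i in range(len(pw) - length + 1):
        if pw[i:i + length] in chunks:
            return pw[i:i + length]
    return None


def check_password(password):
    """Return a list of policy findings; an empty list means the password passed."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    walk = keyboard_walk(password)
    if walk:
        findings.append(f"contains keyboard walk '{walk}'")
    if re.search(r"(.)\1{2,}", password):  # same character three or more times in a row
        findings.append("repeats the same character three or more times")
    return findings


if __name__ == "__main__":
    for candidate in ("qwerty12345", "P@ssw0rd!!!!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```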
4. Forget to shut the door on the way out. Physical security doesn’t get enough attention, but IT professionals were very clear about how much of an issue inadequate building security can be. An unlocked outside door or not having a way to monitor visitors to the facility can leave computers, server rooms, networks, and even filing cabinets at risk of being exposed to the wrong person.
5. Ignore company security programs. This falls on the shoulders of IT staff and CISOs themselves, but by not enforcing strong security programs, employees aren’t going to take the steps necessary toward better security behaviors. So be sure to make it easy on employees: share quick links to security policies, send lots of reminders and “how to’s,” and make sure people understand the information you provide.
6. Take the bait. Phishing scams have been around from the time ordinary people began communicating on the Internet. Despite better awareness of how dangerous a phishing scam can be and repeated reminders of steps to take to make sure attachments and links are legitimate, employees continue to spread malware through the company network because they can’t resist the bait.
7. Engage in anti-social media. Who doesn’t love to waste some time during the day checking Facebook and Twitter and Pinterest? CISOs don’t love when employees do it because social media is a hot spot for embedded malware and click bait links that direct users to dangerous sites. Also, social media users have been known to put sensitive corporate information on their walls, creating a security problem.
8. Patch things “later.” Half of IT professionals believe that out-of-date security patches are a serious security problem, and it is no wonder why. Patches are issued to fix specific vulnerabilities and security issues in an operating system or software application, but too many employees will click the “remind me later” button when prompted to download the patch.
9. Expose sensitive data for all the world to see. How many of the most recent high-profile breaches involved the compromise of unencrypted data? The answer: too many. When employees aren’t utilizing encryption processes, it puts sensitive data at risk if the network is hacked. In turn, it causes panic among millions of consumers who find out that their Social Security numbers and birth dates are suddenly available for sale on black markets.
10. Exploit shadow IT. Unauthorized use of cloud applications, software, external hard drives, and mobile devices might make life easier for the employee, but it can be a nightmare for the CISO who has to provide security for a multitude of unknown end points.
There you have it: 10 ways to seriously mess with your CISO (and endanger your company as part of the bargain)!
This article was originally posted on Forbes.