How to Reduce Security Risks Created by Your Employees

Posted by TEAM ASCEND on 2/21/18 12:00 AM

How often does the average person think about cybersecurity?

For most people who don’t work in the technology industry or have never experienced a data breach, probably not very often.

This lack of cybersecurity awareness is having a major impact: 90% of cyberattacks are caused by human error. Although this statistic highlights how unprepared most of us are for the online threats we face daily, there’s another way to look at it. Most businesses are still in the early stages of prioritizing and putting resources toward cybersecurity. If 90% of data breaches are due to human error, then 90% of these breaches can be prevented. When everyone — not just IT professionals — learns to take cybersecurity seriously, we can collectively work toward reducing the number of preventable incidents.

If you want to begin improving cybersecurity awareness at your office, start by learning about the following ways you or your employees might be putting your company’s security at risk.

Connecting to Public Wi-Fi Networks

According to CompTIA, 94% of employees connect their laptop or mobile device to public Wi-Fi networks. This is a dangerous habit that opens your organization to a host of potential threats. Public Wi-Fi is designed to let anyone connect to the internet. Unfortunately, that same open access gives criminals an easy way to find new victims.

Norton provides examples of the types of attacks that can happen from using public Wi-Fi:

  • Man-in-the-Middle attacks: Essentially, a MitM attack is a form of eavesdropping. When a computer makes a connection to the Internet, data is sent from point A (the computer) to point B (the service or website), and weaknesses in the network can allow an attacker to get in between these transmissions and “read” them.
  • Unencrypted networks: Most routers are shipped from the factory with encryption turned off by default, and it must be turned on when the network is set up. If an IT professional sets up the network, then chances are good that encryption has been enabled. However, there is no surefire way to tell if this has happened.
  • Snooping and sniffing: Cybercriminals can buy special software kits and even devices to help assist them with eavesdropping on Wi-Fi signals. This technique can allow the attackers to access everything that you are doing online — from viewing whole webpages you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials, and even hijack your accounts.
  • Malicious hotspots: These “rogue access points” trick victims into connecting to what they think is a legitimate network because the name sounds reputable. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information.

Many employees head to coffee shops after work or on the weekends to get work done, providing a gold mine for cybercriminals. What should your employees do?

Norton recommends the following:

Do:

  • Disable file sharing on your device
  • Only visit websites that have HTTPS encryption
  • Log out of accounts when you’re done
  • Use a VPN to make sure your public Wi-Fi connections are made private

Don’t:

  • Allow your Wi-Fi to auto-connect to networks
  • Log into any account via an app that contains sensitive information (instead, go to the website and verify it uses HTTPS before logging in)
  • Leave your Wi-Fi or Bluetooth on if you are not using them
  • Access websites that hold your sensitive information, such as financial or healthcare accounts
  • Log onto a network that isn’t password protected

Not Using Unique Logins

Remembering a few passwords is tough enough; memorizing a unique login for each online account you have is nearly impossible. According to Dashlane’s password overload study, the average number of accounts registered to one email address in the United States is 130. That’s why only 34% of employees have at least 10 unique logins to remember. If an employee uses the same email and password combination across accounts and one account is hacked, all of that employee’s other accounts are open to compromise, too.

According to Emmanuel Schalit of VentureBeat.com, this is what you can do to help your employees have better login security:

  • Educate employees: Educate employees on how to identify a potential security breach, how to generate strong passwords they can use and remember, and how to manage them safely.
  • Be transparent about security: Be proactive and transparent about your company’s security policies and infrastructure. Consider sending a company-wide incident report to raise employee awareness, and/or having regular training sessions or town hall meetings where you educate employees about your current security policies.
  • Provide a password manager: To help your employees store, manage, and secure the passwords to their accounts, provide them with a password manager. Password managers help combat insecure password sharing, password overload, and manually generated weak passwords. Make it clear to your employees that this is also a benefit for them, as they can use it to manage their personal credentials.

While these steps may sometimes feel inconvenient, they will be worth the effort down the road, when your firm doesn’t have to deal with the fallout of a cybersecurity breach.

Lacking Cybersecurity Training

Most people have never completed any type of cybersecurity training. It’s crucial to provide this type of education to your employees if you’re serious about reducing the risk of incidents at your organization. Yes, you may hear a few groans from your employees when you tell them they need to complete the training, and yes, the information presented can feel like common sense, but if it can help prevent a data breach at your company, why not do it?

CompTIA’s Trends in Information Security Study reveals that 45% of employees receive no cybersecurity training from their employers. While you may think your employees are getting by just fine without training, Dell’s End-User Security Survey should make you think twice. According to the survey, 72% of workers are willing to share confidential company information without regard for proper data security protocols.

Even more concerning, the survey revealed unsafe data practices:

“Forty-six percent of employees admitted to connecting to public Wi-Fi to access confidential information, while 49% admitted to using a personal email account for work tasks. The survey found 35% said it was common to take corporate information with them when leaving a company.”

To employees, these actions feel harmless. What they don’t realize is that these simple tasks could potentially take down an entire business. Matt Hamblen, Senior Editor of Computerworld, spoke with Avivah Litan, a security analyst at Gartner, who shared how cybersecurity training is helping companies:

“When it is instituted, it really makes a huge difference,” Litan said in an email. She said she used to be cynical about the impact of these training programs, but has become convinced recently about how effective they can be. She wrote a blog in December describing how one Midwest energy firm had seen an almost 80% reduction in security incidents after training.

How do you get started implementing cybersecurity training into your business? The National Cybersecurity Alliance recommends talking frequently with your employees about:

  • Rules for keeping a clean machine, including what programs, apps and data workers can install and keep on their work computers;
  • Best practices for passwords, including making them long and strong, with uppercase and lowercase letters, numbers and symbols, and changing them routinely;
  • Not clicking on suspicious links in email, tweets, posts, online ads, messages or attachments—even if they know the source;
  • Remembering to back up work, based on the policies of each company;
  • Speaking up if they notice strange happenings on their computer.

If you want to take it a step further, there are more organized ways to approach employee cybersecurity training, like the Personally Identifiable Information (PII) Training available through Ascend.

Your employees are the biggest cybersecurity risk factor for your business. If businesses can start putting time aside to encourage better cybersecurity practices, we can start to put this era of constant data breaches behind us.

Written by Nik Vargas

Posted in Phishing and Security Awareness, Cybersecurity