Every recent study of security vulnerabilities has come to the same conclusion: The human factor is a greater risk to organizations than flaws in technology.
And that, most experts agree, is in large measure due to a lack of security — people are either unaware of increasingly sophisticated threats, or they get careless.
There is, of course, no such thing as 100% security. But it could be a lot better if workers at every level, in every organization, avoided the common security awareness mistakes listed below.
The list was generated with the help of several security experts, who also offered advice on how organizations can minimize or even eliminate them:
1. Falling for phishing: One of the most common mistakes. It can include clicking on malicious links or attachments in phishing emails, on social media sites like Facebook and Twitter or even "ads" on websites that look legitimate. Criminals have gotten much better at making them look authentic, as if they come from a friend, family member or major, established companies like those that ship products to your home.
The fix: Train employees — regularly — to be skeptical of everything, and to click only on links that they are certain have come from a trusted sender. Organizations should run their own "sting" operation, to see how many employees are fooled by an in-house phishing attack. It will raise the awareness of workers who fall for it.
David Monahan, research director, Security and Risk Management at Enterprise Management Associates, warns that even emails from what appear to be trusted friends or family members can be fake.
"Does it seem out of character for them? If so, don't click it," he said.
Also, any email that asks you to "verify" your credentials is likely malicious. If you think it is worth checking, call the company or go to its website.
Dave Frymier, CISO at Unisys, added that there are plenty of security awareness products on the market to help with training.
2. Unauthorized application or cloud use, known as shadow IT: Dan Lohrmann, chief strategist and CSO at Security Mentor, said this includes posting private, or uncontrolled, data to the cloud.
Frymier agrees. "This comes in a lot of forms," he said. "Anything from installing 'gotomypc' to buying cloud virtual machines and using them for corporate purposes. It amazes me how people can do these things without realizing the dangers."
The fix: "This For example, offer a reasonable cloud storage solution that is approved, rather than just saying no."
3. Weak or misused passwords: It doesn't take an expert to know that using a default or simple password is like leaving the company door unlocked. But misuse also includes using the same password for multiple sites and sharing them with coworkers.
Sign up for CIO Asia eNewsletters.