The fix: Among other things, organizations should forbid web surfing from administrative accounts. If an employee does fall victim to malware, it will be much less likely to get the level of permission it needs to install itself, or at least to persist.
Frymier said these days this is a problem any IT department should be able to prevent. "Most things in the anti-virus/malware and authentication world can be locked down so they can't be disabled," he said.
6. Clueless social networking: The advantage of social networking is that it allows the modern workforce to be much more collaborative and productive. But one of the obvious risks is that confidential corporate information gets posted on networking sites or in the cloud, where it is beyond the control, or the protection, of the organization. Another is that employees fall for increasingly sophisticated social engineering attacks.
The fix: Regular training, which needs to go beyond lectures. As CSO has reported in the past, good training is not an event; it is a process that uses real-world examples.
7. Poor mobile security: In today's BYOD world, it is almost impossible to eliminate spillover between personal and corporate use. But there are millions of devices in the mobile workplace, being used in coffee shops, on mass transportation and in other places with public Wi-Fi. Far too many of them are not protected by rigorous encryption or good mobile device management (MDM). Even more are not protected by so much as a PIN.
The fix: Insist that employees have a PIN for their device. Teach them to be aware of their surroundings in public places — coffee shops, airports, train stations, shopping malls and other areas where criminals can get personal or corporate information from something as low-tech as shoulder surfing. Make sure that corporate data is encrypted, end-to-end.
8. Too many privileges: "We see a lot of networks where an IT team has set up a shared account with high privileges," said Eyal Firstenberg, vice president of research at LightCyber.
"This makes IT's job easier, but it also makes monitoring misuse of those high-privilege credentials impossible," he said, adding that a similar problem is giving too many privileges to application accounts that are only supposed to be used by specialized software. "These accounts are especially susceptible because they have privileges, and are hard to monitor," he said.
The fix: "Accounts, especially privileged ones, should be assigned to individuals, not departments," said Firstenberg.
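One way to surface the shared-account problem Firstenberg describes is to look for a privileged account logging in from several different hosts within a short window, which is what a credential passed around a team looks like in the logs. The following is an added example, not code from the article or from LightCyber; the log format, the account names and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): timestamp, account, source host.
SAMPLE_LOG = """\
2016-03-01T09:00:05 login user=svc_admin src=ws-finance-12 result=success
2016-03-01T09:00:41 login user=svc_admin src=ws-hr-03 result=success
2016-03-01T09:02:10 login user=svc_admin src=db-prod-01 result=success
2016-03-01T09:05:00 login user=jsmith src=ws-eng-07 result=success
2016-03-01T09:06:30 login user=jsmith src=ws-eng-07 result=success
2016-03-01T11:15:00 login user=svc_backup src=backup-01 result=success
2016-03-01T11:16:00 login user=svc_backup src=backup-01 result=success
"""

# Assumed list of high-privilege accounts the organization knows about.
PRIVILEGED = {"svc_admin", "svc_backup"}

def parse_line(line):
    """Return (timestamp, user, src) for one log line, or None if it does not match."""
    fields = line.split()
    if len(fields) < 4 or fields[1] != "login":
        return None
    kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    if "user" not in kv or "src" not in kv:
        return None
    return datetime.fromisoformat(fields[0]), kv["user"], kv["src"]

def shared_account_report(log_text, privileged, window=timedelta(minutes=10), min_hosts=2):
    """Flag privileged accounts used from min_hosts or more distinct source hosts
    inside any sliding window of the given length. Returns {account: sorted hosts}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in privileged:
            events[parsed[1]].append((parsed[0], parsed[2]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()  # chronological, so every later event is >= t0
        for i, (t0, _) in enumerate(evs):
            hosts = {src for t, src in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for user, hosts in shared_account_report(SAMPLE_LOG, PRIVILEGED).items():
        print(f"{user}: used from {len(hosts)} hosts within 10 min -> {hosts}")
```

Once each privileged account belongs to one person, the same report should come back empty, and any hit is worth an incident ticket rather than a shrug.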
9. Failure to update or patch software: One of the most common security mistakes, mostly the result of the "can't be bothered" syndrome. The risk is obvious — it leaves devices exposed to new threats, whose creators are actively seeking targets before their window of opportunity closes.