Most of us are aware that we need to keep security risks front-of-mind when we’re doing things online. We don’t open any email attachments or links that look even vaguely suspicious, we have a secure password vault so that we don’t use the same password over and over again, and we warn our friends and family if we think their WhatsApp has been hacked rather than clicking on the dodgy-looking link they’ve sent through.
But even if you’re doing all those things right, chances are you’re still engaging in seemingly innocuous behaviour that puts your own data at risk as well as that of your organisation. Whether it’s unwittingly participating in social engineering, trying to save a few quid on software, or even just staying up to date with the latest tech trends, there are any number of areas where we could stand to be a little more vigilant.
These behaviours don’t just affect your personal accounts, but can also be detrimental to the overall security of your organisation.
Fortunately, knowing is half the battle. So, once you’re aware of seemingly innocuous behaviours that are actually risky, you can begin to address them. With that in mind, here are a few risky forms of behaviour and some tips for addressing them.
Using (some) free online software
Let’s face it, we’ve all been in a situation where we’ve needed to do something, like merge a PDF, that we don’t have the software for. If it’s something we don’t do all that frequently, we can also convince ourselves that it’s not worth shelling out for dedicated online tools. The natural response is to look for a free online tool.
The thing is, free’s never really free. When you upload a file to an online PDF editor or converter, you give the platform temporary access to it. Some will scrape the PDF for data, which they can then sell to advertisers and other third parties. That could be a major problem if you’re editing sensitive or confidential documents, or if the tool’s own security measures aren’t up to scratch. Although rarer, some online tools can also infect your machine with malware.
While it’s always best to use a paid-for desktop editor, you can be safer by checking how long the service stores your documents for, whether it’s GDPR-compliant, and whether it takes additional measures to protect your privacy.
Using social logins
It’s easy to understand why people use social logins. They can take the pain out of registering for a new site and leave you with one less password to remember. But they also come with inherent risk. For instance, if one of the parties gets hacked, the login and personal data on all the websites that had access become vulnerable as well.
You can get most of the convenience of social logins without the inherent security compromises by using a password manager.
Answering social media questions
If you spend any time on Facebook, you’ve probably seen someone you know answer a meme like “Find your rapper name!”, made by combining the name of your first pet with the name of your current street, or “How far away do you live from the place you were born?” These questions might seem like a bit of innocent fun, but the truth is far more insidious.
Those questions are designed to be as similar as possible to password prompts and security questions. Coupled with information gleaned from data breaches, these answers can be used by cybercriminals to access your bank account and withdraw money or even for more serious forms of identity theft.
In other words, don’t answer the questions. And if you have, get a password manager and update all your passwords.
Buying the latest tech
When it comes to smart household tech, consumers have never had more options available to them. Everything from lightbulbs and fridges to speakers and scales is connected to the internet. While the manufacturers of these devices may be good at making them, the same cannot be said for their approach to security, which is often an afterthought. In fact, several major cybersecurity incidents have occurred as a result of IoT devices.
If you’re using these devices in your organisation, it’s worth setting up a continuous assessment cycle and conducting periodic reviews of third-party tech vendor relationships to ensure that these companies are transparent about the data they collect and how securely they handle it. It’s also good practice to check whether the tech vendors that you work with hold certifications from renowned TIC (testing, inspection, and certification) companies for their confidentiality and data protection processes, not to mention verifying if the vendors comply with privacy regulations like the GDPR.
Using unauthorised workarounds
Most of us have, at some point, come across something that our organisation’s preferred software suite isn’t capable of doing. Alternatively, the software suite you use might not play nicely with a client’s or supplier’s software suite. As a result, you end up using the most convenient workaround. For example, people use services such as Dropbox, Google Drive, and Box to send large files, even if those are technically unauthorised platforms. This practice is known as shadow IT and has grown exponentially in recent years. It creates data risk and compliance issues, because you are sharing data outside your network.
Organisations therefore need to ensure that their software provider either fulfils all their needs or that their security provider is capable of dealing with some of the most common shadow IT applications.
Little changes make big differences
While it’s almost impossible to be totally secure, the behaviours described above demonstrate how easy it is to fall into insecure habits. They are, however, easily rectified. And if enough people make those little changes, the internet could be a much safer place.