The Most Common Mistakes These 27 Cyber Security Experts Wish You’d Avoid
See how your online habits are exposing you to cyber threats and act on these expert tips
In spite of all the media attention that cyberattacks have been getting lately, cybersecurity is still not as important an issue for Internet users as it should be.
This is reflected by the fact that, by preserving old habits (like not updating their software, reusing passwords, etc.), users are maintaining security holes that cyber criminals constantly exploit and fueling the malware economy.
But what exactly are the most common mistakes that users make which expose them to cyber threats?
To find out, we asked 27 cybersecurity experts to share which errors they have seen come up most often in their many years of experience. You’ll be able to see for yourself that some of them come up again and again. What’s more, we’ve all made some or all of those mistakes, but it’s important to acknowledge them and, most importantly, stop repeating them.
You don’t even have to take our word for it. But you can trust the experts from Symantec, AVG, Bitdefender, ESET, Malwarebytes, Sucuri, Rackspace, Trusteer (IBM Security) and many more security organizations or publications that have generously shared their personal opinions.
You’re in for a useful read, not at all technical, and packed with practical tips that can significantly increase your protection online. So let’s find out:
What is the biggest mistake that users make when it comes to protecting their online assets?
1. Adam Shostack, Veteran startup leader focused on improving security & privacy for customers and author of “Threat Modeling: Designing for Security” & “The New School of Information Security”
Frankly, I hate these sorts of things, because we ought to design systems that don’t make it so easy for people to make mistakes in weird technical ways that are hard to comprehend. But we do – we make it hard to be secure, then we rant about how people don’t jump through the hoops we somehow imagine they want to jump through.
People should use a password management program that makes it easy to create a unique password per site they register with. I prefer one that syncs locally, such as 1Password. That way, when one site gets hacked, you don’t have to change your password everywhere else. I’m a fan of local sync options over the cloud for syncing.
2. Brad Duncan, Security Researcher @ Rackspace
1) Use strong passwords and enable 2 factor authentication for your webmail, if possible.
Have you ever received spam from a friend or acquaintance’s Gmail, Yahoo, or other webmail account? If so, that user’s account was likely compromised. An immediate solution is to have the user change his or her password for that compromised webmail account. However, that overlooks a more serious issue. Many people use their webmail accounts to receive notifications for online accounts like their bank, electric bill, and other services. A person’s webmail account usually has some sort of private or sensitive information that an attacker could use to find out about that person’s other online accounts. This leads to my second point…
2) Don’t use the same passwords for different online accounts.
If an attacker compromises your webmail account, hopefully you don’t use the same password for other accounts. If so, that attacker could use your stolen password to access other accounts and possibly gain more information. Some online bill-paying services have the option to store your bank account information, so you don’t have to type it in every time you make a payment. An attacker might be able to gain access to your finances that way, and this would’ve happened because you used the same password for your different online accounts.
These tips are things we’ve all heard about before. However, many home users try to balance security and convenience, which is often a mistake. If your house is in a neighborhood known for break-ins and property theft, you would take strong measures to protect your physical property, despite the occasional inconvenience. Like a bad neighborhood, the Internet is well-known for incidents of cyber break-ins and data theft. Technology has brought this environment into our everyday lives, and we need to have a more combative mindset concerning our online data.
3. Brian Donohue, Technology Journalist Covering Network Security @ Cyber4Sight (Booz Allen Hamilton)
It’s really two related mistakes that users make that commonly expose online accounts to compromise and hijacking: the deployment of machine predictable passwords and the reuse of passwords across multiple accounts.
4. Brooke Paul, Founder & CEO @ Taivara
At this point in time, the biggest problem is users take the path of least resistance toward securing their online assets. Such as:
- Not opting into extra security offered – such as the two-factor authentication offered by Dropbox, Facebook, Google and more.
- Not taking the extra step of using a password manager to create random and more secure passwords that are securely encrypted and stored.
- Not creating timeouts and login screens for personal devices like laptops and phones.
These are steps users can take today, but they create a more difficult experience. The industry also has a role to deliver better security that works seamlessly within the user experience best suited to our customers and products.
5. Candid Wuest, Threat Analyst @ Symantec
Two of the most common and basic mistakes consumers make when it comes to protecting their online assets is not to use strong passwords on all their devices and not applying patches or software updates, leaving people exposed to exploits cybercriminals actively leverage.
The most common password of all is simply the word ‘password’. People think they are being clever – but it is one of the first words cyber-thieves try. Other passwords to avoid include children and pet names as well as favourite football teams and dates of birth – all commonly used. A hacker can find such details easily on social media such as Facebook and Twitter.
A better idea to create strong passwords is to remember a phrase – for example, “An Apple a Day Keeps the Doctor Away!”. The whole sentence as a whole, including spaces, would be the best password to use. If the system is older and only allows for short passwords, then use the first letters and you have a password “AAaDKtDA!”. If you also want numbers in it, then change a letter to a number that reminds you of the letter or replace words. For example, 1AaDKtDA!.
Use a password manager, such as Norton Identity Safe, to help remember multiple strong passwords across all your online accounts. Where possible, enable additional security features such as two-factor strong authentication.
6. Daniel Cid, Founder & CTO @ Sucuri
It is never just one single mistake, but a combination of multiple mistakes that lead to the most serious issues. Finding the biggest mistake was not an easy task, when there are so many to choose from. 🙂
However, the most critical mistake I see is regarding password (access control) management. A lot of people still re-use passwords and still rely on simple, easy-to-guess, passwords for their critical accounts. Users should never, never (never!), re-use passwords across different accounts. If we could solve one security problem for end-users, that would be the one.
7. Dave Piscitello, Vice President, Security and ICT Coordination @ ICANN
Users by and large neglect to read social media, merchant, email or website terms of service or use. Users live with a terrible misconception that they have some “inalienable” right of ownership to information they submit online, or information that they consent to have collected as a term of use for an account or mobile app. While certain jurisdictions may have privacy laws to protect personal data, there is no _universal_ right to ownership of data. Users shouldn’t rely on privacy laws to protect their personal data. While such laws are important safeguards against serious misuse, they aren’t intended to serve as a ‘net Nanny.
Terms of service or use are contracts: the user gets to participate in a community or use an app for free and in return, the social media operator may claim rights to the information you submit (for example, images), or the third party data collectors who fund apps get to track your behavior.
Hopefully, you wouldn’t enter into a rental agreement or vehicle loan without understanding the terms of the contract. Similarly, you shouldn’t accept terms of service or use at sites where you’ll be submitting or posting personal, intimate, or business-sensitive data. If the privacy and other policies of a social media or web site don’t explain what rights you retain over data you submit or post, ask or do some investigating online. If you don’t feel comfortable with the terms, don’t sign up, and warn your friends, colleagues or families.
8. Dave Waterson, Founder and CEO @ SentryBay
Many users assume that because they have anti-virus software installed, then they are fully protected from everything. This is not the case. The average user would be horrified to learn the actual effectiveness of AV in terms of identifying new malware. Users need to augment their AV with other more specific solutions, and be constantly on guard against social engineering attacks.
9. David Harley, Senior Research Fellow at ESET North America
I’m reluctant to talk about ‘mistakes’ – it’s too easy to blame end users if they make decisions affecting their own security that we in the security industry don’t consider to be well-founded. The unfortunate fact is that the media – online and otherwise – and the Internet at large are sources of immense volumes of advice of very variable quality. (Just check out practically any online forum!) So you could argue that the ‘biggest mistake’ is not reading ‘stuff’ on the internet with a suitably critical eye. (But if the population at large is insufficiently skeptical and versed in critical thinking, isn’t that an educational failure rather than user error?)
Even when we come to address the specific issue of online assets, there are far too many issues for me to venture into an opinion as to which is the most vital or damaging.
However, there are certainly many in connection with authentication. Research by Mark Burnett suggests that:
…Approximately 1 out of every 9 people uses at least one password on the list shown in Table 9.1! And one out of every 50 people uses one of the top 20 worst passwords.
(Table 9.1 represents the ‘Top 500 Worst Passwords of All Time’, from Burnett’s book Perfect Password: Selection, Protection, Authentication. The same table is reproduced here, however.)
Research on PINs is less copious, but it’s suggested that the 10 most-used passcodes accounted for 15% of a set of passcode samples acquired by Daniel Amitay. As you might expect, some of the problems are slightly different with 4-digit PINs, where memorization is more often tied to keyboard layout. However, because of the restricted nature of the character set, there is an issue that is less pressing with mixed-character passphrases. A randomized string like pC9>#05hkhJ*£V may be unpleasant to read and impossible to remember (but that’s the advantage of password management software). However, it’s random enough to reduce significantly its vulnerability to several kinds of attack. Nevertheless, as I’ve observed elsewhere:
Randomization is no guarantee of security. Indeed, randomization will sometimes give a bad PIN like 0000. You can use algorithms that are essentially pseudo-random but which are weighted to exclude the top n PINs, of course, but I don’t know if any service does that.
When I was actively researching password- and PIN-related issues (using, in part, Amitay’s dataset), I became increasingly frustrated to keep coming across journalists publishing lists of the 10 worst passwords (or at best the 25 worst passwords). You might think that a little odd, after quoting lists like Burnett’s of stereotyped passwords, but I actually prefer to focus on how people can improve their password/passcode creation strategies, rather than on a handful of the very worst passcodes.
- Avoiding the most popular (i.e. overused) passwords is safer than using one that happens to be in the top 10, or indeed in the top 100, or even 10,000.
- Passphrases and PINs consisting of a single character repeated are all but useless.
- A numeric or digital series ascending (or descending) incrementally can be at risk from a guessing attack, a dictionary attack, or an algorithmic attack.
- Any password consisting of a word found in a dictionary is easily and quickly cracked. Passphrases may take more time, but cracking software is increasingly likely to take English sentences used as password phrases, especially material such as well-known quotations. Remember also that dictionary lists used in such attacks will include known over-used words that aren’t real words.
- Passwords with a sexual connotation or using swearwords are very widely used, and therefore highly vulnerable to a guessing or dictionary attack.
But avoiding stereotyped passwords is only adequate protection if the authentication mechanism is well-implemented and if the provider is doing a good job of protecting authentication data on its own systems.
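The heuristics Harley lists (overused passwords, single repeated characters, incremental series, dictionary words) and the “pseudo-random but excluding the top n PINs” idea from his earlier quote, written out as an added example that is not part of the original article. The blacklist, top-PIN list and dictionary are small constructed stand-ins; a real deployment would load a published list such as Burnett’s top 500 and a full dictionary.

```python
import re
import secrets

# Constructed, illustrative lists (not the real Burnett/Amitay data).
TOP_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969"]
TOP_PASSWORDS = ["password", "123456", "123456789", "qwerty", "letmein", "iloveyou"]
DICTIONARY_WORDS = {"apple", "monkey", "dragon", "football", "welcome", "summer"}
# Undo the most common digit/symbol substitutions before the dictionary check.
LEET = str.maketrans("013457@$", "oleastas")


def is_repeated_char(s):
    """'1111', 'aaaaaa': a single character repeated is all but useless."""
    return len(s) > 0 and len(set(s)) == 1


def is_incremental_series(s):
    """Digit string stepping by exactly +1 or -1 throughout (e.g. 1234, 9876)."""
    if not s.isdigit() or len(s) < 3:
        return False
    diffs = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def normalize(s):
    return s.lower().translate(LEET)


def password_weaknesses(pw, blacklist=TOP_PASSWORDS, words=DICTIONARY_WORDS):
    """Return the stereotypes the candidate matches; an empty list means none fired."""
    found = []
    low = pw.lower()
    if low in {b.lower() for b in blacklist}:
        found.append("overused")
    if is_repeated_char(pw):
        found.append("repeated")
    if is_incremental_series(pw):
        found.append("series")
    # Strip everything but letters after undoing substitutions: 'M0nkey!' -> 'monkey'.
    core = re.sub(r"[^a-z]", "", normalize(pw))
    if core in words or low in words:
        found.append("dictionary")
    return found


def random_pin_excluding_top(n_digits=4, top=TOP_PINS, rng=secrets.randbelow):
    """Draw a random PIN, rejecting anything on the top-n list or matching a
    repeated/incremental pattern. Rejection sampling keeps the accepted PINs
    uniformly distributed over the remaining space, so excluding '0000' does not
    bias the rest. `rng(10)` must return an int in 0..9 (secrets.randbelow does)."""
    banned = set(top)
    while True:
        pin = "".join(str(rng(10)) for _ in range(n_digits))
        if pin in banned or is_repeated_char(pin) or is_incremental_series(pin):
            continue
        return pin


if __name__ == "__main__":
    for candidate in ["password", "1111", "123456", "M0nkey!", "pC9>#05hkhJ*£V"]:
        print(candidate, "->", password_weaknesses(candidate) or "no stereotype matched")
    print("generated PIN:", random_pin_excluding_top())
```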
10. Graham Cluley, Independent Computer Security Analyst @ GrahamCluley.com
If information is important to you, and you are planning to store it online, the biggest mistake you can make is not encrypting it *before* you store it in the cloud.
Trusting an online service to do a decent job of securing your information and keeping it private can be a costly mistake. Ultimately the only person you can trust to do a decent job is yourself, so encrypt before you store your data online.
11. Ilya Kolmanovich, Security Threat Engineer @ Trusteer (IBM Security)
The single biggest mistake users at large make when it comes to protecting their online assets is not stopping to think about the worst-case scenario of what could happen to their data once it is out of their control.
Nowadays, people reveal way too much personal information online without so much as a second thought about it, or the possible implications of this simple act. Many think that their data has no value, or simply don’t understand what anyone could do with it.
Beyond personal information, as employees in a highly digital world, many take for granted the hyper-connected environments we work in. So much so, that they fail to realize that data is as protected as it will ever be before it is Internet-borne.
Once it is out there, posted online in one way or another, whether they think it is protected in an online drive or a password-protected resource, there is no telling whose hands it will end up in. And since there is often no way back after the information has been posted online, it is all that much more crucial to stop and think through whether it should go online at all and have a procedure in place to protect it, as well as one for when it is somehow leaked. In this day and age, information is a highly valued asset.
As a practical measure, I would suggest raising awareness among users, making sure they understand that once it is out of their hands, information can remain on the Internet forever, it can be stolen, or abused, and they will not be able to do much about that after the fact.
Whether a teenager posting an angry paragraph online, or an employee uploading an important, confidential document to a supposedly protected resource – have a mental, and actual procedure in place to help you vet whether this content should go online at all, and what consequences will be faced in a worst-case scenario.
12. Joe Shenouda, Founder at Cyber Consult
Privacy exposure is the biggest mistake every user makes. People often say “I have nothing to hide” and as a consequence they expose all their information, sometimes without knowing.
The consequence of this is that their online assets are scattered around beyond recovery.
Users should always take their own privacy very seriously, even if they have nothing to hide. An attitude like that will make them take measures to protect their online assets better.
13. John E. Dunn, Editor & co-founder @ Techworld
The biggest mistake? People have no plan B.
After years of over-priced products, users have become wary of paying for security – any security.
Consequently, they fail to invest in a backup service, disaster recovery for their PC, security systems such as multi-factor authentication and password managers. Because they find it hard to understand security, they end up doing nothing at all and become dangerously blasé about it all.
14. Joshua Corman, CTO (Chief Technology Officer) at Sonatype & Co-Founder of “I am the Cavalry” (iamthecavalry.org)
The biggest mistake that users make is assuming that we can secure anything. I think we blindly adopt technologies, social media, and other innovations for their immediate benefits, but we forget that everything is a “cost” and a “benefit”, a “risk” and a “reward”, and we blindly assume that these things are secure without any proof of them being secure or securable.
If anyone’s paying attention lately, breaches are on the news every single day, and it’s not only credit cards anymore. There are failures where the consequences of failure are much more severe. These are government agencies with billion-dollar budgets that can’t necessarily protect themselves. So our assumption that IT is “secure enough” or defensible is a faulty one.
If we’re failing nearly all the time, on things that are highly replaceable, like credit cards, we’re in really bad shape for things that are less replaceable, like public safety and human life.
We [I am The Cavalry] take this very seriously and I think the role of the consumer is to start asking questions and start paying more attention. A recent example, although it’s highly controversial, was a few weeks ago, when two hackers demonstrated that they could take control over a Jeep Grand Cherokee which was going 70 mph on a highway, with the journalist driving.
If that doesn’t terrify people as to how over-dependent we are on indefensible connected technology, this is where the media and the readers come in, because, if they don’t start asking, public policymakers won’t take action soon enough. Moreover, it’s not a matter of whether we’re going to be insecure later – we’re already vulnerable, in very dangerous places, and a lot of them.
One piece of guidance I give is: the less dependent we are on connected technology, the less exposed we are. So we should look at every choice when giving someone our information or entrusting them to store something important to us in some cloud service. Worse, adding a new Wi-Fi hotspot to our vehicle is an opportunity for accidents and adversaries to harm us. It’s less of a matter of finding an option that is secure and more a matter of making really smart choices of what type of connected technologies we depend upon.
The job that we have at hand now is to start asking questions, begin spending differently and start depending less, until they will have proven to be trustworthy.
15. Kevin Townsend, Freelance journalist & writer at ITSecurity.co.uk, with more than 10 years’ experience in writing about security issues
The biggest mistake that people make in protecting their online assets is believing that you can protect your online assets. You cannot.
You can deter the casual hacker – just like iron bars on the windows and a visible burglar alarm deters the casual burglar – but you will not stop the determined professional hacker.
Choose the location of your online assets with care. Check the reputation of the provider, and the security he promises. But, most importantly, never put anything online that you wouldn’t want your mother to see or read, nor anything that you cannot afford to lose.
16. Lee Munson, Contributing writer @ Sophos Naked Security
I believe the biggest mistake people make when it comes to protecting their online assets is that they do not value them highly enough.
Online bank accounts, email and social media accounts can be protected via strong passwords and, often, the adoption of two-factor authentication as well.
Digital photos, music and home movies uploaded to cloud storage can be secured behind strong login credentials and a simple backup plan.
Yet, all too often, we hear how accounts have been hacked, or sole copies of sentimental media have been lost for all time.
Because people do not value that which they think they cannot lose.
Thus the challenge for us in the information security industry is to educate people to not only value their online property as if it were a physical asset, but also how to secure it too.
17. Liviu Arsene, Senior E-threat Analyst @ Bitdefender
One of the biggest mistakes that companies make when it comes to securing sensitive data is not understanding where their data resides and how to categorize it.
Companies that identify what their sensitive data is, will set in place various security mechanisms, such as encryption and access policies, both for encrypting data in transit and at the rest, while also restricting access to it. Having a strategy for protecting each level of data appropriately is not only recommended, but mandatory. Data classification is critical and access to it needs to be regulated.
18. Marcin Kleczynski, CEO @ Malwarebytes
I think that the biggest mistake that users make when it comes to their online assets is that they reuse passwords. They use the same password for their banking website as they do for their social profile, for example, and that creates the weakest-link effect.
We’re all guilty of putting out information on a site that isn’t necessarily secure or it belongs to a startup that hasn’t focused on security just yet. As soon as one of those websites is breached, the attackers will have the same email address and the same password that you use for all these websites.
If I were a cybercriminal, I would attack the lowest-hanging fruit – a website such as a dating site or a social media site, where security is just not top of mind like it is for a bank. As soon as I had those credentials, I could rest assured that I could probably reuse them in a lot of places, because people don’t change them from site to site.
19. Martijn Grooten, Editor @ Virus Bulletin
I’d say the biggest mistake is that people think there is a silver bullet that can solve all their problems. The idea that if only they use this tool, or always do that thing, they don’t have to worry about anything.
Mind you, I’m not suggesting people should worry too much – just that they should have realistic expectations of how much tools and practices can stop attacks.
20. Matthew Pascucci, Cyber Security Specialist & Privacy Advocate at Front Line Sentinel
1. Assume the site that’s hosting your data isn’t performing proper security. Always be under the assumption that if the online site that’s hosting your data was compromised, you could live with the data being public.
2. Stop using the same password for every account and use two-factor authentication whenever possible. This is done easily now with SMS text messaging and Google Authenticator.
3. When storing sensitive data in the cloud, make sure it’s encrypted first before uploading it. Without encrypting it first, you run the risk of it potentially being viewed without your knowledge.
21. Morten Kjaersgaard, CEO @ Heimdal Security
In my opinion, the biggest mistake a user makes is underestimating their opponent. Users fail to recognize the fact that cyber criminals today are exceptionally quick, very skilled and that they are very focused on the task at hand, which is business.
Users’ computers are, by default, quite safe, but the risk arises when computers are used. Hackers rely on the interaction with the users to penetrate their system and, therefore, users need to recognize their adversaries’ abilities and build their own skills and defenses to match them.
22. Pierluigi Paganini, Founder of Security Affairs
It is my opinion that the biggest mistake users and companies make when it comes to protecting online assets is the lack of a correct evaluation of the attack surface. In the majority of cases, users totally ignore cyber threats, threat actors and their tactics, techniques, and procedures (TTPs). This error is transversal across many sectors and technologies; the systems and services exposed on the Internet often lack security by design, opening users’ assets to cyber attacks.
The wrong approach to cybersecurity has to be analyzed in various contexts. If we consider, for example, the Internet of Things, the lack of a proper security posture could have serious repercussions on users and their data. It is quite easy to discover online IoT devices with factory settings that are easy to hack. If we consider APT groups and their hacking campaigns, the lack of knowledge about spear-phishing attacks is the principal reason for their success.
We are all nodes in an interconnected network, humans and machines; we must know the threats and the way they operate if we are to stay secure online.
23. Simon Edwards, Technical Director @ Dennis Technology Labs
The biggest mistake is to choose the cheapest option without considering the supplier’s reputation. Take VPNs as an example. If you pay a respectable company to provide you with VPN services, then you stand a greater chance of being secure than if you trust in a provider that you know little about and somehow has the ability to provide free, reliable and secure services.
There has been a case of a VPN provider renting out customers’ Internet connections to a third-party. And how many other free VPN services are secretly operated by governmental entities?
24. Tony Anscombe, Senior Security Evangelist @ AVG Technologies
When it comes to the mistakes we make when securing our online lives, above everything else, our mindset as consumers is our biggest downfall. Despite big business breaches and reports of compromised consumer data hitting the news on a regular basis – if we’re really honest – many of us simply think “it won’t happen to me.”
Take last year’s Heartbleed bug, as an example. Despite the breadth of the breach and many major tech firms urging people to change their passwords, according to password management company Dashlane, more than half (52%) of UK users still have not changed any of their passwords at all.
Many of us still use the same passwords across different services, even cycling through the same passwords over time. Recent hacks (like Heartbleed) have proved this, revealing that vast numbers of people still use very simple passwords – common words or socially guessable phrases – to protect their personal data. In fact, the top password is still ‘123456’, seconded by ‘123456789’ with ‘password’ ranking in third place.
In future, users should look to move away from the ‘traditional’ password and start to look at more sophisticated groups of characters. If you’re worried about forgetting longer passwords, using something personal to you as the basis for your passphrase can still create enough complexity to make it a lot harder to crack – for example, Neil!luvs2jog, a mix of characters, symbols and numbers in upper and lower case, yet still a memorable message.
25. Troy Hunt, Microsoft MVP for Developer Security & blogger at TroyHunt.com
The biggest mistake users make is the assumption of privacy.
Now is a timely reminder in the wake of the Adult Friend Finder and Ashley Madison breaches that all your online things need to be created with the assumption of them being public one day. It’s an unfortunate reality that this increasingly seems to be the case, whether it’s due to data breaches or government oversight.
The best piece of advice I can give everyday people on the web is to avoid digitising things that would irreparably damage them whether that be photos or emails or other online conversations – it’s just not worth the risk.
26. Wendy Nather, Research Director at Retail Cyber Intelligence Sharing Center (R-CISC)
I think the biggest mistake that users make when it comes to protecting their online assets is failing to take into account that a trusted person might need to access them in the future. Most online sites don’t have good provisions for allowing someone else — say, a spouse or family member — quick access to a user’s account when that user is incapacitated or has died.
If you think about what might happen if you were extremely ill for a month, you may realize that you’ll need someone to pay your bills from your account, answer urgent email, pick up pharmacy prescriptions, and so on.
As we keep more of our assets online, we need proxy and delegation arrangements to be in place; this problem only grows as the online population ages.
27. Xavier Mertens, Freelance Security Consultant, Owner @ XM Consulting
Firewalls became common security protections for our perimeters. Today, even our home networks are protected with filtering systems. Implemented in broadband routers, such filters remain basic but… at least they exist! Our assets are protected from the ‘wild’ Internet by blocking all incoming (unwanted) connections. This kind of traffic is called ‘ingress traffic’. It categorizes all the traffic coming from outside the network. At the opposite end, we have the ‘egress’ traffic, which refers to the traffic that is going from the network to a destination somewhere outside of the network (read: the Internet).
Controlling this egress traffic is also very important. When an asset has full (unrestricted) access to the Internet, the following issues may occur:
- In case of malware infection, the asset will communicate with the C&C (Command & Control) server
- The asset can be used as a botnet member to attack other hosts
- Non-corporate services can be used like rogue DNS resolvers
- Applications can try to connect to remote servers (“phone home”) to exfiltrate data.
My recommendation is to allow only the required traffic to go out of your assets/networks. Do not permit assets to communicate directly with external network services (DNS, SMTP, HTTP). Use internal resources and proxies to inspect the traffic. On computers, host-based firewalls can be installed to control all the traffic based on application (e.g. Little Snitch on OS X).
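The egress policy Mertens recommends (endpoints never talk to external DNS, SMTP or HTTP directly; only the internal resolver, mail relay and proxy may), written as a check over flow records so a defender can find the violations, the direct resolver lookups, direct mail delivery and unexplained outbound connections that would otherwise pass unnoticed. This is an added example, not code from the original article or from XM Consulting; the 10.0.0.0/8 internal range, the three egress-hop addresses and the flow lines are all constructed, and the external addresses use the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import namedtuple

# One flow record: source, destination, destination port, protocol, bytes.
Flow = namedtuple("Flow", "src dst dport proto nbytes")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed policy: only these internal services may reach the Internet,
# and only on the ports they exist to forward. Everything else is a violation.
EGRESS_HOPS = {
    "10.0.0.53": {(53, "udp"), (53, "tcp")},   # resolver forwarding to upstream DNS
    "10.0.0.25": {(25, "tcp")},                # mail relay delivering outbound mail
    "10.0.0.80": {(80, "tcp"), (443, "tcp")},  # web proxy fetching on clients' behalf
}

# Constructed sample flows in "src dst dport proto bytes" form.
SAMPLE_FLOWS = """\
10.0.1.15 10.0.0.53 53 udp 120
10.0.1.15 10.0.0.80 3128 tcp 48210
10.0.0.80 203.0.113.45 443 tcp 15320
10.0.1.22 192.0.2.53 53 udp 96
10.0.1.22 203.0.113.45 443 tcp 15320
10.0.1.30 198.51.100.7 25 tcp 2200
10.0.1.30 198.51.100.9 4444 tcp 530000
10.0.1.15 10.0.2.40 445 tcp 1024
"""


def parse_flow(line):
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5 or not parts[2].isdigit() or not parts[4].isdigit():
        return None
    try:
        ipaddress.ip_address(parts[0])
        ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return Flow(parts[0], parts[1], int(parts[2]), parts[3].lower(), int(parts[4]))


def classify(flow):
    """Return 'allow' or the kind of egress violation this flow represents."""
    if ipaddress.ip_address(flow.dst) in INTERNAL_NET:
        return "allow"  # internal-to-internal is not egress; out of scope here
    key = (flow.dport, flow.proto)
    if key in EGRESS_HOPS.get(flow.src, set()):
        return "allow"  # a designated hop doing the job it exists for
    # An endpoint (or a hop on the wrong port) reached the Internet directly.
    if flow.dport == 53:
        return "direct-dns"       # bypassing the resolver (rogue/external DNS)
    if key == (25, "tcp"):
        return "direct-smtp"      # bypassing the mail relay (spam bot pattern)
    if key in {(80, "tcp"), (443, "tcp")}:
        return "direct-http"      # bypassing the inspecting proxy
    return "unexpected-external"  # anything else: possible C&C / phone-home


def egress_report(text):
    """Map each internal source to the list of violations it produced."""
    report = {}
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict != "allow":
            report.setdefault(flow.src, []).append(verdict)
    return report


if __name__ == "__main__":
    for src, reasons in egress_report(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(reasons)}")
```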
We really hope that these answers can help you take the right steps to better protect your online assets, whether they’re family pictures, work documents or your online banking details.
It’s challenging to fit cybersecurity in your personal agenda – we know, we’ve struggled with it as well, before becoming slightly paranoid – but it’s also extremely important, especially as the years go by.
We hope you can find the motivation to protect yourself and your loved ones by choosing the right solutions for you, because you can only rely on your ability to learn and adapt in a fast-paced world like the one we live in.
And if you ever need help, don’t hesitate to reach out to us. There’s always a way to get better at cyber security, and it’s wise to do it before trouble comes your way.