7 outdated cybersecurity tips … and what to do instead


With the rise of cyberattack methods such as zero-day attacks, phishing attempts, and ransomware threats, it can be a challenge to keep your digital assets secure. While there’s much you can do to implement cybersecurity solutions, businesses should also consider an element of security that’s harder to control: the human factor. Sometimes, hackers are unable to bypass robust security measures, so they try to “phish” their way into an organization’s infrastructure by taking advantage of employees’ trust or lack of knowledge.

If security isn’t part of their day-to-day role, it’s easy for people to get behind on best practices or rely on outdated training from their onboarding, which could be years ago. To help protect your business from the “people risk”, here’s a quick guide highlighting seven commonly believed but outdated practices—along with suggestions for what to do instead.

#1 You should change your passwords regularly

We’ve long been told to change our passwords regularly. However, in some cases, this advice may actually do more harm than good. If a user changes their passwords often, they may be more likely to write them down so they don’t forget them. This is especially true now that employees are working from home more and businesses have less oversight of how sensitive information is managed.

In addition, the requirement to change passwords every 90 days can be a waste of time. If hackers can figure out the old password, it’s likely they can figure out the new one. Moreover, AI now gives hackers even more advanced tools to crack passwords in a matter of hours, no matter whether the password was changed yesterday or last year.

Passwords are vulnerable to theft in a data leak, and since people might be using the same password in multiple places—both at work and at home—this creates security gaps that businesses have no control over.

What to do instead: Consider adopting passwordless authentication, which uses factors like biometrics or hardware tokens for authentication. If passwordless methods are not an option, combining passwords with multi-factor authentication (MFA) strengthens security by adding an extra layer of protection. Identity Threat Detection and Response (ITDR) solutions can use user behavior analytics to detect anomalies and can check that passwords are not part of known leaks or prohibited patterns, further strengthening protection.
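As an added illustration of the leak and prohibited-pattern checks described above (example code written for this article, not a Gcore product or any vendor's implementation), the following checks a candidate password against a breach corpus using the k-anonymity range scheme, in which only the first five hex characters of the SHA-1 hash leave the client. The breach corpus, the company name "acme" and the banned patterns are constructed for the example; a real deployment would plug a range API such as Have I Been Pwned's `/range/{prefix}` endpoint into `range_lookup`.

```python
import hashlib
import re
from typing import Callable

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
CONSTRUCTED_LEAK = {"Password123": 4_521_000, "Summer2024!": 1_200, "letmein": 90_000}

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def constructed_range_lookup(prefix: str) -> str:
    """Simulates a k-anonymity range query: returns 'SUFFIX:COUNT' lines for one 5-hex prefix.
    Only the prefix is sent, so the server never learns the full hash or the password."""
    lines = []
    for pw, count in CONSTRUCTED_LEAK.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def leaked_count(password: str,
                 range_lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """Number of times the password appears in the corpus, 0 if never seen."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

# Constructed prohibited patterns: the word "password", the (hypothetical) company
# name, ascending digit runs and a character repeated four or more times.
BANNED_PATTERNS = [
    re.compile(r"(?i)password"),
    re.compile(r"(?i)acme"),
    re.compile(r"(?:0123|1234|2345|3456|4567|5678|6789)"),
    re.compile(r"(.)\1{3,}"),
]

def password_problems(password: str,
                      range_lookup: Callable[[str], str] = constructed_range_lookup,
                      min_len: int = 12) -> list[str]:
    """Returns an empty list when the password passes every check."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for pattern in BANNED_PATTERNS:
        if pattern.search(password):
            problems.append(f"matches prohibited pattern {pattern.pattern}")
    seen = leaked_count(password, range_lookup)
    if seen:
        problems.append(f"seen {seen} times in known leaks")
    return problems
```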

#2 If an email attachment is encrypted, it’s automatically safe

Just because an email attachment is encrypted doesn’t automatically make it secure. Cybercriminals increasingly use sophisticated phishing techniques to distribute malware, even in encrypted attachments. Employees can be easily fooled into thinking something is legitimate when it isn’t.

Many organizations tag external emails with labels like [EXTERNAL] or “This email comes from outside the organization” to warn employees of potential risks. Over time, people tend to ignore the tag or overlook the fact that it is in a different place than usual (not in the subject but in the message body, for example). Account takeover (ATO) attacks, in which cybercriminals gain unauthorized access to a legitimate user’s account, often through phishing or stolen credentials, are often designed to bypass such security measures.

What to do instead: Encourage employees to interrogate emails that they weren’t expecting or where they cannot confidently verify the authenticity of the sender’s email address.

While the vast majority of companies will have implemented email filtering software that flags suspicious attachments and links, there is always the risk that a sophisticated scammer will get through. This means that businesses need to make sure employees know that an attachment being encrypted does not mean it is safe.

#3 If a website starts with HTTPS, that means you can trust it

In the past, users trusted that HTTPS and a padlock in a browser meant a website was secure. However, advances in cyber criminality mean this assumption is no longer safe.

While HTTPS, which shows that a website has a TLS (SSL) certificate and encrypts the data between your browser and the site, protects the connection, it doesn’t mean the website itself is secure. Cybercriminals can just as easily obtain certificates for malicious sites. While this may have been a sign of safety years ago, it can no longer be relied on.

What to do instead: Since a website cannot be verified solely based on its HTTPS status, companies can encourage employees to use dedicated tools to check URLs or contact their technical team for validation. In addition, employees should never input sensitive information unless they are sure the site is legitimate. Fake websites with a URL containing one or two letters different from the original are another tactic to watch out for.

#4 Clicking on a suspicious link means your computer has been hacked

While people are right to be suspicious about clicking on links they’re not sure about, if they do so, it doesn’t automatically mean that their computer has been hacked. However, that doesn’t mean it’s safe to click recklessly. Cybercriminals now use tactics like fake calendar invites, which can look very convincing.

What to do instead: Educate employees on how to spot suspicious links and phishing attempts. Encourage them to hover over links to check their legitimacy before clicking. Businesses can also implement web filtering tools to block known malicious sites.
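The lookalike-domain warning in #3 and the “hover before you click” advice in #4 can both be turned into an automated check. The following is an added example written for this article (not code from Gcore or any mail-filtering product): given a link’s visible text and its actual target, it flags plain-http targets, visible text that names a different host than the link really goes to, and hosts that are one or two edits away from a trusted domain. The trusted domains are a constructed allowlist, and the registrable-domain logic is a naive “last two labels” approximation rather than a public-suffix-list lookup.

```python
from urllib.parse import urlparse

# Constructed allowlist of the organisation's own domains (assumption for the example).
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions, deletions or substitutions turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Naive approximation: keep the last two labels ('portal.example.com' -> 'example.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_of(url: str) -> str:
    """Hostname of a URL; bare 'example.com/login' text is treated as https://example.com/login."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()

def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Trusted domain that the host imitates, or None if the host is trusted or unrelated."""
    domain = registrable_domain(host)
    if domain in trusted:
        return None
    for candidate in trusted:
        if 0 < levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None

def check_link(display_text: str, href: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Findings for one anchor; an empty list means nothing suspicious was detected."""
    findings = []
    target = host_of(href)
    if urlparse(href).scheme == "http":
        findings.append(f"link to {target} uses plain http, not https")
    text = display_text.strip()
    if "." in text and " " not in text:  # visible text looks like a URL or hostname
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"text shows {shown} but link goes to {target}")
    imitated = lookalike_of(target, trusted)
    if imitated:
        distance = levenshtein(registrable_domain(target), imitated)
        findings.append(f"{target} resembles trusted {imitated} (edit distance {distance})")
    return findings
```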

#5 Never use public WiFi

Connecting to public WiFi should be done cautiously, but sometimes there is no other option, particularly if an employee is traveling. The risk of someone intercepting your data over public WiFi is similar to the risk of interception on a GSM (mobile) network. Intercepting mobile or WiFi network traffic requires specialized, expensive tools, making it a complex and resource-intensive attack method. Public WiFi is often unavoidable, but it should be used with caution. Businesses should also ensure that their guest WiFi is secure for visitors to their organization.

What to do instead: Encourage employees to use VPNs when accessing public WiFi. A commercial VPN might not always be the safest (see point below), but a corporate VPN with strong encryption and endpoint security is a much more secure option. In addition, businesses can implement zero trust network access, which enforces strict access controls based on the principle that no one, whether inside or outside the organization, can be trusted.

#6 It’s safe to use commercial VPNs

Using a commercial VPN (virtual private network) can seem like a great way to secure your internet connection, but it’s not always the best solution for businesses. Many commercial VPN services log your data and are less secure than they claim; they don’t always offer strong encryption or protection against modern threats. VPNs can store all your data, so don’t assume everything you do on a VPN is private. In some extreme cases, VPNs can also be used to install malware on a device.

What to do instead: Opt for a corporate VPN that offers stronger encryption and doesn’t log user activity. Ideally, choose a VPN that integrates seamlessly with your existing security protocols, offers split tunneling, and allows for zero-trust architecture—guaranteeing data stays secure, no matter where it’s accessed from.

#7 Be overly cautious and suspicious

While vigilance is key, an overabundance of caution can create a false sense of security and waste time. Employees should be encouraged to cultivate a healthy sense of vigilance to protect themselves and the business. Excessive fear can hinder productivity and lead to security fatigue, where employees become desensitized to warnings and ignore critical threats. For instance, the advice to log out of accounts after each use is more suited to an era of shared public computers in internet cafes than to today’s norms of personal laptop use and dedicated company devices. In fact, Microsoft recently announced it would keep users permanently logged in, along with switching to passkeys in place of passwords.

Similarly, advice such as turning off your laptop camera can be helpful, but employees should be aware that these types of hacks are usually highly targeted. They only need to take serious proactive measures if they’re handling high-security information.

What to do instead: Prioritize educating employees about actual risks like phishing, ransomware, and zero-day attacks, and new attack types like AI-enabled cyberattacks. By helping your team identify genuine threats, you can foster a more focused and effective security culture.

Employees should also be realistic about their own personal risk. For instance, it’s more likely they will be personally targeted if they work in a sensitive industry or have access to the upper levels of a business. Sophisticated zero-click exploits, where merely receiving or opening a message can compromise a device, tend to target high-profile people or those with access to extremely sensitive information.

Protect your digital assets with Gcore

Cybersecurity threats evolve constantly, making it challenging to stay ahead—especially when human error is involved. That’s why having cutting-edge security technology in place is essential, making it more likely that human error won’t lead to damaging and expensive consequences. It’s also important that employees are trained to focus on real threats and understand the difference between actual risks and harmless events.

At Gcore, we offer a suite of AI-driven security solutions designed to protect your assets from advanced threats, including zero-day attacks, DDoS, and more. Contact our team of experts to learn more about our WAAP and DDoS protection solutions.

Download our WAAP ebook for more cybersecurity tips
