18 Nov 2015

Cybersecurity: The top common mistakes we make

You’re not the only ones making them.

When it comes to advice on the most common cybersecurity mistakes people and businesses make, there’s no shortage on the Internet – about 488,000 results indexed by Google alone.

The sheer volume of advice makes it hard to know where to start. However, some themes recur across the articles that list the mistakes being made.

Some of the most common mistakes gleaned from a survey of articles include:

Not doing the simple things right

In April, the US Military reminded soldiers and other staff about some easy changes that could drastically improve the organisation’s security posture. Not walking away from a logged-in machine, not leaving security passes unattended and correctly labelling media such as CDs could all help “change the IT or security culture” without requiring much effort on the users’ part.

“The human factor is and remains, for both IT professionals and the end user, the weakest link in relation to security,” KPMG said recently.

Making cybersecurity one person’s responsibility

The US Military article briefly makes the point that cyber security isn’t just the responsibility of IT or the chief information security officer. “Everyone … is cyber security,” it said. “It’s part of your responsibility as well.”

KPMG agreed with that notion in recent research: “Cybersecurity is often seen as the responsibility of a department of specialist professionals. This mindset may result in a false sense of security and lead to the wider organisation not taking responsibility. The real challenge is to make cyber security a mainstream approach.”

However, there still needs to be a central person managing it to ensure “nothing ‘gets lost in the shuffle’ as can happen if a piecemeal, department-by-department approach is taken”, INC reports.


A more comprehensive list of common cybersecurity mistakes made by users is contained in Lenny Zeltser’s often-quoted 2009 post to the SANS Internet Storm Center Handler’s Diary, entitled ‘How to suck at information security’. (For those interested, a 2015 revision can be seen here).

Zeltser’s list struck a chord with many professionals having first-hand experience of users doing some of these things (and having to clean up afterwards).

Everyone makes mistakes

But it’s important to note that it’s not just businesses and users that make cybersecurity mistakes – cybercriminals make mistakes, too.

Kaspersky Lab highlighted a number of mistakes that attackers had recently made that revealed their presence or tracks, including using a hacked company’s Internet connection for their own activity, as well as coding errors.

The security firm is quick to note the irony of attackers who exploit code weaknesses in business software but whose own exploit software contains some of the same bugs.