Five Things Employees Do That Put Your Organization at Risk

By Ernie Smith
Saturday, July 1, 2023
Your employees probably aren’t trying to put your organization at risk. (If they are, that’s a whole other discussion.)

Nonetheless, association pros are fallible, and that can mean cybersecurity problems. Here are just a few of the things that employees might be doing, unintentionally or otherwise, that can put your organization at risk.


1. Leaning on “Shadow IT”
When employees don’t have quite what they need from your IT department, they may hunt for it themselves. That could introduce a problem known as “shadow IT,” the practice of utilizing unsanctioned technology to do your work.

It’s not a new problem—we first covered it in 2014—and it’s extremely widespread. The website G2 Track Resources puts the percentage of workers using unsanctioned SaaS tools at 80 percent, and suggests that unknown cloud usage may be 10 times that of known cloud usage.

There can be some benefits to shadow IT—it can inspire new approaches, most famously when the iPhone quickly found a home with many executives despite not initially being sanctioned by IT teams. But for the most part, the best way to handle it is through policy.

“We would put a lot of the foundational IT stuff into the employee handbook, or into the IT security policy, or the disaster recovery plan, or the incident response plan,” said Darrell Poe, vCIO of B/Net Systems (and a former CompTIA technology evangelist), last year. “And those policies generally go out to staff, and they have to sign—especially the employee handbook.”

2. Using Weak Passwords
Is your password “password”? Maybe you should fix that. Admittedly, passwords have long been an imperfect tool for protecting sensitive data, in part because they are so easy to misuse, and in particular so easy to reuse.

Problematic passwords such as “Password” or “123456” are easy to spot, but perhaps the more dangerous issue is reusing the same password across numerous accounts and devices, so that one compromised login exposes the rest. Two-factor authentication can help with this, but it has its limits: for one, using a phone number as the second factor can itself create security risks.

If you do go with two-factor, use an authenticator app, or, even better, adopt physical security keys, which block a login unless the key itself is present.

3. Falling for Phishing Attacks
Security practices can only go so far if you’re not in a security mindset—and the inbox and the phone are key places where that mindset can lapse.

Phishing scams are traditionally associated with email, but mobile attacks have been on the rise of late, many of them using SMS links as a way to get at your personal information. For association pros, spear phishing, meaning phishing attacks targeted at a specific person, is also on the rise.

For IT professionals, this may be a great place to offer employees additional training, perhaps through an online quiz.

4. Failing to Update Software in a Timely Manner
Using an old version of an application, web browser, or operating system means you don’t get the latest updates, and in some cases this is even what employees want, because the old version is familiar and updating would mean a significant change to their routines.

But a failure to update software could be costing you an opportunity to get the latest performance improvements, while also creating inroads for hackers. As the security firm Sophos puts it on its website:

Outdated software is a goldmine for hackers. Companies know this and when they locate a weakness in their own system, they will update the operating system to close those weaknesses and shut down that avenue of attack. But if you don’t update your device, that vulnerability still exists, and hackers know that many users are lackadaisical about updating.

(They add that 40 percent of adults don’t update their computers or mobile devices—which is particularly a problem in the case of hardware that tends to be passively used, such as a home router.)

There is, however, another challenge of software upgrades worth keeping in mind: upgrading too quickly. If your association relies on software that only works with a certain version of an operating system, or your workflow is tied to a certain version of an application, you could be creating technical headaches by forcing through an upgrade before your organization is ready. Mitigate this concern by upgrading when your IT team says you can.

5. Saving Organizational Data to Personal Devices
You may like using your personal laptop rather than your work device, but your bosses probably don’t want you to.

This is a problem for multiple reasons—in fact, in many ways it’s a culmination of all of the other items on this list. Using a personal device basically makes shadow IT the default (scattering corporate data even further), while giving IT teams no control over password use, security tools to avoid problems like phishing, or device management capabilities to encourage upgrades to happen in a timely manner. In other words, it’s the worst of all worlds when it comes to bad practices.

One way to work around an employee’s desire to stick with their home computer? Give your employees a choice in how their work computer is set up—including additional choices in the software tools they use. Don’t force them to use Microsoft Office if they prefer doing things in Google Apps, just as an example.

Making the experience as painless as possible for employees makes them more likely to follow best practices.