Cyber Security Worst Practices – 8 Must-Break User Habits


People can be a business’s greatest asset, but they can also be its biggest cyber security liability. Cyber criminals are drawn to the path of least resistance and, when compared to today’s highly advanced security solutions, that’s often what users represent.

Using data collected in Dell Technologies’ End User Security Survey, our team has compiled a list of eight all too common cyber security worst practices.

Accessing confidential data over public Wi-Fi. The risks of connecting to unsecured public Wi-Fi are plentiful and yet the message hasn’t connected with users. Despite the ease with which attackers can use these services to execute man-in-the-middle attacks, users continue to lean on public Wi-Fi. In fact, in Dell’s survey, 46% of respondents admitted to not just using public Wi-Fi, but using it to access company data.

Conducting work via personal email. IT teams can restrict the flow of information into and out of their company over corporate email. Personal email, however, is a different story. Yet, very nearly half (49%) of those surveyed said they conduct business using their personal accounts. This effectively shuts out those in IT tasked with keeping users and company data secure.

Emailing confidential data to those outside the company. Employees’ bad email behavior goes beyond blurring the lines between personal accounts and business workloads. Just under half (45%) acknowledged emailing sensitive files outside the organization. Even though controls exist for managing how data is handled, the risk of misuse remains high.

Taking information with them when they go. Far too often, when an employee leaves a company, he or she doesn’t do so empty-handed. Instead, 35% say it is routine to take data with them when they leave. The survey didn’t specify what kind of data departing users are helping themselves to, but employers would almost certainly prefer it to stay in-house.

Putting their faith (and company data) in over-the-counter cloud. For some users, Shadow IT has become a way of life. More than half (56%) said they use publicly available tools including Dropbox and Google Drive for storage and collaboration. It’s unknown whether or not they are aware of the dangers of this approach.

Seeing security as “somebody else’s problem.” First the good news: According to Dell’s research, 65% of employees see security as their duty. They believe it is up to them to educate themselves on threats and behave responsibly. What lands this in the domain of cyber security worst practices is the fact that the remaining 35% still see themselves as removed from their company’s security challenges.

Suffering from security overconfidence. Confidence is good, but too much can be hazardous. Dell’s study found just 22% of employees are worried that, someday, they might cause a cyber-attack or some other security disaster. In truth, any employee, regardless of position or age, could become a victim.

Failing to take training to heart. The majority of those Dell surveyed (63%) are required by their employers to attend cyber security readiness training. However, some are struggling to apply those lessons. Just under one-in-five (18%) engaged in unsafe behaviors post-training without realizing what they were doing was wrong. Furthermore, 24% knew their actions were unsafe, but carried on anyway.

500 Million Marriott Guest Records Stolen in Data Breach


The world's biggest hotel chain, Marriott International, disclosed that unknown attackers compromised the guest reservation database of its subsidiary Starwood Hotels and walked away with personal details of about 500 million guests.

Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

The incident is believed to be one of the largest data breaches in history, second only to the Yahoo breach (which occurred in 2013 and was disclosed in 2016 and 2017), in which nearly 3 billion user accounts were compromised.

The intrusion into Starwood's systems dates back to 2014, when an "unauthorized party" gained access to the Starwood guest reservation database and, according to Marriott, copied and encrypted the information in preparation for taking it out of the network.

Marriott discovered the breach on September 8 this year after it received an alert from an internal security tool "regarding an attempt to access the Starwood guest reservation database in the United States."

On November 19, the investigation into the incident revealed that there was unauthorized access to the database, containing "guest information relating to reservations at Starwood properties on or before September 10, 2018."

The stolen hotel database contains sensitive personal information of nearly 327 million guests, including their names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date, and communication preferences.

What's worrisome? For some users, stolen data also includes payment card numbers and payment card expiration dates.

But, according to Marriott, "the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)." Attackers need two components to decrypt the payment card numbers, and "at this point, Marriott has not been able to rule out the possibility that both were taken." That caveat matters: encryption at rest only protects the card numbers if the key material was kept out of reach of the same intruder who copied the database.
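Marriott did not say what its "two components" were. The usual design, shown here as an added example written for this digest and not Marriott's or Starwood's own code, is envelope encryption: the database holds the AES-128-encrypted card number together with a per-record data key that is itself encrypted ("wrapped") under a key-encryption key (KEK), and the KEK lives only in a separate key store such as an HSM or KMS. The card number, key sizes, and the AES-GCM mode used are assumptions for illustration; the point the code makes is that a copy of the database alone yields nothing, while database plus KEK yields everything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext under a 16-byte AES-128 key with AES-GCM and
// returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CardRecord is what the reservation database stores for one card: the
// encrypted card number and the per-record data key, wrapped under a KEK
// that is never stored in the database (assumed design, not Marriott's).
type CardRecord struct {
	EncryptedPAN []byte
	WrappedDEK   []byte
}

// StoreCard encrypts pan under a fresh data key and wraps that key with kek.
func StoreCard(kek []byte, pan string) (CardRecord, error) {
	dek := make([]byte, 16) // AES-128 data-encryption key
	if _, err := rand.Read(dek); err != nil {
		return CardRecord{}, err
	}
	encPAN, err := seal(dek, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{EncryptedPAN: encPAN, WrappedDEK: wrapped}, nil
}

// ReadCard needs both components: the record (from the database) and the
// KEK (from the key store). Either one alone yields nothing.
func ReadCard(kek []byte, rec CardRecord) (string, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pan, err := open(dek, rec.EncryptedPAN)
	if err != nil {
		return "", fmt.Errorf("decrypt card number: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 16)
	rand.Read(kek)
	rec, err := StoreCard(kek, "4111111111111111") // constructed test number
	if err != nil {
		panic(err)
	}
	// The application, holding the KEK, reads the card back.
	pan, err := ReadCard(kek, rec)
	fmt.Println("with KEK:", pan, err)
	// An attacker who copied only the database has the ciphertext and the
	// wrapped key but not the KEK; GCM rejects the wrong key outright.
	stolenKek := make([]byte, 16)
	_, err = ReadCard(stolenKek, rec)
	fmt.Println("database copy only:", err)
}
```

The design choice worth noting is that a compromise of the database server, which is what the Starwood disclosure describes, should not be a compromise of the KEK; if the KEK is reachable from the same host (a config file, an environment variable, a key table in the same database), "encrypted with AES-128" offers no protection against the attacker who took the data.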

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," the company said in a statement.

Marriott confirmed that its investigation into the incident only identified unauthorized access to the separate Starwood network and not the Marriott network. It has also begun informing potentially impacted customers of the security incident.

The hotel company has begun notifying regulatory authorities and also informed law enforcement of the incident and continues to support their investigation.

Since the breach involves EU residents' data, it falls under the European Union's General Data Protection Regulation (GDPR). If Marriott is found to have broken GDPR rules, it could face a maximum fine of €20 million (the UK regulator quotes this as roughly £17 million) or 4 percent of its annual global turnover, whichever is higher.

US Postal Service Left 60 Million Users Data Exposed For Over a Year


The United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone who has an account at the USPS.com website.

The U.S.P.S. is an independent agency of the American federal government responsible for providing postal service in the United States and is one of the few government agencies explicitly authorized by the United States Constitution.

The vulnerability was in an application programming interface (API) for the USPS "Informed Visibility" program, designed to help business customers track mail in near real time. The API checked that a caller was logged in to USPS.com but did not check that the logged-in user was entitled to the records being requested, so any account holder could query other customers' data.

An attacker could have pulled email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data from as many as 60 million USPS customer accounts.
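The flaw class described above, an API that authenticates the caller but never checks that the requested record belongs to that caller, is easy to reproduce and easy to fix. The following is an added example written for this digest, not USPS code: it assumes a session cookie identifies the caller and that accounts are looked up by a numeric id supplied in the query string; the account data and session tokens are constructed. The same handler is built twice, once reproducing the missing check and once enforcing ownership.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Account is a constructed stand-in for a customer record.
type Account struct {
	ID      string `json:"id"`
	Email   string `json:"email"`
	Address string `json:"address"`
}

// Constructed sample data: two customers and their session cookies.
var accounts = map[string]Account{
	"1001": {ID: "1001", Email: "alice@example.com", Address: "1 Main St"},
	"1002": {ID: "1002", Email: "bob@example.com", Address: "2 Oak Ave"},
}
var sessions = map[string]string{ // session cookie value -> account id
	"sess-alice": "1001",
	"sess-bob":   "1002",
}

// callerID resolves the request's session cookie to the account that owns it.
func callerID(r *http.Request) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	id, ok := sessions[c.Value]
	return id, ok
}

// NewAccountAPI builds GET /api/account?id=<n>. With enforceOwnership=false
// it reproduces the flaw: the API confirms the caller is logged in but never
// that the requested id is the caller's, so any customer can walk the id
// space. With true, the id must match the session owner.
func NewAccountAPI(enforceOwnership bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/account", func(w http.ResponseWriter, r *http.Request) {
		caller, ok := callerID(r)
		if !ok {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		id := r.URL.Query().Get("id")
		if enforceOwnership && id != caller {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		acct, ok := accounts[id]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(acct)
	})
	return mux
}

// FetchAccount plays the client: a user with the given session cookie asks
// for account id. It returns the HTTP status and response body.
func FetchAccount(h http.Handler, session, id string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/account?id="+id, nil)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Body.String()
}

func main() {
	for _, enforce := range []bool{false, true} {
		api := NewAccountAPI(enforce)
		fmt.Printf("ownership check enabled: %v\n", enforce)
		// Alice, logged in, enumerates ids including Bob's.
		for _, id := range []string{"1001", "1002", "1003"} {
			code, body := FetchAccount(api, "sess-alice", id)
			fmt.Printf("  id=%s -> %d %s", id, code, body)
		}
	}
}
```

In practice the stronger fix is to not accept an account id from the client at all for "my account" style endpoints (serve /api/account/me from the session), and to apply the ownership check in one shared layer rather than in each handler, because a single handler that forgets it is enough to expose the whole customer table.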

USPS Ignored Responsible Disclosure For Over a Year

The unnamed researcher reportedly discovered and responsibly reported this vulnerability to the Postal Service last year. USPS ignored the report and left its users’ data exposed until last week, when a journalist contacted USPS on behalf of the researcher. After that, the Postal Service addressed the issue within 48 hours.

USPS Responds by Saying:

"We currently have no information that this vulnerability was leveraged to exploit customer records. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."

Instagram Accidentally Exposed Some Users' Passwords

Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users' passwords in plain text.

The company recently started notifying affected users of a security bug in a newly offered feature called "Download Your Data," which lets users download a copy of everything they have shared on the platform, including photos, comments and posts.

To prevent unauthorized users from getting their hands on your personal data, the feature asks you to reconfirm your password before downloading the data.

However, according to Instagram, for some users who had used the Download Your Data feature, the plaintext password was included in the URL and was therefore also stored on Facebook's servers; a URL, query string included, is routinely written to web-server access logs and browser history. The bug was discovered by Instagram's internal team.

The company said the stored data has been deleted from the servers owned by Facebook, Instagram's parent company and the tool has now been updated to resolve the issue, which "affected a very small number of people."
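The mechanism behind this class of bug is that anything placed in a URL is copied wherever URLs are copied: access logs, proxy logs, browser history and Referer headers. The following is an added example written for this digest, not Instagram's or Facebook's code, and it assumes the simplest version of the bug: a password-reconfirmation form whose password field travels in the query string. A small logging wrapper plays the role of the web server's access log; the password, paths and handler logic are constructed. The same handler is run twice, once reading the password from the URL and once requiring a POST body.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed credential for the demo; a real service compares a hash.
const correctPassword = "hunter2"

// AccessLog mimics an ordinary web-server access log, which records the
// method and the full request URI, query string included.
type AccessLog struct{ Lines []string }

func (l *AccessLog) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		l.Lines = append(l.Lines, r.Method+" "+r.URL.RequestURI())
		next.ServeHTTP(w, r)
	})
}

// ConfirmHandler reconfirms the password before starting a data export.
// passwordInURL=true reproduces the bug class: the password is read from
// the query string, so it lands in logs, history and Referer headers.
// passwordInURL=false requires a POST and reads the password from the body.
func ConfirmHandler(passwordInURL bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var pw string
		if passwordInURL {
			pw = r.URL.Query().Get("password")
		} else {
			if r.Method != http.MethodPost {
				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
				return
			}
			if err := r.ParseForm(); err != nil {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			pw = r.PostFormValue("password")
		}
		if subtle.ConstantTimeCompare([]byte(pw), []byte(correctPassword)) != 1 {
			http.Error(w, "wrong password", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "export started")
	})
}

// Confirm sends one reconfirmation request through the logging wrapper and
// returns the status code and the line the access log recorded.
func Confirm(passwordInURL bool) (int, string) {
	accessLog := &AccessLog{}
	h := accessLog.Wrap(ConfirmHandler(passwordInURL))
	var req *http.Request
	if passwordInURL {
		req = httptest.NewRequest(http.MethodGet,
			"/download?password="+url.QueryEscape(correctPassword), nil)
	} else {
		form := url.Values{"password": {correctPassword}}
		req = httptest.NewRequest(http.MethodPost, "/download",
			strings.NewReader(form.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, accessLog.Lines[0]
}

func main() {
	for _, inURL := range []bool{true, false} {
		code, line := Confirm(inURL)
		fmt.Printf("password in URL=%v -> status %d, access log: %q\n", inURL, code, line)
	}
}
```

Both variants authenticate correctly, which is why this bug survives testing: the functional behaviour is identical and only the log line differs. The check a practitioner wants is a search of access logs and client-side history for credential-like parameter names, and a rule that credentials and session tokens never travel in a URL.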

Affected users are highly recommended to change their passwords and clear their browser history as soon as possible.

If you have not received any notification from the photo-sharing service yet, it means your Instagram account and password are apparently not affected by the bug. If you are still concerned about the privacy and security of your account, you can also consider changing your password.

Users are also advised to enable two-factor authentication (2FA) and always secure their accounts with a strong and unique password.

How to Safely Shop Black Friday Deals Online


Black Friday is no longer a one-day shopping bonanza on the day after Thanksgiving. It has become a shopping season that starts right after Halloween and can continue for weeks after Thanksgiving, paving the way for the Christmas shopping season.

Every year retailers are determined to get the most out of the shopping mood that engulfs deal-seekers around Thanksgiving; cyber criminals, however, are just as active during shopping seasons. Here are some tips so you can safely enjoy Black Friday and Cyber Monday shopping.

HTTPS

One of the most common mistakes online shoppers make is to perform transactions on websites that do not support the secure version of HTTP. If the site you are on lacks the padlock next to the URL, move on to another site that offers the same product over a secure connection. Information transmitted over plain HTTP can be recorded by anyone on the network path, and sometimes even the website owners do not know that their customers' data is being captured by a third party. Always make sure the URL of the store you are visiting starts with HTTPS. Note what the padlock does and does not tell you: it means your connection to the site named in the address bar is encrypted, not that the site is honest or that the name is the one you meant to visit. Phishing and scam sites use HTTPS too, so check the domain name as well as the padlock.

Antivirus software

Having antivirus software installed on the devices you use to make online purchases is as essential as having insurance on your car. Quality antivirus software can block many known malicious websites, stop known malicious processes from taking over your device, filter suspicious email attachments and warn you when something does not look right. It is not a guarantee: it catches what it recognises, so it complements the other habits on this list rather than replacing them. Antivirus software companies spend millions of dollars on research and development and have dedicated teams working to make sure you are not an easy target.

Password hygiene

Registering on random websites here and there might be tempting while you look for the next Cyber Monday deal, but some of the sites you visit may not be secure, and some may exist only to collect your login details and try them elsewhere. The best protection is never to use the same password on different websites. Use a password manager to generate and store a unique password for each site; if you must keep passwords on paper, store the paper somewhere physically secure. Surveys consistently find that around half of users admit to reusing passwords across websites, which means that if one of those websites is hacked, attackers can use the leaked password to get into your other, legitimate accounts.

Update your OS and also your software

Updates not only make your products better but also patch vulnerabilities. If you decide not to update your software or operating system, the work of the security engineers who fixed those vulnerabilities is wasted, because the holes remain open on your device. This is one reason so many hospitals get hacked: they simply cannot find the time to reboot and update.

Phishing emails

If you receive a Black Friday deal in an email that rushes you to buy something at a fantastic price, and you do not recognize the email or the outlet that is approaching you, just ignore it. Do not click on any of the links inside and if possible, do not even open the email. Just move it to your junk folder and move on with your life.

Self-behavior

You have to be cautious and avoid deals that are too good to be true. If you receive a text message offering 95% off Ray-Ban sunglasses, or the latest iPhone XR for a couple of hundred dollars, you are most likely being scammed. What makes things worse is that your email address or phone number has been obtained by criminals who are betting that you will fall for the trick.

Public Wi-Fi networks

Yes, we get it: data is expensive, and your monthly wireless bill keeps getting higher. Next time you are on a lunch break away from the office you may feel tempted to join one of those free Wi-Fi networks. Don’t, especially when you are shopping. On an open Wi-Fi network anyone nearby with modest IT knowledge can see which sites you connect to and read any traffic that is not encrypted, and a rogue access point with a familiar name can sit between you and the internet. HTTPS protects the contents of a properly secured session, but a plain-HTTP page, a mistyped address or a certificate warning you click through can expose card details, your SSN, passwords and more. If you must use public Wi-Fi, use a VPN and never proceed past a certificate warning.

Credit Card

Even if you are not a big fan of credit cards, we advise using one for online purchases. This does not mean you have to carry a balance; you can pay it off right away. If fraudsters drain your checking account through a debit card, getting the money back can be slow and difficult. With a credit card, disputed charges are the issuer's money, not yours, and most issuers offer chargebacks and zero-liability fraud protection, so if you do fall victim to a cybercrime you are far more likely to be made whole. Even so, it is always best to be cautious and simply avoid becoming a victim.