Avoid Cybersecurity Nightmares this Spooky Season

Seemingly unpopular opinion: I am not a scary movie fan.

My rationale – and excuse – for avoiding scary movies has always been that I have an overactive imagination. A frightful film is grounds for sleepless nights, no matter how far-fetched the storyline may seem.

Some of my colleagues and I landed on the scary movie topic (and lighthearted debate) on a recent elevator ride. The initial conversation started with discussion of the broad spectrum of themes represented by entries in a local scarecrow contest – some traditional and some menacing.

But that got me thinking too – the scariest thrillers of all can be the ones anchored in reality. And while scarecrows were originally designed to help protect crops, who scares off the digital villains?

“Scary” doesn’t exist only in scary movies and Halloween decor.  While ‘‘’tis the spooky season,” October is also Cybersecurity Awareness Month. In the digital world we live in, villains can linger around every cyber-corner. They infect our inboxes, they lure us with clickbait, and they do their darndest to ‘get inside the house’ built of our personal information and corporate data.

To gauge just how scary the cybersecurity landscape is, I turned to the popular social media site, Reddit.

The following is a small sample of anecdotes featuring the bad, the worse, and the funny from the myriad of ways to poorly handle cybersecurity. These are compiled from several /cybersecurity threads addressing questions like, “What’s the scariest cyber threat you’ve encountered?” and “What are your cyber security horror stories?”

Overly transparent salary information

“W-2s for all 50,000 employees, including the CEO, at a Fortune 100 in a single PDF file on a network share accessible by any authenticated user (FT employee, contractor, vendor), accessible for 11 years without any logging on who may have accessed it.”

u/ Fantastic-Quail1288

Exposing personally identifiable information (PII) includes legal ramifications. In a case like the above, it also creates cyber-susceptibility for each individual exposed.

Forgo the Firewall?

“I was on a network survey and they told me one of their sister-sites put their entire network in their DMZ for “ease of access”

I bout stroked out.”

u/ ItsYaBoiSoup

DMZ stands for “demilitarized zone,” and is on the wrong side of a firewall regarding security. Firewalls act to keep the bad guys out of the important areas of your network – “ease of access” in this example means leaving the entire network exposed to mal-intended entities.

Passwords, mismanaged.

“Had an employee storing work related passwords and credentials in their personal password manager. That was a fun one.”

u/ Inubito

Personal password managers are not necessarily encrypted and can end up attached to vulnerable accounts. Offering an approved password manager can help secure logins and help prevent them from ending up in unauthorized spaces.

Password strength: Weak.

“Large health clinic 3-4 years ago.

RDgateway, all of the doctors login passwords were password.”

u/ PitcherOTerrigen

Luckily, when signing up for most services today the password field will prompt you to create strong passwords. Ease of access for a team should never compromise access security.

Ghost Associates

“During an audit I discovered that an employee that never got hired had active access to our environment for over half a year. That hiring manager got an ear full from me. Because of that I revamped the provisioning and audit process.

The second but probably worse, a student found a credential dump on the website. Was before my time.”

u/ RantyITguy

Digital cleanup is often overlooked. Performing regular audits to monitor file storage, employees’ accesses and permissions, as well as implementing password lockouts are important steps to increasing security.

Malware Malady

“Earlier in my career, I worked at a large financial (100k employees) with a huge network, all IT support was outsourced.  We had an outbreak of old, dated malware and we were really confused why it was so hard to manage until the company we outsourced IT support to admitted to shutting off all AV scanning on the NAS due to performance complaints.”

u/ FishHikeMountainBike

A couple of shorthand terms to cover here, AV is antivirus and NAS stands for ‘network attached storage’. Regular monitoring is an imperative piece of network and file security. Additionally, a good partnership should never expose your business by compromising data security such as in this post.

Easy Infiltration

“So, I was at a cybersecurity conference, and we were participating in a CTF as the red team. The goal was to break into the blue team’s network, find vulnerabilities, steal some data, and get out quietly. Everything was going smoothly-we found a vulnerability in their VPN pretty quickly, just a misconfiguration they overlooked. Within 15 minutes, we were inside their network.

Now, one of our guys found their media server, which controlled the PA system and projectors in the conference hall. Instead of just doing our job and quietly exfiltrating data, he thought it’d be hilarious to mess with their sound system. So, he wrote a script to play this creepy horror movie soundtrack over the speakers in the main conference room.

At that exact moment, there was a talk going on about “the importance of security in corporate networks,” and suddenly, the room was filled with eerie whispers and strange noises. The presenter froze, and people in the audience started looking around, not knowing what was going on. It went on for a couple of minutes before the organizers figured out that someone had compromised their PA system. And, of course, they immediately looked at us, even though we were sitting there trying to act like we had nothing to do with it.

In the end, our “joker” got a stern warning, and we were on a short leash for the rest of the event.”

u/ Front-Buyer3534

This one had to be included for the laughs but highlights how the slightest detail – a misconfigured VPN in this case – can expose systems to greater threats from infiltrators.

Aside from getting a laugh from that last example, after reading through these threads I wouldn’t claim I calmed my nerves, as one frightening takeaway lingers:

Mishandling data and access in our cyber world is an easy misstep to make.

From a business perspective, failing to take data and cyber security seriously can be costly – IBM’s 2024 report noted the global average cost of a data breach is 4.88 million USD, with the Identity Theft Resource Center reporting over 2,000 cyberattacks in 2023.

To avoid falling victim to a cyber breach, it’s important to prioritize strong cybersecurity practices and work with trusted cybersecurity partners. Ways to step up your cybersecurity game include:

1. Tighten password security, with regular password updates and multi-factor authentication. This diminishes exploitable weak points.
2. Implement robust access controls. This ensures only authorized personnel have access to appropriate portals and information.
3. Perform regular audits and monitoring. This helps catch potential vulnerabilities and suspicious activity.
4. Train all members of your teams in cybersecurity awareness, and periodically reinforce this training. This helps ensure everyone is part of your defense.

By fostering a culture of awareness and improving processes, you can fortify your defenses and stay ahead of threats, protecting yourself from costly breaches – and reduce the chance of ending up in the next thread of cybersecurity horror stories.

Related Articles: