Why Human Error Is Your Company’s Biggest Cybersecurity Threat—and What to Do About It

In the early days of the internet, the “hacker” archetype was often portrayed as a highly intelligent, slightly erratic, and somewhat mysterious individual who had an innate understanding of computer code and a cavalier attitude toward authority. While hackers are still venerated in some circles, this concept of hacking and cybersecurity, in general, is now outdated.

Most of today’s cybercriminals don’t rely on tactics that involve breaching a single personal computer, and they are far less interested in stealing individual consumers’ identities. According to the Identity Theft Resource Center, a nonprofit, the number of individual victims of cybercrime fell by 66% in 2020 compared with the previous year.

Cybercriminals are instead attacking large corporations, institutions, and even governments. While these targets often have expansive cybersecurity budgets, cybercriminals no longer need to force their way into their systems to hold their networks for ransom or steal valuable data.

They only need to wait for an employee to make a mistake.

Most Data Breaches Are Caused by Employee Mistakes

Almost anyone who uses a computer has received a message from a software vendor telling them to install a critical security patch immediately to protect against an active threat. Indeed, many cybersecurity reports seem to indicate that back-end vulnerabilities in software and operating systems are the primary cause of security breaches.

But according to researchers at Stanford University, this isn’t the case. A joint study between Stanford researchers and security firm Tessian found that 88% of data breaches are caused by employee mistakes, that is, human error. Entitled “Psychology of Human Error,” the study also highlighted that employees are generally unwilling to admit when they’ve made a mistake for fear that the organization will judge them too severely.

Surprisingly, the study also found that nearly 50% of employees are “very” or “pretty” sure they’ve made an error at work that could have led to security issues.

According to the data, younger employees are five times more likely to admit to errors. However, the study also found that older employees are less vulnerable to phishing scams. Only 8% of workers over the age of 51 said they had clicked on a phishing link.

Employee Mistakes to Watch For

While it’s impossible to imagine every scenario that could lead to a data breach, there are a few common mistakes you and your colleagues should watch out for. By making everyone in your organization aware of these issues, you could potentially prevent a serious threat.

Here are a few of the most common mistakes that lead to data breaches.


Weak Log-In Credentials

Weak log-in credentials are a consistent problem for businesses and consumers alike. Passwords are still the primary gateway between a person and their data. If a password is short, drawn from a small set of characters, or easy to guess from what an attacker can learn about the account holder, it’s all too easy for someone to access systems they shouldn’t.

Attackers use automated tools to try candidate passwords against login portals at scale, either brute-forcing a single account or “spraying” a few common passwords across many accounts. But they also rely on the dark web to obtain log-in credentials exposed in other breaches and replay them against your systems, a technique known as credential stuffing.

According to one study, the average person has 100 passwords, which means the average person has about 100 different accounts with different organizations. If those passwords are reused and one of those organizations suffers a data breach, the credentials could wind up for sale on the dark web, putting every other account that shares them at risk.

Every password an employee uses should be unique, and employees should be encouraged to create unique passwords for their personal accounts as well. Many companies now use enterprise-wide password management tools that generate and store strong passwords, so employees can access their accounts without having to remember passwords, write them down, or store them insecurely. Some of these tools also force resets at fixed intervals; be aware that current NIST guidance (SP 800-63B) advises against mandatory periodic changes, which push users toward predictable variations, and instead recommends screening new passwords against known-breached lists and forcing a change only when there is evidence of compromise.
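The following is an added example, not code from the original article or from Uvation, of the kind of screening a login policy can apply to a new password: a length floor, a ban on context words such as the company name, and a lookup against a breached-password corpus using the k-anonymity range model (SHA-1 the password, send only the first five hex characters, match the remainder locally). The breach corpus, the exposure counts, and the 12-character threshold are constructed assumptions; a real deployment would replace `range_lookup` with an HTTPS request to a breach-data service.

```python
"""Password screening following NIST SP 800-63B: length floor, context-word ban,
and a breach check done with the k-anonymity range model (only a 5-hex-char
SHA-1 prefix leaves the client). Added example; the breach corpus and the
thresholds are constructed assumptions, not the article's."""

import hashlib

MIN_LENGTH = 12  # assumed policy floor (NIST's minimum is 8; longer is better)

# Constructed breach corpus: plaintext passwords with made-up exposure counts.
_CONSTRUCTED_BREACHES = {"password123": 123456, "Summer2020!": 4521, "letmein": 99999}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format breach-range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_db(breaches: dict) -> dict:
    """Index breached hashes by 5-char prefix, as the remote range service does;
    each bucket holds 'SUFFIX:COUNT' lines."""
    db = {}
    for pw, count in breaches.items():
        h = sha1_hex(pw)
        db.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return db


RANGE_DB = build_range_db(_CONSTRUCTED_BREACHES)


def range_lookup(prefix: str) -> list:
    """Stand-in for the network request; in production this is an HTTPS GET of
    the prefix. Only these 5 characters ever leave the client."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly a 5-hex-char prefix")
    return RANGE_DB.get(prefix, [])


def breach_count(password: str, lookup=range_lookup) -> int:
    """Number of times the password appears in breach data (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def check_password(password: str, context=(), lookup=range_lookup) -> list:
    """Return the reasons a password fails policy; an empty list means accepted.
    `context` holds words that must not appear, e.g. the company name or username."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for word in context:
        if word.lower() in lowered:
            problems.append(f"contains context word '{word}'")
    n = breach_count(password, lookup)
    if n:
        problems.append(f"found {n} times in breach data")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2020!", "correct horse battery staple", "AcmeCorp-welcome-2024"):
        print(pw, "->", check_password(pw, context=["acmecorp"]) or "accepted")
```

Note that no composition rule (mixed case, digits, symbols) is enforced: the breach check and the length floor do more against real attacks than forcing users into “Summer2020!”-style patterns, which are short, predictable, and already in every cracking wordlist.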

Careless Handling of Data

Today’s employees work with massive amounts of data every day. It’s only a matter of time before they make a mistake while handling that data.

Data can be mishandled in a variety of ways. An employee could accidentally send sensitive information in an email, or send it to the wrong recipient. They could share sensitive data with colleagues over unsanctioned messaging services. While working out of the office, they could send sensitive data over an unsecured wireless network where it can be intercepted.

These types of errors occur in even the most secure organizations. In 2018, the U.S. Marine Corps Reserve suffered a data breach and exposed thousands of servicemembers’ information. All it took was for someone to send an unencrypted email with an attachment containing the data.

Training alone does not stop these errors. Protocols that assume a mistake will eventually happen, such as mandatory encryption for sensitive attachments, restrictions on which channels may carry sensitive data, and automated inspection of outbound messages, are necessary to protect company data, and they must be enforced rather than merely documented.
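An added example, not code from the original article or from Uvation, of the automated outbound inspection described above: a small data-loss-prevention check that scans a message for identifiers that should never travel unencrypted (here U.S. Social Security numbers and payment card numbers, the latter confirmed with the Luhn checksum so that invoice numbers are not flagged) and blocks the message unless it is encrypted. The four sample messages and the `encrypted` flag are constructed; the patterns are illustrative rather than a complete ruleset.

```python
"""Outbound-message inspection of the kind a data-loss-prevention control runs
before an email leaves the organization. Added example; sample messages are
constructed and the two patterns are illustrative, not an exhaustive ruleset."""

import re

# U.S. SSN with the assignment rules that rule out obviously bogus values
# (area 000, 666 or 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return [(kind, value)] for every sensitive identifier found, in text order."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append((m.start(), "ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Luhn drops order/invoice numbers that merely look like a card number.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.start(), "card", m.group()))
    return [(kind, value) for _, kind, value in sorted(findings)]


def decide(message: dict) -> str:
    """Policy: sensitive identifiers may leave only inside an encrypted message."""
    if scan(message["body"]) and not message.get("encrypted", False):
        return "block"
    return "allow"


# Constructed sample outbound messages (not real data).
SAMPLE_MESSAGES = [
    {"id": 1, "encrypted": False,
     "body": "Reserve roster attached. John Doe, SSN 123-45-6789, DOB 1990-01-02."},
    {"id": 2, "encrypted": True,
     "body": "Card on file 4111 1111 1111 1111 expires next month, please update."},
    {"id": 3, "encrypted": False,
     "body": "Invoice 4111 1111 1111 1112 was reissued; order ref 000-12-3456."},
    {"id": 4, "encrypted": False,
     "body": "Meeting moved to 10:30 in room 204."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["id"], decide(msg), scan(msg["body"]))
```

Message 1 is blocked because it carries an SSN in the clear; message 2 carries a real-looking card number but is allowed because it is encrypted; message 3 passes because its 16-digit invoice number fails the Luhn check and “000-12-3456” is not a valid SSN. In production the same scan would also be run over the text extracted from attachments, since that is exactly how the Marine Corps Reserve data left the building.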

Outdated or Unauthorized Software

As we noted previously, software that hasn’t received the latest security updates gives attackers an entry point. When a vulnerability becomes public, attackers use scanners to search the internet for systems that haven’t been patched, or they target large institutions they know run the affected software.

Unfortunately, many employees put off updates to software and operating systems when they are pressed for time and simply want to get their work done.

Unauthorized software can also lead to a breach. If an employee installs insecure software on a company workstation, it can compromise the system by giving outsiders a way in. A simple program like a video game or personal time-management app may seem harmless, but if it hasn’t been vetted by the IT department, it could be the path to a breach.

Lack of Knowledge and Awareness

There’s a simple reason why hackers now rely so much on social engineering attacks: They work.

Employees who haven’t been trained to recognize phishing emails, malicious links, voice phishing over the phone (“vishing”), and other common social engineering attacks like baiting and pretexting are more likely to engage with them than those who have been made aware of them.

Email and web filtering can block a significant number of social engineering attempts. But because these attacks target people rather than systems, they must also be countered by your employees. Simple training programs help, but you should also establish protocols for verifying the authenticity of communications such as emails and text messages, for example confirming any request to change payment or bank details through a phone number you already have on file rather than one supplied in the message.
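The check below is an added example, not code from the original article or from Uvation, of one mechanical verification a mail filter can apply before a message ever reaches an employee: does the domain shown in the From: header actually line up with the SPF and DKIM results the receiving server recorded? This alignment test is the core of DMARC. A lookalike sender can pass SPF and DKIM for its own domain while displaying a trusted name, which is exactly what alignment catches. The three messages are constructed, and the two-label approximation of the organizational domain is an assumption noted in the code.

```python
"""DMARC-style alignment check: compare the visible From: domain with the
SPF/DKIM authenticated domains from the Authentication-Results header.
Added example; messages are constructed and org_domain() is an approximation."""

import email
import re
from email.utils import parseaddr


def parse_auth_results(header_value: str) -> list:
    """Parse an Authentication-Results header into [(method, result, {prop: value})].
    Parenthesized comments such as '(good signature)' are dropped first."""
    cleaned = re.sub(r"\([^)]*\)", "", header_value or "")
    results = []
    for part in cleaned.split(";")[1:]:        # part 0 is the authserv-id
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results.append((method.lower(), result.lower(), props))
    return results


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels. Real DMARC uses the
    Public Suffix List, so this shortcut is wrong for e.g. 'example.co.uk'."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, relaxed: bool = True) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if not a or not f:
        return False
    return a == f or (relaxed and org_domain(a) == org_domain(f))


def check_message(raw: str, relaxed: bool = True) -> dict:
    """Return per-method (result, authenticated domain, aligned?) and an overall verdict."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "spf": None, "dkim": None, "pass": False}
    for method, result, props in parse_auth_results(msg.get("Authentication-Results", "")):
        if method == "spf":
            dom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            report["spf"] = (result, dom, result == "pass" and aligned(dom, from_domain, relaxed))
        elif method == "dkim":
            dom = props.get("header.d", "")
            report["dkim"] = (result, dom, result == "pass" and aligned(dom, from_domain, relaxed))
    # DMARC passes if at least one authenticated identifier is aligned with From:.
    report["pass"] = any(r is not None and r[2] for r in (report["spf"], report["dkim"]))
    return report


# Constructed messages as a receiving server might hand them to a filter.
LEGIT = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@acme.example;
 dkim=pass (good signature) header.d=acme.example
From: "Acme Payroll" <payroll@acme.example>
To: staff@corp.example
Subject: Updated direct-deposit form

Please review the attached form.
"""

LOOKALIKE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@mailer.example.org;
 dkim=pass header.d=mailer.example.org
From: "Acme Payroll" <payroll@acme-example.com>
To: staff@corp.example
Subject: Urgent: confirm your bank details

Click the link below to confirm your details.
"""

FAILED = """\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=acme.example; dkim=none
From: "Acme Payroll" <payroll@acme.example>
To: staff@corp.example
Subject: Updated direct-deposit form

Please review the attached form.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("failed", FAILED)):
        print(name, check_message(raw))
```

The lookalike case is the instructive one: both SPF and DKIM report `pass`, so a filter that only looks at those results would let it through, yet neither authenticated domain belongs to the organization named in the From: header, so the overall verdict is a fail. The same display name, “Acme Payroll,” appears in all three messages, which is why employees should be taught to look at the address and domain rather than the name.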

Keep in mind that social engineering attacks don’t just occur over email. They can occur in other communication-heavy spaces like video meeting tools, chat tools, and even in-person social situations.

Protecting Your Company from Human Error

It’s impossible to expect all your employees to act perfectly all the time. That’s why the systems and processes you put into place to prevent human error are so important. Instead of relying solely on individuals to do the right thing, you can rely on a network of protocols to ensure everyone is engaging in best practices to keep the company safe.

Protecting your company from human error boils down to four basic steps.


Update

Ensure all your software solutions, apps, and operating systems are updated with the latest patches. Enable automatic updates wherever possible. Your IT department should know when updates are available, and they should roll them out on a defined schedule, with a faster track for patches that fix actively exploited vulnerabilities.

You should also update your security protocols regularly to take new threats into account. Make sure your employees practice secure habits when communicating internally and externally. Put encryption systems, firewalls, password management and governance tools, and password requirements in place to keep your systems secure.

Educate

Educate your employees about the latest cybersecurity risks and pay special attention to social engineering attacks. Your employees must be able to recognize attacks like phishing on their own.

Simple steps like teaching your employees to verify the authenticity of an email can go a long way.

Enforce

Enforce your new protocols using a zero-trust security framework, which requires every user and device to be authenticated, authorized, and continuously validated, whether inside or outside the organization’s network.

Require strong, unique passwords, and require employees to change a credential whenever it may have been exposed. Let an automated password generator and a password manager do the work so that strong credentials are the path of least resistance, and add multi-factor authentication so that a leaked password alone is not enough to log in.

Maintain an allowlist of permitted software and ensure your employees only install solutions that have been vetted by your IT team. Inventory company devices regularly to confirm no unauthorized programs have been installed.

Monitor

Finally, monitor employee activity on company devices. If employees use personal devices for work while at home, require that work access go through a managed profile or container that your device-management and monitoring software can cover, rather than leaving the personal device entirely outside your controls.

Some employees may feel that this is invasive, but it is a necessary measure to ensure they stay secure when accessing your company’s network remotely. To ease their concerns, scope the monitoring to the work profile and to the time they are connected to the company network, tell them exactly what is collected, and check the arrangement against the privacy law that applies to them.

Harness the Latest Cybersecurity Capabilities with Uvation

Uvation takes a holistic approach to cybersecurity. We can provide you with the latest cybersecurity technologies as well as comprehensive services like network monitoring, incident response, and SOC as a service.

If you’re struggling to enact security standards and are concerned about human error, we can help you establish the processes you need to keep your data safe.

Contact us today to learn more about our capabilities.
