3 Types of Human Risk & How to Prevent It in Your Organization
Jun Wed, 2018
Sources of Human Risk
All humans make mistakes, but it is organizations that face the consequences when a mistake leads to a security incident. The weakest link when implementing a cybersecurity program in your organization is your employees. Recent research has stated that human error is cited in 95% of all security incidents, and that hackers have shifted their attention from machines to humans as the way to breach an organization. An example of this is the increase in social engineering and phishing attacks over the last year aimed at manipulating employees into giving up credentials and personal information.
With the increase in cybercrime targeting organizations through their employees, how can you safeguard your company’s information to avoid becoming a victim? We will review the three main types of human error that play a role in successful security attacks, and provide key takeaways for instilling a culture of information security at your organization.
Misuse
Misuse of company resources happens frequently. Employees will use their company devices for personal purposes such as checking online bank accounts or personal email, or even mining cryptocurrency (yes, we have seen this before). Because these activities happen so often, they leave the company vulnerable to a cyber-attack through malware or compromised credentials.
Additionally, there has been an increase in data misuse by employees who are authorized to access sensitive company information within their systems. An example of this is the “Uber God View” incident that occurred in 2015, where an employee violated the company’s policy by using its God View tool to track a journalist who was late for an interview with an Uber executive. The God View tool allows Uber to track both Uber vehicles and customers, and is intended solely for business purposes.
Takeaway: It is important that organizations have a clear policy in place to prevent users from using company resources for personal purposes and to prevent data misuse for personal intent. Moreover, implementing real-time network monitoring will provide greater visibility into whether your employees are using data as the company’s policy requires.
Mistakes
As stated above, mistakes happen all the time, but more often than not they occur because of carelessness, everyday bad habits, and/or a lack of information security training at an organization. Examples of mistakes that can result in a data breach include clicking on unknown emails or downloading unknown files, filling out a form with personal information without confirming the legitimacy of the company or website, not properly disposing of sensitive documents, or sending emails containing sensitive information unencrypted. The list goes on, but these are mistakes that happen all the time without much thought given to the risks involved, and they can leave an organization vulnerable and exposed to a potential data breach.
Takeaway: Fostering a culture of information security will build a resilient network environment, minimizing the cyber risks associated with human error. Your organization should have processes in place for reporting suspicious emails and attacks, and should provide security awareness training and best practices for safeguarding sensitive information.
Malicious Insider Threats
When human error does not result from either misuse or mistake, it’s considered a malicious insider threat. These types of threats could include fraud, theft of confidential or valuable information, theft of intellectual property, or sabotage of the organization’s networks and computer systems.
According to the Insider Threat 2018 Report, 90% of organizations feel vulnerable to insider threats. CEO and Founder of Cybersecurity Insiders, Holger Schulze, stated, “Insider threats are often more damaging than attacks from malicious outsiders or malware. That’s because they are launched by trusted insiders – both malicious insiders and negligent insiders with privileged access to sensitive data and applications.”
Takeaway: It’s imperative that organizations take time to assess their employees and analyze factors such as characteristics, abnormal behaviors, and patterns of suspicious activity. The National Cybersecurity and Communications Integration Center released a guide, Combatting the Insider Threat, which can assist organizations in identifying deviations from behavioral norms so that insider threats can be detected and prevented.
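The two monitoring takeaways above (checking data use against the stated policy, and spotting deviations from a user’s behavioral norms) can be turned into concrete checks. The following is an added example written for this page, not Secuvant’s tooling or the NCCIC guide’s method; it assumes a hypothetical internal lookup tool that writes one audit line per record access in the form `<ISO timestamp> <user> <tool> <records_returned> <ticket or ->`, a hypothetical policy that lookups must cite a ticket and occur between 08:00 and 18:00, and uses a user’s own median daily volume as their norm. The log lines are constructed sample data.

```python
"""Policy and behavioral-deviation checks over constructed audit-log lines.

Added example (not the article's or Secuvant's code). The log format,
the ticket/business-hours policy and the median-based norm are all
assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample log: <ISO timestamp> <user> <tool> <records> <ticket|->
SAMPLE_LOG = """\
2018-06-04T09:12:00 alice locator 3 INC-101
2018-06-04T10:40:00 alice locator 2 INC-102
2018-06-04T11:05:00 bob locator 4 INC-103
2018-06-05T09:30:00 alice locator 2 INC-104
2018-06-05T14:10:00 bob locator 5 INC-105
2018-06-06T09:55:00 alice locator 3 INC-106
2018-06-06T16:20:00 bob locator 3 INC-107
2018-06-07T22:45:00 bob locator 40 -
2018-06-07T09:00:00 alice locator 2 INC-108
"""

BUSINESS_HOURS = range(8, 18)  # assumed policy window: 08:00-17:59
DEVIATION_FACTOR = 5           # flag a day at >= 5x the user's own median


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    tool: str
    records: int
    ticket: Optional[str]


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated audit format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tool, records, ticket = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, tool,
                            int(records), None if ticket == "-" else ticket))
    return events


def policy_violations(events) -> list:
    """Takeaway 1: accesses that contradict the stated usage policy."""
    findings = []
    for e in events:
        reasons = []
        if e.ticket is None:
            reasons.append("no ticket reference")
        if e.ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e.ts.isoformat(), e.user, "; ".join(reasons)))
    return findings


def daily_volume(events) -> dict:
    """Sum records returned per (user, day)."""
    per_user_day = defaultdict(int)
    for e in events:
        per_user_day[(e.user, e.ts.date())] += e.records
    return per_user_day


def behavioral_deviations(events, factor: int = DEVIATION_FACTOR) -> list:
    """Takeaway 3: days whose volume departs sharply from the user's norm.

    The norm is the median of that user's *other* days, so a single
    anomalous day does not inflate its own baseline.
    """
    by_user = defaultdict(dict)
    for (user, day), n in daily_volume(events).items():
        by_user[user][day] = n
    findings = []
    for user, days in by_user.items():
        for day, n in days.items():
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # no history to compare against
            baseline = median(others)
            if n >= factor * baseline:
                findings.append((user, day.isoformat(), n, baseline))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in policy_violations(evts):
        print("POLICY   ", f)
    for f in behavioral_deviations(evts):
        print("DEVIATION", f)
```

Run against the sample log, the policy check flags bob’s late-night lookup with no ticket, and the deviation check flags the same day because 40 records is ten times his median of 4 on other days. In practice the two checks are complementary: the policy check catches what a written rule already forbids, while the behavioral check surfaces unusual activity that no rule anticipated, which is exactly the gap the insider-threat guidance above is pointing at.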
Secuvant can assist your organization in detecting and preventing cyber threats caused by human error. Contact us at (855) 732-8826 or firstname.lastname@example.org to have a security professional answer your questions today.