Human Error in Cyber Security: Defending Against the Weakest Link
Oct 17, 2019
In 2018, cyber risk took center stage: GDPR enforcement began, and a string of cyber-attacks and data privacy scandals made headlines. The most prominent was Facebook’s Cambridge Analytica scandal, in which an app developer harvested data on up to 87 million Facebook users without their consent and passed it to Cambridge Analytica, which allegedly used it to influence the 2016 presidential election. Other prominent data breaches included Quora, where attackers gained access to its systems and retrieved account information for over 100 million users, and Chegg, where unauthorized access to the company’s database exposed over 40 million accounts.
Consumer data protection and cyber security practices will be paramount moving forward in safeguarding a company’s information and protecting its clients’ data. So, where should a company start? Security begins with people. Your employees are your greatest asset, but they can also be your weakest link. Several recent studies by research organizations have found human error to be the leading cause of data breaches in the United States. According to Experian’s Managing Insider Risk Through Training and Culture report, over 66% of the data protection and privacy training professionals surveyed labeled their employees the weakest link in safeguarding the organization from cyber threats. Another study found that approximately 47% of business leaders said human error had caused a data breach at their organization, with employee negligence reported as the main cause.
As companies move forward in safeguarding and protecting their sensitive information, how do we combat human error in cyber security? There are important tactics to start with and our experts at Secuvant are here to help.
Types of Human Error
Insider threats arise from human error or from malicious intent, so it’s important that organizations take the time to baseline their employees’ normal activity so that abnormal behavior and patterns of suspicious activity can be identified. Human factors contribute to successful attacks in three ways:
- User Misuse – Employees use company resources for unsanctioned purposes, such as checking personal bank accounts or personal email from work systems, exposing the company to malware or to credential theft.
- User Mistake – Humans make mistakes all the time, usually through carelessness or negligence. Clicking links in unknown emails or downloading unknown files, filling out a form with personal information without confirming the legitimacy of the company or website, failing to dispose of sensitive documents properly, or sending sensitive information in unencrypted email are all common employee mistakes.
- User Malice – A malicious insider acting deliberately: fraud, theft of confidential or valuable information, theft of intellectual property, or sabotage of the organization’s networks and computer systems.
Insider threat statistics from the Ponemon Institute show employee or contractor negligence responsible for two out of three insider threat incidents, costing organizations an average of $3.8 million per year, or $238,000 per incident. Moreover, 55% of the organizations surveyed regard privileged users as their biggest insider threat risk.
How to Combat Human Error in Information Security
The SANS Institute’s Protecting Against Insider Threats discusses the key factors in helping to enhance security to protect a company from internal attacks. SANS recommends the following four best practices that should be implemented in every organization:
1. Identifying and Classifying Assets and Owners
Just as the name suggests, this means identifying the company’s most important assets, assigning each an owner, and monitoring them. For example, if money is your company’s most important asset, you need to know how it is accessed and guarded, who protects it, how much there is, and how it is kept from being altered. The same precautions apply to data and any other important asset. The resulting list should be re-evaluated regularly, reviewed against the job roles that need access, and adjusted accordingly.
2. Examining Accessibility and Implementing Related Controls, Such as Separation of Duties and Least Privilege
This step builds on identifying owners: it determines who should and should not have access to sensitive information. Ask these questions before granting access:
- Is there a way to detect whether an unauthorized person has gained access?
- Does this person actually need access to perform their job, or can they obtain what they need through someone who already has it?
- Are there controls in place that limit access to those who have been granted permission?
Not everyone in the company needs access to every piece of information, so it’s important to re-evaluate regularly to ensure that only the necessary people can access an asset.
3. Conducting Auditing Practices and Change Control
Audits should be an ongoing practice carried out often. They ensure that as employees join, change roles, and leave, they cannot access information they should not see. Change control and auditing together let you track who has access, who needs access, and whose access must be revoked.
4. Hardening File Shares and User Permissions
The last step is to limit sharing to only those who need it. For example, does everyone in the company need access to banking records? Probably not, so sensitive information should be shared restrictively: grant each role the minimum permission it needs, and review share permissions against the asset list from step 1.
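As an added illustration (not from the SANS paper or from Secuvant’s own material), the following Python access review applies the four practices above to a small, constructed data set: an asset inventory with owners, the permissions each job role needs, a current grant export and the snapshot from the last audit. Asset names, roles, users and permissions are all invented for the example.

```python
"""Access review covering the four practices above: asset inventory with owners,
least privilege and separation of duties checked against job roles, a change-control
diff against the last audited snapshot, and the resulting hardened share permissions.
All data below is constructed for the example."""

# Step 1: asset inventory. Every asset that appears in a grant must be listed here
# with an accountable owner and a classification (constructed).
ASSETS = {
    "banking-records": {"owner": "cfo", "classification": "restricted"},
    "payroll-share": {"owner": "hr-director", "classification": "confidential"},
    "marketing-share": {"owner": "cmo", "classification": "internal"},
}

# Step 2: the (asset, permission) pairs each job role legitimately needs.
ROLE_NEEDS = {
    "accountant": {("banking-records", "read"), ("banking-records", "write")},
    "controller": {("banking-records", "read"), ("banking-records", "approve")},
    "hr": {("payroll-share", "read"), ("payroll-share", "write")},
    "marketing": {("marketing-share", "read"), ("marketing-share", "write")},
}
# Separation of duties: nobody may hold both permissions of a pair on one asset.
SOD_CONFLICTS = [("write", "approve")]

# Current roster from HR (constructed); "eve" left last month and is absent.
ACTIVE_USERS = {"alice": "accountant", "bob": "controller", "carol": "hr", "dave": "marketing"}

# Grants as (user, asset, permission), as exported from a file server ACL dump (constructed).
CURRENT_GRANTS = [
    ("alice", "banking-records", "read"),
    ("alice", "banking-records", "write"),
    ("alice", "banking-records", "approve"),  # write + approve on one asset: SoD conflict
    ("bob", "banking-records", "read"),
    ("bob", "banking-records", "approve"),
    ("carol", "payroll-share", "read"),
    ("carol", "payroll-share", "write"),
    ("dave", "marketing-share", "read"),
    ("dave", "marketing-share", "write"),
    ("dave", "banking-records", "read"),  # not needed by the marketing role
    ("dave", "legacy-share", "read"),  # asset missing from the inventory
    ("eve", "payroll-share", "read"),  # departed user, access never revoked
]
# Snapshot signed off at the previous audit: the two grants above did not exist yet,
# and eve still had write access that has since been removed.
PREVIOUS_GRANTS = [g for g in CURRENT_GRANTS
                   if g not in {("alice", "banking-records", "approve"),
                                ("dave", "banking-records", "read")}]
PREVIOUS_GRANTS.append(("eve", "payroll-share", "write"))


def unowned_assets(grants, assets=ASSETS):
    """Step 1: assets that hold grants but have no owner or classification on record."""
    return sorted({asset for _, asset, _ in grants if asset not in assets})


def least_privilege_findings(grants, users=ACTIVE_USERS, role_needs=ROLE_NEEDS):
    """Step 2: grants the holder's job role does not require, as (user, role, asset, perm)."""
    findings = []
    for user, asset, perm in grants:
        role = users.get(user)
        if role is None:
            continue  # departed users are reported by change_control_findings
        if (asset, perm) not in role_needs.get(role, set()):
            findings.append((user, role, asset, perm))
    return findings


def sod_findings(grants, conflicts=SOD_CONFLICTS):
    """Step 2: one person holding both halves of a conflicting pair on one asset."""
    held = {}
    for user, asset, perm in grants:
        held.setdefault((user, asset), set()).add(perm)
    return [(user, asset, a, b)
            for (user, asset), perms in sorted(held.items())
            for a, b in conflicts if a in perms and b in perms]


def change_control_findings(current, previous, users=ACTIVE_USERS):
    """Step 3: grants added or removed since the last audit, plus grants still held
    by users who are no longer on the roster."""
    cur, prev = set(current), set(previous)
    return {"added": sorted(cur - prev),
            "removed": sorted(prev - cur),
            "orphaned": sorted(g for g in cur if g[0] not in users)}


def hardened_grants(grants, users=ACTIVE_USERS):
    """Step 4: the restrictive grant list to push back to the shares. Drops grants no
    role needs, grants held by departed users and grants on unowned assets. Any SoD
    conflict that survives this pass means a role definition itself grants both halves
    and must be split by the asset owner."""
    drop = {(u, a, p) for u, _, a, p in least_privilege_findings(grants, users)}
    drop |= {g for g in grants if g[0] not in users}
    drop |= {g for g in grants if g[1] in unowned_assets(grants)}
    return [g for g in grants if g not in drop]


if __name__ == "__main__":
    print("unowned assets:", unowned_assets(CURRENT_GRANTS))
    print("least privilege:", least_privilege_findings(CURRENT_GRANTS))
    print("separation of duties:", sod_findings(CURRENT_GRANTS))
    print("change control:", change_control_findings(CURRENT_GRANTS, PREVIOUS_GRANTS))
    print("hardened grant list:", hardened_grants(CURRENT_GRANTS))
```

Run against a real environment, the grant list would come from an ACL export and the roster from the HR system; the value is in re-running the review on a schedule and treating every non-empty finding list as a ticket for the asset owner, so that audit, change control and share hardening are one repeatable loop rather than a yearly exercise.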
Through these methods, combatting the different types of human error becomes simpler, and the risk of an employee being responsible for a data breach is reduced.
Educating and Training Employees On Human Error in Cyber Security
So, how do we protect against human error and insider threats? It begins with employee education and training on cyber security best practices. As the saying goes, you don’t know what you don’t know. Implementing a cyber security program and conducting cyber security workshops helps build a culture of security awareness, enabling employees to identify, detect, and protect against cyber risks and threats. Education on the three most common attacks aimed at employees – malware, ransomware, and phishing – will better prepare employees to recognize and report threats as they occur, so that they can be communicated across the entire organization. Furthermore, limiting email and user privileges so that each account has as little access to data and company systems as possible limits what an attacker can gain through an employee’s mistake. For more information on protecting your organization from insider threats or to learn more about our cyber security workshops, contact our security professionals at email@example.com or 855-732-8826.