Human Error: Defending Against the Weakest Link
Feb 20, 2019
Recap of 2018’s Prominent Data Breaches
This past year cyber risk took center stage, with high-profile cyber-attacks and data-privacy scandals coinciding with the start of GDPR enforcement. The most prominent was Facebook's Cambridge Analytica scandal, in which data on over 87 million users was collected without their permission through a third-party app developer, who then sold it to Cambridge Analytica; the data was allegedly used to influence the 2016 presidential election. Other prominent breaches include Quora, where hackers gained access to its systems and retrieved account information for over 100 million users, and Chegg, where unauthorized access was gained to a company database containing over 40 million accounts.
Consumer data protection and cyber security practices will be paramount this year in safeguarding a company's information and its clients' data, and it begins with people. Your employees are your greatest asset, but they can also be your weakest link. A number of recent studies by research organizations have all identified human error as the leading cause of data breaches in the United States.
According to Experian's Managing Insider Risk Through Training and Culture report, over 66% of the data protection and privacy training professionals who were surveyed labeled their employees as the weakest link in safeguarding their organization from cyber threats. In another study, approximately 47% of business leaders said that human error had caused a data breach at their organization, with employee negligence cited as the main cause.
Safeguarding Against Insider Threats
Insider threats can arise from human error or malicious intent, so it's important that organizations take time to assess employee behavior and identify abnormal patterns and suspicious activity. Insider risk from employees takes three forms, each of which plays a role in successful attacks:
- User Misuse: employees use company resources for personal purposes, such as checking online bank accounts or personal email, exposing the company to malware or to theft and misuse of credentials.
- User Mistake: humans make mistakes all the time, primarily through carelessness or negligence. Clicking links in unknown emails or downloading unknown files, filling out a form with personal information without confirming the legitimacy of the company or website, improperly disposing of sensitive documents, or sending sensitive information by unencrypted email are all mistakes employees make.
- User Malice: a malicious insider, including fraud, theft of confidential or valuable information, theft of intellectual property, or sabotage of the organization's networks and computer systems.
Insider threat statistics from the Ponemon Institute show that employee or contractor negligence is responsible for two out of three insider threat incidents, at an average cost to organizations of $3.8 million per year, or $238,000 per incident. Moreover, 55% of the organizations surveyed see privileged users as their biggest insider threat risk.
The SANS Institute's whitepaper on Protecting Against Insider Threats is a good guide to the key factors in enhancing security against internal attacks. Here are four best practices that every organization should implement:
- Identifying and classifying assets and owners;
- Examining accessibility and implementing related controls such as separation of duties and least privilege;
- Conducting auditing practices and change control; and
- Hardening file shares and user permissions.
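The four practices above are easier to act on when they are turned into checks that can be re-run at every access review. The script below is an added example, not code from the article or from SANS: it audits a small, entirely constructed access model (a share inventory with classifications and owners, a role-based permission model, a list of conflicting duties, and the permissions each user actually exercised during the review period) and reports unowned or unclassified assets, separation-of-duties conflicts, granted-but-unused permissions, and shares that grant broad principals such as Everyone more than they should. All asset names, roles, users and permissions are hypothetical.

```python
"""Added example: an access-review audit over a constructed access model.
Covers the four practices listed in the article: asset classification and
ownership, separation of duties / least privilege, review of what is
actually used, and file-share hardening. None of the data is real."""

# Constructed asset inventory: every non-public asset needs an owner and a
# classification (practice 1: identify and classify assets and owners).
ASSETS = {
    r"\\fs01\finance": {"classification": "confidential", "owner": "cfo"},
    r"\\fs01\hr":      {"classification": "restricted", "owner": "hr-lead"},
    r"\\fs01\public":  {"classification": "public", "owner": None},
    r"\\fs01\legacy":  {"classification": None, "owner": None},
}

# Constructed share ACLs: principal -> access level
# (practice 4: harden file shares and user permissions).
SHARE_ACLS = {
    r"\\fs01\finance": {"finance-team": "modify", "Everyone": "read"},
    r"\\fs01\hr":      {"hr-team": "modify"},
    r"\\fs01\public":  {"Everyone": "read"},
    r"\\fs01\legacy":  {"Everyone": "full"},
}

# Constructed role model (practice 2: accessibility and related controls).
ROLE_PERMS = {
    "ap-clerk":    {"vendor.create", "invoice.enter"},
    "ap-approver": {"invoice.approve", "payment.release"},
    "auditor":     {"ledger.read"},
    "admin":       {"vendor.create", "invoice.enter", "invoice.approve",
                    "payment.release", "ledger.read", "user.manage"},
}
USER_ROLES = {
    "alice": {"ap-clerk"},
    "bob":   {"ap-approver"},
    "carol": {"ap-clerk", "ap-approver"},   # toxic combination
    "dave":  {"admin"},
    "erin":  {"auditor"},
}
# Permission pairs that no single person may hold (separation of duties).
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
]
# Permissions each user actually exercised in the review period, as a
# periodic audit (practice 3) would extract from logs; constructed here.
USED_PERMS = {
    "alice": {"invoice.enter"},
    "bob":   {"invoice.approve", "payment.release"},
    "carol": {"invoice.enter", "invoice.approve"},
    "dave":  {"user.manage"},
    "erin":  {"ledger.read"},
}

BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_LEVELS = {"modify", "full"}


def effective_perms(user):
    """Union of the permissions granted through all of a user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def audit_assets():
    """Flag assets with no classification, or non-public assets with no owner."""
    findings = []
    for asset, meta in ASSETS.items():
        if meta["classification"] is None:
            findings.append(("unclassified-asset", asset))
        elif meta["classification"] != "public" and meta["owner"] is None:
            findings.append(("no-owner", asset))
    return findings


def audit_sod():
    """Flag users whose effective permissions contain a conflicting pair."""
    findings = []
    for user in USER_ROLES:
        perms = effective_perms(user)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append(("sod-conflict", user, a, b))
    return findings


def audit_least_privilege():
    """Flag granted permissions that were never used: candidates for removal."""
    findings = []
    for user in USER_ROLES:
        unused = effective_perms(user) - USED_PERMS.get(user, set())
        for perm in sorted(unused):
            findings.append(("unused-permission", user, perm))
    return findings


def audit_shares():
    """Flag broad principals with write access, or with read on non-public data."""
    findings = []
    for share, acl in SHARE_ACLS.items():
        cls = ASSETS.get(share, {}).get("classification")
        for principal, level in acl.items():
            if principal not in BROAD_PRINCIPALS:
                continue
            if level in WRITE_LEVELS:
                findings.append(("broad-write", share, principal))
            elif cls != "public":
                findings.append(("broad-read-on-nonpublic", share, principal))
    return findings


def run_audit():
    return audit_assets() + audit_sod() + audit_least_privilege() + audit_shares()


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding)
```

In a real environment the dictionaries would be populated from the directory, the share ACLs and the access logs rather than typed in, but the checks stay the same: an account that can both create a vendor and release a payment (carol, and the admin role held by dave) is a fraud path regardless of intent, and an unused permission is attack surface that a phished account inherits for free.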
Employee Education & Cybersecurity Training
So, how do we protect against human error and insider threats? It begins with employee education and training on cyber security best practices. As the saying goes, you don't know what you don't know. Implementing a cyber security program and running cyber security workshops helps build an environment of security awareness, enabling employees to identify, detect, and protect against cyber risks and threats. Education on the three most common attacks aimed at employees, malware, ransomware, and phishing, better prepares them to recognize threats as they occur and to report them so that the warning reaches the entire organization. Furthermore, limiting email and user privileges so that each employee has access only to the data and systems their role requires reduces what an unauthorized user can reach through an employee's mistake.
For more information on protecting your organization from insider threats or to learn more about our cyber security workshops, contact our security professionals at firstname.lastname@example.org or 855-732-8826.