The Role of Human Error in Successful Cyber Security Breaches
10 August 2017 10:30
With over 90% of cyber security breaches resulting from human error, it's safe to say that mistakes in the workplace are costly. So what mishaps are your end users making, and what exactly are the repercussions for your organisation?
Many of these breaches are successful attacks by external adversaries who prey on human weakness, waiting patiently for employees to be lured into providing access to sensitive information. Such errors can be incredibly costly, especially since the insiders involved have access to a wealth of sensitive data.
One of the greatest impacts of a successful breach is the exposure of this kind of information, the loss of intellectual property and infection by malware. A report by Vormetric found that 59% of respondents agreed that most information technology security threats directly resulting from insiders stem from honest and simple mistakes rather than from the abuse of privileges.
The Threat of Human Error
One of the most common mistakes employees make is sending sensitive documents to unintended recipients. This is relatively easy to address by deploying security controls that monitor for sensitive information leaving the organisation.
These controls were once considered complex to deploy, but vendors have made them considerably easier to implement in recent years. This has dramatically reduced the level of user involvement required and increased the uptake of such controls.
These tools can also prevent users from engaging in inappropriate behaviour: sending documents home via email, or placing them on file-sharing sites or removable media such as USB sticks, can all be blocked. The growing bring-your-own-device (BYOD) culture raises further concerns, especially the risk of lost or stolen mobile devices. Again, technology is available to help companies control what happens to data stored on such devices, even allowing sensitive data to be remotely wiped so that it doesn't fall into the wrong hands.
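To make the kind of outbound-monitoring control described above concrete, here is a small added example (not code from the original article or from any vendor product) of a rule-based check over outgoing email. It assumes a hypothetical organisation domain of example.com, a policy that classification-labelled content and payment-card numbers may not leave the organisation, and that sending to personal webmail domains is treated as "sending documents home". The sample messages are constructed for the example.

```python
"""Minimal outbound-email DLP check (added example; not from the original article).

Assumptions (hypothetical): the organisation's domain is example.com, messages are
already parsed into dicts with 'id', 'to', 'subject', 'body' and 'attachments'
(attachment name -> extracted text), and the policy is: nothing labelled
CONFIDENTIAL/INTERNAL ONLY/RESTRICTED and no payment-card number may leave the
organisation, and nothing at all may go to personal webmail domains.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

ORG_DOMAIN = "example.com"                                    # assumed organisation domain
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # "sending documents home"
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")                # 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that random 16-digit strings (order ids etc.) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Finding:
    message_id: str
    rule: str
    detail: str


def check_message(msg: dict) -> list[Finding]:
    """Return policy findings for one outbound message (empty list = allowed)."""
    findings: list[Finding] = []
    external = [r for r in msg["to"] if domain_of(r) != ORG_DOMAIN]
    if not external:
        return findings  # purely internal mail is out of scope for this policy
    for r in external:
        if domain_of(r) in PERSONAL_WEBMAIL:
            findings.append(Finding(msg["id"], "personal-webmail", r))
    # Inspect subject, body and the extracted text of every attachment together.
    text = "\n".join(
        [msg.get("subject", ""), msg.get("body", "")] + list(msg.get("attachments", {}).values())
    )
    m = LABEL_RE.search(text)
    if m:
        findings.append(Finding(msg["id"], "classified-label", m.group(0)))
    for cand in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", cand)
        if luhn_ok(digits):
            # Mask the number in the finding so the alert itself does not leak it.
            findings.append(Finding(msg["id"], "payment-card", digits[:6] + "******" + digits[-4:]))
    return findings


# Constructed sample traffic: one internal mail, one "sent home", one to a partner.
SAMPLE = [
    {"id": "m1", "to": ["bob@example.com"], "subject": "CONFIDENTIAL roadmap",
     "body": "internal discussion only"},
    {"id": "m2", "to": ["alice.home@gmail.com"], "subject": "for later",
     "body": "order 1234 5678 9012 3456",                      # card-like but fails Luhn
     "attachments": {"roadmap.docx": "CONFIDENTIAL - do not distribute"}},
    {"id": "m3", "to": ["vendor@partner.example"], "subject": "refund",
     "body": "please refund card 4111 1111 1111 1111"},
]


def run_sample() -> dict[str, list[str]]:
    """Map each sample message id to the rules it triggered."""
    return {m["id"]: [f.rule for f in check_message(m)] for m in SAMPLE}


if __name__ == "__main__":
    for mid, rules in run_sample().items():
        print(mid, rules or "ok")
```

The Luhn check is what keeps the card rule from firing on every 16-digit order or ticket number; the internal message m1 is deliberately ignored because the policy, like the controls the article describes, is about data leaving the organisation, not about internal circulation.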
Even the most trusted and highly skilled employees run major risks of human error. System and network administrators are commonly guilty of system misconfigurations, poor patch management practices and the use of default names and passwords. There are numerous security controls that organisations can explore to guard against these types of threats.
Attackers Know Exactly How to Exploit Human Curiosity
Cyber criminals also target employees' curiosity, and the success of this technique is not entirely down to end users making simple mistakes. Social engineering is a common technique attackers use to lure targeted employees into making errors.
According to Verizon, 95% of advanced and targeted attacks involved spear-phishing scams: emails carrying malicious attachments that download malware onto the user's device. This gives attackers a foothold in the organisation from which they can move laterally in search of valuable information, such as intellectual property.
Today, legitimate websites are increasingly being hacked, precisely because they are the sort of sites users visit routinely without a second thought. Compromised websites are also being used in attacks that target the interests of specific users or groups. There has been a particular increase in so-called watering hole attacks, so named because they mimic the tactics of predators lying in wait for their prey at the watering holes it is likely to visit.
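The spear-phishing pattern just described (a targeted email with a malicious attachment) is something a mail gateway or SOC can triage automatically. The following is an added example written for this page, not code from the article or from Verizon, of a simple indicator-based triage: it looks for executable or macro-enabled attachments, document-looking double extensions, display names that borrow the organisation's domain while the real sender is external, Reply-To mismatches, and urgency language. The organisation domain example.com, the message format and the scoring thresholds are all assumptions, and the sample messages are constructed.

```python
"""Inbound-mail triage for spear-phishing indicators (added example; not from the article).

Assumptions (hypothetical): messages are dicts with 'id', 'from' (raw header), optional
'reply_to', 'subject', 'body' and 'attachments' (file names); the organisation's domain is
example.com; the score thresholds are arbitrary and would be tuned in practice.
"""
from __future__ import annotations
import re

ORG_DOMAIN = "example.com"
EXEC_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar", "lnk"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso"}
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
DISPLAY_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')
URGENCY_RE = re.compile(r"\b(urgent|immediately|overdue|final notice)\b", re.I)


def parse_from(header: str) -> tuple[str, str]:
    """Split a From header into (display name, address); bare addresses have no name."""
    m = DISPLAY_RE.match(header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def attachment_indicators(name: str) -> list[str]:
    """Indicators derived from an attachment's file name alone."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    ext = parts[-1]
    out = []
    if ext in EXEC_EXT:
        out.append(f"executable-attachment:{name}")
    if ext in MACRO_EXT:
        out.append(f"macro-enabled-attachment:{name}")
    if ext in ARCHIVE_EXT:
        out.append(f"archive-attachment:{name}")
    # "invoice.pdf.exe": a document-looking extension placed before the real one
    if len(parts) >= 3 and parts[-2] in DOC_LIKE and ext in EXEC_EXT:
        out.append(f"double-extension:{name}")
    return out


def triage(msg: dict) -> dict:
    """Score one inbound message and recommend deliver / review / quarantine."""
    indicators: list[str] = []
    display, addr = parse_from(msg["from"])
    sender_domain = domain_of(addr)
    # Display name claims to be "us" but the address is from somewhere else.
    if sender_domain != ORG_DOMAIN and ORG_DOMAIN in display.lower():
        indicators.append("display-name-spoofs-org-domain")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender_domain:
        indicators.append("reply-to-domain-mismatch")
    for a in msg.get("attachments", []):
        indicators.extend(attachment_indicators(a))
    if URGENCY_RE.search(msg.get("subject", "") + " " + msg.get("body", "")):
        indicators.append("urgency-language")
    score = len(indicators)
    action = "quarantine" if score >= 2 else ("review" if score == 1 else "deliver")
    return {"id": msg["id"], "score": score, "indicators": indicators, "action": action}


# Constructed samples: a normal internal mail, a spoofed helpdesk lure, a partner file.
SAMPLE = [
    {"id": "m1", "from": '"Alice Smith" <alice@example.com>', "subject": "Q3 numbers",
     "body": "see attached", "attachments": ["q3-report.xlsx"]},
    {"id": "m2", "from": '"IT Helpdesk example.com" <helpdesk@mail-example.co>',
     "reply_to": "ops@other.example", "subject": "URGENT: invoice overdue",
     "body": "open the attached invoice", "attachments": ["invoice.pdf.exe"]},
    {"id": "m3", "from": "vendor@partner.example", "subject": "Statement",
     "body": "monthly statement attached", "attachments": ["statement.docm"]},
]


def run_sample() -> dict[str, dict]:
    return {m["id"]: triage(m) for m in SAMPLE}


if __name__ == "__main__":
    for r in run_sample().values():
        print(r["id"], r["action"], r["indicators"])
```

Name-based attachment checks are cheap and catch the crude lures; a real gateway would add content inspection (file type by magic bytes, macro extraction, sandbox detonation) and authentication results (SPF/DKIM/DMARC) as further indicators, feeding the same scoring step.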
People, Processes and Technology
As with errors made purely by users themselves, such as inadvertently sending sensitive data out of the organisation, there are technologies available to help organisations safeguard against external actors who target individual users in the hope of causing them to make errors.
It's often said that any successful organisation must focus on people, processes and technology in equal measure. Technology provides automated safeguards, and processes determine the series of actions to be taken to achieve a particular end. But even businesses with good security practices are vulnerable to human error.
Often, insufficient attention is paid to the "people" part of the organisation. To stem errors made through social engineering and to raise awareness of the potential harm caused by carelessness, technology and processes must be combined with employee education. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. Keeping organisations safe relies on constantly educating employees about identifying suspicious communications and newly emerging risks.