Why Your Business Should Conduct Regular Security Assessments Reason #6 – Cyber Breaches Due to Human Error


“Cyber attacks are like natural disasters. There’s no way to prevent a hurricane from hitting your city, but you can certainly prepare for it.” 

The cyber security measures you have in place for your business should include regular security assessments to identify internal and external security threats. If assessments are neglected, data loss or corruption from hardware failure, human error, natural disasters, cyber crime, and infected software could have a significant financial impact on your business.

In this article, we will talk about the most common reason of them all… human error. 

In a compelling article by usecure, they write, “There’s not a single person alive who never makes mistakes. In fact, making mistakes is a core part of the human experience – it is how we grow and learn. Yet, in cyber security, human mistakes can literally cost you your business.

According to a study by IBM, human error is the main cause of 90 – 95% of cyber security breaches. In other words, if human error was somehow eliminated entirely, 19 out of 20 cyber breaches may not have taken place at all!

What is human error in computer security?

In a security context, human error means unintentional actions – or lack of action – by employees and users that cause, spread, or allow a security breach to take place.” 

In an article by Venafi, they added, “Despite an overall increase in security investment over the past decade, organizations are still plagued by breaches. What’s more, we’re learning that many of the attacks that result in breaches misuse encryption in some way.

Sadly, it’s often human error that allows attackers access to encrypted channels and sensitive information. Sure, an attacker can leverage “gifts” such as zero-day vulnerabilities to break into a system, but in most cases, their success involves provoking or capitalizing on human error.

If organizations are not monitoring the use of all the keys and certificates that are used in encryption, then attackers can use rogue or stolen keys to create illegitimate encrypted tunnels. Organizations will not be able to detect these malicious tunnels because they appear to be the same as other legitimate tunnels into and out of the organization.”

Common Errors

Human error can compromise your business’ security in an almost endless number of different ways, but some types of error stand out in frequency above all others. Let’s take a look at some of these highly common errors.

According to an article by Cyber Security Magazine, they write, “A few common human errors are:

  • Using weak passwords or storing passwords in unreliable places: plain text, Google sheets or even on sticky notes on the office desk or around the house.
  • Improper handling of sensitive data: accidentally deleting sensitive files, often without knowing they’re important, sending sensitive data to the wrong recipients, not backing up important data.
  • Using outdated (or unauthorized) software, ignoring software updates, downloading compromised software.
  • Opening suspicious email links or attachments.
  • Using public Wi-Fi without using a VPN. [Yes, even smartphones and tablets need this protection]
  • Plugging in insecure devices, like unknown USB storage devices.
  • Using unencrypted IoT devices. 

Human Error in Cybersecurity – Common Social Engineering Strategies

When it comes to malicious actors trying to deliberately make you slip, you must know that one of their favorite practices is social engineering. Attackers gather information about their targets, plan their attack, acquire tools, attack and then use the acquired information to continue with their malicious purposes.

The most common types of social engineering attacks that you should be aware of are:

  • Fake applications or messages that contain infected attachments – once opened, malware gets into the victim’s device.
  • Phishing – emails or messages sent through other channels that seem to be from an entity the targets trust, like: a bank, Google, Facebook etc., in which attackers ask them for sensitive information or to enter login details.
  • CEO fraud – in this case, cybercriminals pretend to be their target’s boss or some other authority figure and ask them to share access to sensitive information.”

RELATED: Additional Social Engineering Strategies – a term used for a broad range of malicious activities accomplished through human interactions.

How to defend against social engineering attacks

According to an article by ITGovernance, they write, “Mitigating the threat of social engineering is a critical component of all cyber security programmes.

It requires a multi-layered approach that combines staff training with technological defences, so that your employees can recognise and report social engineering attacks, and if any attacks are successful, they do as little damage as possible.

There are four essentials that your social engineering defences should cover:

1. A positive security culture

If you or your staff fall victim to a social engineering attack, your security team will need to act quickly to contain it. Your corporate culture must therefore encourage victims to report incidents as soon as possible.

The last thing you want is a malware infection that dwells on your system for months because the person who inadvertently caused it kept quiet for fear of getting into trouble.

2. Train your staff to learn the psychological triggers and other giveaways

Social engineering attacks are not always easy to detect, so it is important to understand the tactics they use, such as:

  • Masquerading as trusted entities, like familiar brands or people;
  • Creating a false sense of urgency to confuse victims, often by provoking them into a state of fear or excitement so they act quickly without thinking properly; and
  • Taking advantage of people’s natural curiosity, sense of indebtedness or conditioned responses to authority.

You should train your staff to:

  • Be suspicious of unsolicited communications and unknown people;
  • Check whether emails genuinely come from their stated recipient (double-check senders’ names and look out for giveaways such as spelling errors and other illiteracies);
  • Avoid opening suspicious email attachments;
  • Think before providing sensitive information;
  • Check websites’ security before submitting information, even if they seem legitimate (a lock icon should appear in the search bar at the beginning of the web address.) 
  • Pay attention to URLs, and ‘typosquatting’ (sites that look genuine but whose web addresses are subtly different from the legitimate site they imitate).

3. Test the effectiveness of the training

Training your staff should not be a one-off event. You should regularly test the effectiveness of the training and redeploy it as necessary.

For example, a simulated phishing attack – in which your staff are targeted by controlled phishing attempts – will show you how susceptible they are and how much your organisation is therefore at risk. With this information, you can retrain those who need it most, reducing your exposure.

4. Implement technological cyber security measures

As well as training and testing your staff, you should, of course, implement technological cyber security measures – including firewalls, antivirus and anti-malware, patch management, penetration testing, and access management policies.

This will help limit the number of attacks reaching your staff and minimise the damage from any successful attacks.
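As one illustration of a technological measure that backs up the URL and sender checks listed under step 2, here is an added example (not taken from ITGovernance or any of the quoted articles) that flags domains imitating ones your staff trust. The trusted list, the character map and every sample host are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: domains the organisation genuinely deals with (assumption).
TRUSTED = {"google.com", "facebook.com", "examplebank.com"}

# Small, non-exhaustive map of characters that imitate Latin letters.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                      "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"})

def skeleton(host):
    """Fold case, accents and look-alike characters into one comparison form."""
    s = unicodedata.normalize("NFKD", host.lower().rstrip("."))
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.translate(FOLD).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            v = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                v = min(v, prev2[j - 2] + 1)
            cur.append(v)
        prev2, prev = prev, cur
    return prev[-1]

def host_of(value):
    """Accept a URL or an e-mail address and return its host part."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def classify(value):
    """Return (verdict, trusted_domain) for a URL, sender address or bare host."""
    host = host_of(value).rstrip(".")
    for t in sorted(TRUSTED):
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    full = skeleton(host)
    for t in sorted(TRUSTED):
        ts = skeleton(t)
        tail = ".".join(full.split(".")[-len(t.split(".")):])
        if tail == ts or edit_distance(tail, ts) <= 1:
            return ("lookalike", t)       # subtly different spelling
        if full.startswith(ts + ".") or "." + ts + "." in full:
            return ("lookalike", t)       # trusted name buried in another site's host
    return ("unknown", None)
```

A mail gateway or proxy rule built on this idea would quarantine or banner anything classified as "lookalike"; a one-edit threshold will misfire on very short domain names, so keep the trusted list to names long enough to be distinctive.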

Human Error in Cybersecurity – Prevention

In an article by CyberSecurity Mag, they write, “What can you do to prevent human error and make sure that you keep both your personal data/devices and business data/endpoints safe? 

Know your enemy. Make sure you have some basic cybersecurity knowledge, so you are aware of the dangers out there and you always follow basic safety rules. Examples: Be careful what you plug into your computer; never leave your laptop or phone unlocked; listen to your intuition. If something sounds too good to be true – or too urgent – don’t provide the confidential information you’re asked for.

Take care of the passwords you use. Don’t use simple passwords, don’t reuse them, don’t leave them in plain sight, and make sure you change them at irregular periods of time.

If the company you work for does not already use cybersecurity software solutions, tell them about the importance of using an antivirus, a privileged access management tool and an email security solution. Privileged access management tools guarantee that everyone gets access only to what he or she needs to perform their daily tasks and nothing more.

In many cases, cybercriminals rely on human error and human weakness to fulfil their malicious ends. Make sure you are aware of the cyber threats you may face, so that you always proceed with caution when it comes to the use of the Internet, your devices, and the data you handle.”


***At Adaptive Office Solutions, we also recommend Keeper for your passwords, and installing a malware protection program on all of your devices. Also, be sure to use a VPN on every device you use (yes, including smartphones and tablets), and be sure to check that the VPN is connected EVERY time you use your devices.

Additional Preventative Measures 

According to an article by usecure, they write, “Human error can only occur where there is opportunity to do so; as such, it is essential to eliminate opportunities for error as much as possible. Employees will continue making mistakes if they don’t know what the correct actions and risks are. To bridge this gap, it is essential to approach human error from both sides to create a comprehensive defence for your organisation.

Reduce the opportunities

Changing your work practices, routines and technologies to systematically reduce the opportunity for error is the best way to start your mitigation efforts. While the way in which you achieve this will depend on the specific activities and environments of your business, there are some common guidelines to mitigating human error opportunities:

Privilege control: Ensure that your users only have access to the data and functionality that they need to perform their roles. This reduces the amount of information that will be exposed even if the user commits an error that leads to a breach. 

Password management: Password-related mistakes are a main human error risk, so distancing your users from passwords can help reduce risks. Password manager applications [like Keeper] allow your users to create and store strong passwords without having to remember them or risk writing them down on post-it notes. You should also mandate the use of two-factor authentication across your business to add an extra layer of protection to your accounts.

Change your culture

A security-focused culture is key in reducing human error. In a security culture, security is taken into consideration with every decision and action, and employees will actively look out for and discuss security issues as they encounter them.

There are a number of things you can do to help build a security-minded culture in your organisation:

Encourage discussion. One of the best ways to ensure that security stays at the forefront is to get people talking about it. Bring up discussion topics around security – and ensure that they are relevant to your employees’ day-to-day work activities – so they are more likely to get engaged. This will help them see what they can each do personally to help keep up the security of your organisation.

Make it easy to ask questions. As part of the learning process, your employees will probably stumble into many situations where they are unsure of the security implications. In these situations, you would rather them ask you, or someone else with knowledge, rather than make a guess and risk making the wrong choice by themselves. Ensure that someone is always available to answer any questions from employees in a friendly manner, and reward users who bring up good questions.

Use posters and reminders. Security posters and tips serve as little reminders to help ensure that your employees are thinking of security throughout their work day. A poster with information about strong passwords will, for example, allow users to easily see what the requirements are for keeping company accounts safe.

Address lack of knowledge with training

While reducing the opportunities for error is essential, you must also approach the causes of error from a human angle. Educating your employees on security basics and best practices allows them to make better decisions, and enables them to keep security on their mind and seek further guidance when they’re not sure what the consequences of a certain action are.

Train employees on all core security topics: As human error can manifest in a huge variety of different ways, it is essential that you train employees about security topics that they may encounter in their day-to-day work activities. Use of email, internet and social media, as well as phishing and malware training are just some of the topics that training should cover.

Training has to be engaging and relevant: Your employees have limited attention spans, and you need to ensure that their training isn’t going to make them fall asleep. Interactive training courses that use image and video content are far more effective than hour-long PowerPoint sessions. Training should also not come in yearly sessions, which your employees will forget a week later, but recur regularly throughout their work life in a brief and easily digestible format.

Humans don’t have to be the weakest link

We started this article off with a frightening statistic about how many breaches are caused by human error – but there is another way we could look at that statistic. If 95% of breaches are caused by human error, taking even the smallest steps towards reducing human error can create huge gains in security.

The mitigation of human error has to come from two angles: reducing opportunity, and educating users. The fewer opportunities there are for error, the less your users will be tested for their knowledge – and the more knowledge your users have, the less likely they are to make a mistake even when they come across an opportunity to do so.

While untrained employees may be the weakest link in the security of your organisation, the right tools and training allow you to empower them into being your first line of defence against any attack or breach, safeguarding your business in the long term.”