There’s not a single person alive who never makes mistakes. In fact, making mistakes is a core part of the human experience - it is how we grow and learn. Yet in cyber security, human mistakes are far too often overlooked.
According to a study by IBM, human error is the main cause of 95% of cyber security breaches. In other words, if human error was somehow eliminated entirely, 19 out of 20 cyber breaches may not have taken place at all!
So, why does human error cause so many breaches, and why have existing solutions failed to address it? Let’s take a look at the story behind human error - and what you can do to improve employee cyber behaviour in your organisation.
What is human error in computer security?
When discussing human error in cyber security, what is meant by the term is slightly different from its use in more general terms.
In a security context, human error means unintentional actions - or lack of action - by employees and users that cause, spread or allow a security breach to take place.
This encompasses a vast range of actions - from downloading a malware-infected attachment to failing to use a strong password - which is part of the reason why it can be so difficult to address.
With our ever more advanced and complicated work environments, we have an increasing number of tools and services that we use - and we have usernames and passwords and other things to remember for each of them. This all adds up, and when not provided alternative, secure solutions, employees start taking shortcuts to make life easier for themselves.
As if this wasn’t enough for end-users to struggle to make the right actions, they also have to deal with the constant threat of cyber criminals affecting their decision-making. Social engineering has an increasing role in all types of security breaches, and is used to exploit the capability of employees to hand over data or credentials right into the hands of bad actors without them having to write a single line of a malware program or software exploit.
Types of human error
While the opportunities for human error are almost infinite, they can broadly be categorised into two different types: skill-based and decision-based errors. The difference between these two essentially comes down to whether or not the person had the required knowledge to perform the correct action.
Skill-based human error consists of slips and lapses: small mistakes that occur when performing familiar tasks and activities. In these scenarios, the end-user knows what the correct course of action is, but fails to do so due to a temporary lapse, mistake or negligence. These might happen because the employee is tired, not paying attention, is distracted, or otherwise has a brief lapse of memory.
Decision-based errors are when a user makes a faulty decision. There can be a number of different factors that play into this: often it includes the user not having the necessary level of knowledge, not having enough information about the specific circumstance, or not even realising that they are making a decision through their inaction.
Learn how usecure helps businesses drive secure behaviour with intelligently-automated cyber security awareness training.
Examples of human error in businessHuman error can compromise your business’ security in an almost endless number of different ways, but some types of error stand out in frequency above all others. Let’s take a look at some of these highly common errors.
Misdelivery - sending something to a wrong recipient - is a common threat to corporate data security. According to Verizon’s 2018 breach report, misdelivery was the fifth most common cause of all cyber security breaches. With many people relying on features such as auto-suggest in their email clients, it is easy for any user to accidentally send confidential information to the wrong person if they aren’t careful.
One of the most serious data breaches caused by human error was when an NHS practice revealed the email addresses (and thus names) of over 800 patients who had visited HIV clinics. How did the error happen? The employee sending out an email notification to HIV patients accidentally entered their email addresses to the “to” field, rather than the “bcc” field, exposing their details to each other. This is a classic example of a skill-based error, as the employee knew the correct course of action, but simply didn’t take enough care to ensure that they were doing what they intended to.
Humans and passwords simply don’t get along. The facts from the National Centre for Cyber Security’s 2019 report cast a dire image: 123456 remains the most popular password in the world, and 45% of people reuse the password of their main email account on other services. In addition to not creating strong, unique passwords, untrained users commit many other password mistakes including writing down passwords on post-it notes on their monitors or sharing them with colleagues.
Cyber criminals are constantly looking for new exploits in software. When exploits are discovered, the software developers race to fix the vulnerability and send out the patch to all users before cyber criminals can compromise more users. This is why it is essential that users install security updates on their computers as soon as they are available. Unfortunately, more often than not end-users delay installation of updates - and with dire results.
The 2017 WannaCry ransomware attack affected hundreds of thousands of computers worldwide, costing companies and organisations millions of dollars in damages. Yet the exploit used by the attack, dubbed ‘EternalBlue’, was patched by Microsoft months before the attacks took place. If the affected computers had just had the security update downloaded and installed, they would never have been compromised.
Physical security errors
While data breaches are most often attributed to cyber attacks, businesses are also liable to physical threats. Confidential information and credentials can be stolen or viewed by unauthorised persons if they gain access to secure premises.
Physical security errors come in many different forms, but one of the most common is leaving sensitive documents unattended on desks, meeting rooms or even printer output trays. Anyone who gains access to the business premises can then just pick up the document without anyone even noticing that it’s gone missing.
Another highly common physical security error is the allowing of tailgating. Tailgating is when an unauthorised person follows someone through a secure door or barrier - usually by simply walking close behind them. Many employees will feel it rude to contest anyone following behind them through a door, ensuring a high success rate on tailgating attempts.
What factors cause human error?
There are a large variety of factors that play into human error, but most of them boil down to these three: opportunity, environment, and lack of awareness.
Human error can only occur where there is opportunity for it to do so. That may seem obvious, but the point is that the more opportunities there are for something to go wrong, the higher the chance that a mistake will be made at some point.
There are many environmental factors that can make errors more likely to occur.
The physical environment of a workplace can significantly contribute to the number of errors that occur. While any construction site worker will be able to tell you that errors are more common on boiling hot or freezing cold days - these considerations also apply to offices. While having the right office temperature is an important consideration, privacy, noise-level and posture are all things that can contribute to a more mistake-prone environment.
Culture also plays an important role in environmental considerations. Often end-users will know the right course of action, but fail to carry it out because there is an easier way to do things or they simply don’t think it is important. Having a culture where security is always pushed to the background will lead to errors becoming more and more commonplace.
Lack of awareness
Much of human error results from end-users simply not knowing what the right course of action is in the first place. For example, users that aren’t aware of the risk of phishing are far more likely to fall for phishing attempts, and someone not knowing the risks of public Wi-Fi networks will quickly have their credentials harvested. A lack of knowledge is almost never the fault of the user - but should be addressed by the organisation in order to ensure their end-users have the knowledge and skills they require to keep themselves and the business secure.
How to prevent human error in your business?
Human error can only occur where there is opportunity to do so, and as such it is essential to eliminate opportunities for error as much as possible. At the same time, end-users will continue making mistakes if they don’t know what the correct actions is and what the risks are. To breach this gap, it is essential to approach human error from both sides to create a comprehensive defence for your organisation.
Reduce the opportunities
Changing your work practices, routines and technologies to systematically reduce the opportunity for error is the best way to start your mitigation efforts. While the way in which you achieve this will depend on the specific activities and environments of your business, there are some common guidelines to mitigating human error opportunities.
Privilege control: ensure that your users only have access to the data and functionality that they need to perform their roles. This reduces the amount of information that will be exposed even if the user commits an error that leads to a breach.
Password management: as password-related mistakes are a main human error risk, distancing your users from passwords can help reduce risks. Password manager applications allow your users to create and store strong passwords without having to remember them or risk writing them down on post-it notes. You should also mandate the use of two-factor authentication across your business to add an extra layer of protection to your accounts.
Change your culture
A security-focused culture is key in reducing human error. In a security culture, security is taken into consideration with every decision and action, and end-users will actively look out for and discuss security issues as they encounter them.
There are a number of things you can do to help build a security-minded culture in your organisation.
Encourage discussion. One of the best ways to ensure that security stays at the forefront is to get people talking about it. Bring up discussion topics around security - and ensure that they are relevant to your end-users’ day-to-day work activities so they are more likely to get engaged. This will help them see what they can each do personally to help keep up the security of your organisation.
Make it easy to ask questions. As part of the learning process, your end-users will probably stumble into many situations where they are unsure of the security implications. In these situations, you would rather them ask you or someone else with knowledge rather than make a guess and risk making the wrong choice by themselves. Ensure that someone is always available to answer any questions from end-users in a friendly manner, and reward users who bring up good questions.
Use posters and reminders. Security posters and tips serve as little reminders to help ensure that your end-users are thinking of security throughout their work day. A poster with information about strong passwords will, for example, allow users to easily see what the requirements are for keeping company accounts safe.
Address lack of knowledge with training
While reducing the opportunities for error is essential, you must also approach the causes of error from a human angle. Educating your employees on security basics and best practices allows them to make better decisions, and enables them to keep security on their mind and seek further guidance when they’re not sure what the consequences of a certain action are.
Train employees on all core security topics: as human error can manifest in a huge variety of different ways, it is essential that you train employees to a basic level on any security topics that they may encounter in their day-to-day work activities. Use of email, internet and social media, as well as phishing and malware training are just some of the topics that training should cover.
Training has to be engaging and relevant: your employees have limited attention spans, and you need to ensure that their training isn’t just going to make them fall asleep. Interactive training courses that use image and video content are far more effective than hour-long PowerPoint sessions. Training should also not come in yearly sessions which your employees will forget a week later, but recur regularly throughout their work life in a brief and easily digestible format.
Humans don’t have to be the weakest link
We started this article off with a frightening statistic about how many breaches are caused by human error - but there is another way we could look at that statistic. If 95% of breaches are caused by human error, taking even the smallest steps towards reducing human error can create huge gains in security.
The mitigation of human error has to come from two angles: reducing opportunity, and educating users. The less opportunities there are for error the less your users will be tested for their knowledge - and the more knowledge your users have, the less likely they are to make a mistake even when they come across an opportunity to do so.
The approach we at usecure promote encourages you to see your human risk from a different light. While untrained end-users may be the weakest link the security of your organisation, the right tools and training allows you to empower them into your first line of defence against any attack or breach, safeguarding your business in the long term.
To learn more about our intelligently-automated, user-focused security awareness training programmes, click the link below.
Learn how usecure helps businesses drive secure behaviour with intelligently-automated cyber security awareness training.
(Previous version of the article written by Emma Woods in April 2019.)