With over 90% of all cyber security breaches coming as a result of human error, it's safe to say that mistakes in the workplace can be more than costly.
So, what mishaps are your end users making and what exactly are the repercussions to your organisation?
Many of these breaches are successful attacks by external adversaries who prey on human weakness, waiting patiently for employees to be lured into handing over access to sensitive information. Such errors can be incredibly costly, especially since the insiders involved have access to a host of sensitive data.
One of the greatest impacts of a successful security breach is the exposure of this kind of information, the loss of intellectual property and infection by malware. A report by Vormetric found that 59% of respondents agree that most information technology security threats that directly result from insiders are the result of honest and simple mistakes, rather than the abuse of privileges.
What actually is human error?
Human error means actions that were unintended or accidental. It is the leading cause of data and security breaches. The most common types of breaches occur as a result of someone sending data to the wrong person. With cyber criminals on the rise, not enough business owners are paying attention to the avoidable consequences of human error.
Examples of human error in business
There are 3 types of human error that can occur in a business. Understanding the different types of human error and how they come about can help you and your employees to prevent them before data is compromised or deleted.
The 3 types of human error to watch out for are:
Skill based behaviour:
This type of human error arises from behaviour built on learned skills. The employee reacts almost instantaneously, performing an action that belongs to a familiar procedure and is well internalised.
Knowledge based behaviour:
This is the behaviour an individual falls back on when faced with a new situation they have never come across before, and therefore do not know the appropriate rules or procedures.
Rule based behaviour:
This type of behaviour is guided by the rules an employee follows to perform a task they are familiar with. The individual recognises the situation and applies the right procedure to perform the task.
The threat of human error (how we mess up)
One of the most common mistakes made by employees is sending sensitive documents to unintended recipients. This is relatively easy to address by deploying security controls that monitor for sensitive information leaking out of the organisation. These controls were once considered complex to deploy, but vendors have made them considerably easier to implement in recent years. This has dramatically reduced the level of user involvement required and increased the uptake of such controls.
These tools can also prevent users from engaging in inappropriate behaviour: sending documents home via email, or placing them on file-sharing sites or removable media such as USB sticks, can all be blocked. The growing bring-your-own-device (BYOD) culture raises further major concerns, especially the risk of lost or stolen mobile devices. Again, technology is available to help companies control what happens to data stored on such devices, even allowing sensitive data to be remotely wiped so that it doesn't fall into the wrong hands.
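The outbound-monitoring control described above is, at its core, a policy decision made per message: who is it going to, and does it contain something the organisation classifies as sensitive? The following is an added example (not the article's own code, and not any vendor's product) of that decision in Python. It assumes a hypothetical internal domain, example-corp.test, treats every other recipient domain as external, and looks for two constructed data classes: payment card numbers (validated with the Luhn checksum so that an order reference that merely looks like a card is not flagged) and a "CONFIDENTIAL" or "INTERNAL ONLY" marker. Card numbers going outside are blocked; a marker alone produces a warning, which is the kind of prompt that catches the "sent it to the wrong person" mistake before it happens.

```python
import re
from dataclasses import dataclass, field

# Hypothetical corporate domain used by this example; any other recipient domain is "external".
INTERNAL_DOMAIN = "example-corp.test"

# Deliberately loose card-number pattern (13 to 16 digits with optional spaces or
# dashes); luhn_ok() filters out ordinary numbers that merely look like cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Classification markers the organisation stamps on internal documents (constructed list).
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit strings in text that pass both the pattern and the checksum."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def external_recipients(recipients: list[str]) -> list[str]:
    return [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


@dataclass
class Verdict:
    action: str                      # "allow", "warn" or "block"
    reasons: list[str] = field(default_factory=list)


def evaluate(recipients: list[str], subject: str, body: str) -> Verdict:
    """Decide whether an outbound message may leave the organisation."""
    external = external_recipients(recipients)
    text = subject + "\n" + body
    cards = find_card_numbers(text)
    markers = MARKER_RE.findall(text)

    if not external:
        return Verdict("allow", ["all recipients are internal"])
    if cards:
        return Verdict("block", [f"{len(cards)} payment card number(s) addressed to {', '.join(external)}"])
    if markers:
        return Verdict("warn", [f"marked '{markers[0].upper()}' but addressed to {', '.join(external)}"])
    return Verdict("allow", ["external recipients, no sensitive content detected"])


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        (["bob@example-corp.test"], "Q3 figures", "Card on file: 4111 1111 1111 1111"),
        (["partner@supplier.test"], "Q3 figures", "Card on file: 4111 1111 1111 1111"),
        (["partner@supplier.test"], "CONFIDENTIAL roadmap", "Draft attached."),
        (["partner@supplier.test"], "Order", "Your reference is 1234 5678 9012 3456"),
    ]
    for rcpts, subj, body in samples:
        v = evaluate(rcpts, subj, body)
        print(f"{v.action:5}  {subj!r:24} -> {'; '.join(v.reasons)}")
```

The last sample shows why the checksum matters: a sixteen-digit order reference fails Luhn and is allowed through, whereas a naive "sixteen digits" rule would block it and train users to ignore the control. In a real deployment the same evaluate() call would sit in the mail gateway or the client add-in, and a "warn" would be surfaced to the sender as a confirmation prompt.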
Even the most trusted and highly skilled employees are at major risk of human error. System and network administrators are commonly guilty of system misconfigurations, poor patch management practices and the use of default names and passwords. There are numerous security controls that organisations can explore to guard against these types of threats.
What factors cause human error?
The company and the people you work with shape your daily routine at work, and whether the working culture is positive or negative affects how you handle potential cyber threats.
The job role
Any business has a variety of job roles, and an individual's role affects how they handle corporate data and how they keep it safe.
Every individual is different; no two employees in your business are the same. This affects how they work, how they deal with potential threats and how they approach protecting your company's data.
Attackers know exactly how to exploit human curiosity
Cyber criminals are targeting the human interest of employees, but the success of this technique is not fully down to end users making simple mistakes. Social engineering is a common technique used by attackers to lure targeted employees into making errors.
According to Verizon, 95% of advanced and targeted attacks involved spear-phishing scams, with emails containing malicious attachments that can cause malware to be downloaded onto the user’s device. This gives attackers a foothold into the organisation from which they can move laterally in search of valuable information, such as intellectual property.
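The spear-phishing pattern described above (a lure that looks like it comes from a familiar address, carrying an attachment that is really an executable) leaves traces that a mail gateway can check before the message ever reaches the user. This added example, not taken from the article or from any product, triages a raw message with Python's standard email module. It flags three things: a sender display name that itself looks like an address at a different domain from the real sender, a Reply-To domain that differs from the From domain, and attachments whose extension runs code or carries macros, including the "document.pdf.exe" double-extension disguise. Both messages below are constructed samples; the risky-extension list is a short illustrative set, not a complete policy.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Extensions that run code or carry macros: a short constructed list for the example.
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "docm", "xlsm", "pptm"}
# Document and image extensions often used as the inner name of a double extension.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_findings(filename: str) -> list[str]:
    """Flag executable attachment types and document-lookalike double extensions."""
    parts = filename.lower().split(".")
    findings = []
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in RISKY_EXT:
        findings.append(f"risky attachment type .{ext}: {filename}")
        if len(parts) >= 3 and parts[-2] in DOC_EXT:
            findings.append(f"double extension disguises executable as document: {filename}")
    return findings


def header_findings(msg) -> list[str]:
    """Flag display names and Reply-To addresses that point somewhere other than the sender."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    # A display name that looks like an address at another domain is a classic lure:
    # the recipient sees a familiar address while the mail actually comes from elsewhere.
    m = re.search(r"@([\w.-]+)", name)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name claims {m.group(1)} but sender domain is {from_domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender domain {from_domain}")
    return findings


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return every finding worth a closer look."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = header_findings(msg)
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part.get_filename() or ""))
    return findings


# Constructed sample: spear-phishing style lure with a double-extension attachment.
PHISH_EML = """\
From: "accounts@example-corp.test" <billing@notify-mail.test>
Reply-To: payments@collect-invoice.test
To: finance@example-corp.test
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice before close of business.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_2024.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
""".encode()

# Constructed sample: an ordinary internal message with a PDF attached.
BENIGN_EML = """\
From: "Alice Smith" <alice@example-corp.test>
To: finance@example-corp.test
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Report attached.

--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="Q3_report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
""".encode()

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw) or ["no findings"])
```

None of these checks is conclusive on its own (legitimate mail uses Reply-To, and some business units exchange macro-enabled spreadsheets), which is why a gateway scores them together and why the user awareness the article goes on to recommend still matters for whatever the filter lets through.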
Today, legitimate websites are increasingly being hacked, precisely because they are the sort of sites users visit routinely without a second thought. Compromised websites are also being used in attacks that target the interests of specific users or groups. There has been a particular increase in so-called watering hole attacks - so named because they mimic predators lying in wait for prey at the watering holes it is likely to visit.
People, processes and technology
Just as with errors made purely by users themselves, such as inadvertently sending sensitive data out of the organisation, there are technologies available to help organisations safeguard themselves against external actors who target individual users in the hope of causing them to make errors.
It's often said that any successful organisation must focus on people, processes and technology in equal measure. Technology provides automated safeguards, and processes define the series of actions to be taken to achieve a particular end. But even businesses with good security practices are vulnerable to human error.
Often, insufficient attention is paid to the "people" part of the organisation. To stem errors made through social engineering and to raise awareness of the potential damage caused by carelessness, technology and processes must be combined with employee awareness training. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. Keeping organisations safe relies on constantly educating employees to identify suspicious communications and new possible risks.
Looking for a complete online security awareness training solution that won't bore your employees with long seminars or endless presentations? Try our bite-size, individually tailored SAT today.