When your business is running like a well-oiled machine, it’s hard to believe that your employees or coworkers might be jeopardizing data security. Many business leaders are focused on outside attacks from ransomware and malware, but they forget the element of human error that makes it possible for hackers or other malicious actors to get into private systems in the first place. Think of it this way: If a burglar wants to get into your home, there are many ways they can do it — so why make things easier by leaving a key under the mat?
Data breaches caused by human error happen when an employee is careless, lax in upholding security policies, or actively makes a mistake. Many business leaders mistakenly believe that an incident caused by human error isn’t as bad as one caused by an outside agent. It’s easy to think that just because there wasn’t an intent to reveal the data and misuse it, the incident isn’t a big deal. However, under the General Data Protection Regulation (GDPR) and other data regulations, all data breaches are created equal regardless of their origin.
IBM’s X-Force Threat Intelligence Index for 2018 reveals some disturbing data breach trends related to human error. Perhaps the most striking is that two-thirds of all the records compromised in 2017 were made vulnerable by the negligent actions of unwitting employees. The total number of compromised records neared three billion. With the average cost of a data breach sitting at $3.86 million per incident, reducing the element of human error in data security can save your business from heavy fines and a whole lot of regulatory headache.
Table of Contents
- Types of Human Error in Data Security
- How Do I Prevent Human Error?
- How Do I Prepare for a Breach Caused by Human Error?
Types of Human Error in Data Security
Reducing holes in your security starts with understanding why human error impacts data security and the types of human error that lead to compromised information. These five causes of data breaches are some of the most dangerous and costly to watch out for when considering your company’s data security.
1. Going Phishing
Despite being one of the oldest cybersecurity threats on the planet, phishing still presents a significant issue for businesses. According to Verizon’s 2018 Data Breach Report, only four percent of people actually click on a link in a traditional phishing email. The problem is that phishing has evolved to encompass more than just suspicious links in a message. A new form of phishing is known as “pretexting,” and it involves someone presenting themselves as someone else with the intention of obtaining private information.
One of the most elaborate pretexting schemes ever concocted took place from 2013 to 2015, and its perpetrator only pleaded guilty to the crime in 2019. Evaldas Rimasauskas, a Lithuanian national, successfully wrung more than $100 million out of Google and Facebook using fake invoices. In addition to invoice forgery, he sowed confusion with fake contracts, corporate stamps and letters.
From the employees’ point of view, everything Rimasauskas sent looked legitimate enough to sign off on. Somewhere down the line, one or more employees bypassed policies and procedures around releasing payments — likely to save some time. This type of human error is most likely in larger companies where more people have more hands on a greater number of tasks.
Rimasauskas was out for cash with his scheme, but it’s easy to envision someone posing as a client or patient to trick employees into turning over information.
2. Bring Your Own Device
These days, the line between work and personal time can easily get blurry. It’s rare for a business to provide a dedicated smartphone for work, leading many companies to adopt bring your own device (BYOD) policies. The reality is that at some point, most people blend personal and work activity on their phones — whether it’s just to write a quick email or something more serious such as remotely accessing company files. That means your company’s data is mixing with employees’ photos, apps and other personal information on a daily basis.
Without a strong device management policy in place, company data is at the mercy of an employee’s security habits. If they use a virtual private network (VPN), for example, odds are they have some grasp of mobile security best practices. On the other hand, some employees may do things like ignore operating system updates and download questionable apps to help fill their free time. If an employee accidentally downloads malware, it can compromise everything on the device, including any sensitive company data.
3. Lax Password Practices
Employees now have more accounts than ever before, but that doesn’t necessarily mean they have more passwords.
It’s not hard to understand why employees would want to reuse passwords, or pick weak passwords that are easy to hack. No one wants to try and remember 14 different passwords that each have a strong combination of length, variety and randomness — but that’s what password managers are for. Employees who reuse passwords may not understand just how dangerous this practice is. They are essentially setting up dominoes for a potential hacker. Once one account is compromised, the first thing a hacker will do is try that password everywhere else.
The Verizon Data Breach Report says that 81 percent of hacking breaches were related to weak or stolen passwords. This is one of the most preventable data breach causes.
4. Lack of Software Updates
Many employees fail to understand how important it is to keep every bit of software they use up to date. It’s tempting to click “Remind Me Later” when you have upwards of 20 tabs open and are deep in the middle of a project, but hitting the snooze button one too many times leaves known vulnerabilities unpatched, and those are exactly the ones hackers know how to exploit.
Outdated software is a problem on an organization-wide scale as well. The notorious WannaCry attack of 2017 infected thousands of computers across the globe with malware. The attack crippled Britain’s National Health Service (NHS) as well as the prominent Spanish telecom Telefonica. One of the most astonishing factors in this breach was the number of affected computers still running Windows XP. In 2016, 90 percent of NHS trusts were still using Windows XP despite the fact that Microsoft had dropped support for that operating system in 2014.
Even worse, Microsoft had released retroactive patches for Windows XP in March of 2017 that could prevent WannaCry from infecting the patched computers. The attack spread through machines without the patch, starkly highlighting the importance of installing every available update.
5. Unauthorized Access
A lot can go wrong when people have too much access to and control over company data. Take this scenario for example. Say your company finally gets interest from a huge prospective client, and it’s crunch time for coming up with a good proposal. After a herculean effort to get designers, writers, account managers and more on the same collaborative Google Doc, the proposal is finished and downloaded. You find out that you need to share the document with one more stakeholder, but instead of sharing the link you accidentally make the document public and forget about it.
With the document now available to anyone who knows how to dig it up, a competing firm finds it with a quick and easy Google Docs search. All they had to do was search for “client name + proposal”, and all your hard work can now be leveraged against your company.
This is just one example of security breaches caused by employees, in which one person with access privileges accidentally makes data accessible to inappropriate parties.
How Do I Prevent Human Error?
It’s a simple fact that humans make mistakes, but that doesn’t mean you should give up on preventative measures for data protection. These five tips can help your organization minimize the risk from these types of human error:
- Offer Data Security Training: Every employee needs to understand the policies and procedures that relate to data security. Too often, companies give out stacks of policies for employees to sign that never get read. It’s essential to go into detail about how and why each policy is a crucial element of your cybersecurity ecosystem.
- Manage Mobile Devices: If employees are going to access confidential data from their phones, it’s critical to implement a device management service. Your organization needs to be able to remotely lock and wipe devices of company data in the event that they are lost or stolen.
- Mandate Password Managers: In addition to having passwords as a component of your cybersecurity training, require that employees use a password manager. If they know they have to use one anyway, they are more likely to create stronger passwords that are less susceptible to hacking.
- Mandate Software Updates: Make software updates a core part of your security policies. When a patch or update becomes available, send out a company-wide alert to remind employees. If possible, implement a system that allows you to check whether updates have been installed as directed.
- Employ Least Privilege: It may feel like things move faster when more people can access and modify data, but it creates a huge security risk. Ensure everyone in your organization only has access to the data they need to do their job. Log systems can show you who accessed or modified data and when.
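The accidental-sharing scenario above and the logging point under “Employ Least Privilege” together, as an added example that is not part of the original post: a small Python scanner over a constructed, simplified sharing audit log (the log format, the `change_visibility` action name and the sample entries are all assumptions, not any real product’s schema) that reports who made which document public, when, and whether it is still public at review time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Visibility values treated as "readable outside the organisation".
PUBLIC = {"anyone", "anyone_with_link"}

# Constructed sample audit log (not any real product's format). Fields:
# <ISO timestamp> <actor> <action> <doc_id> <old_visibility>-><new_visibility>
SAMPLE_LOG = """\
2019-03-04T09:12:00 alice@example.com change_visibility doc-1 domain->anyone_with_link
2019-03-04T09:15:30 alice@example.com change_visibility doc-1 anyone_with_link->domain
2019-03-04T16:40:10 bob@example.com change_visibility doc-2 restricted->anyone
2019-03-05T08:00:00 carol@example.com add_collaborator doc-3 restricted->restricted
"""
NOW = datetime(2019, 3, 6, 0, 0, 0)  # constructed "time of the review"

@dataclass
class Exposure:
    doc_id: str
    actor: str           # who made the document public
    when: datetime       # when they did it
    visibility: str      # the public setting that was applied
    duration: timedelta  # how long it stayed public (up to `now` if still open)
    still_public: bool

def find_exposures(log_text=SAMPLE_LOG, now=NOW):
    """Pair each 'made public' event with the later 'restricted again' event for
    the same document; anything without a closing event is still exposed at now."""
    open_by_doc, found = {}, []
    for line in log_text.splitlines():
        ts, actor, action, doc_id, change = line.split()
        old, new = change.split("->")
        when = datetime.fromisoformat(ts)
        if action != "change_visibility":
            continue  # sharing with a named collaborator is not a public exposure
        if new in PUBLIC and old not in PUBLIC:
            open_by_doc[doc_id] = (actor, when, new)
        elif old in PUBLIC and new not in PUBLIC and doc_id in open_by_doc:
            actor0, when0, vis = open_by_doc.pop(doc_id)
            found.append(Exposure(doc_id, actor0, when0, vis, when - when0, False))
    for doc_id, (actor0, when0, vis) in open_by_doc.items():  # never restricted again
        found.append(Exposure(doc_id, actor0, when0, vis, now - when0, True))
    return found

if __name__ == "__main__":
    for e in find_exposures():
        state = "STILL PUBLIC" if e.still_public else "closed"
        print(f"{e.doc_id}: made {e.visibility} by {e.actor} at {e.when:%Y-%m-%d %H:%M}, "
              f"public for {e.duration} ({state})")
```

Run against your own export of sharing events, the entries still flagged as public are the “forgot about it” documents the section describes, with the owner to contact and the time window during which the document was exposed.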
Above all, preventing data breaches caused by human error is about instilling awareness in every employee. Many employees underestimate the importance of data security, and they don’t fully understand the repercussions of even the tiniest breach. Creating a culture with cybersecurity at the forefront can be challenging, and an engaging training program is a smart first step.
How Do I Prepare for a Breach Caused by Human Error?
Doing what you can to reduce the possibility of human error is necessary, but preparing for a security threat is equally critical. Adequately preparing for a data security incident can reduce your chances of being among the 60 percent of small and medium-sized businesses that close within six months of a breach. Here is what you can do:
- Find First Responders: The worst thing that can happen in the event of a data breach is chaos erupting because no one is sure who is in charge. Gather a team of IT, sales, legal and customer support along with appropriate executives to act as the first responders to a breach.
- Plan Communications: Your organization should have a letter prepared to go out the moment you discover a data breach. You should have versions for affected individuals and the media, as well as a version tailored for internal circulation.
- Start Logging Files: If you’re not already using a log management system, you’re depriving yourself of a key data security tool. With logs, you can pinpoint the source of the attack and the vulnerability that enabled it, so you can take steps to prevent it from happening again.
- Develop and Test a Plan: Forewarned is forearmed. Consider consulting with a cybersecurity expert to determine the best ways to find, contain and eliminate security threats. Repeat testing can help uncover weak points in your security systems and practices.
- Stay on the Defensive: These days, cyber attacks are a fact of life for almost all organizations. Data security requires a proactive approach and the assumption that your data is being targeted at any moment.
Keeping compliance in mind will also go a long way in preparing your business for a data breach, even if it was caused by human error rather than an outright attack. If your organization serves anyone in Europe, you’ll need to take the GDPR into account when planning for a breach. Its strict rules require that you inform affected parties of a data breach within 72 hours of discovering it, which will greatly impact the scope and timeline of your response plan.
The California Consumer Privacy Act (CCPA) is a similarly strict regulation that will go into effect in 2020, yet as of early 2019, only 21 percent of businesses expected to be compliant with the upcoming law. A combination of compliance focus with a proactive approach is the best way to prepare for a data breach.
Defend Your Data With BlackStratus
Data security is becoming more complex and evolving at an astonishing rate. While hackers find new ways to capitalize on human error in cybersecurity, BlackStratus works to stop them. Our LOGStorm™ application is just one of the cutting-edge solutions we offer to prevent and respond to security incidents in organizations of any size and industry.
LOGStorm offers you unprecedented control with real-time visibility into your security, incident event data storage, prioritized threat identification and more. It even uses behavior-based analysis to spot new attacks before they bypass countermeasures. Best of all, LOGStorm is offered in a range of flexible pricing plans so any business can get affordable access to enterprise-level security features.
If you’re interested in reducing human error and making cybersecurity a focus, contact us for more information. If you’d like to see our applications in action, we’re happy to provide a live demo that will show you how our security and compliance management systems can take your data protection to the next level.