Study after study shows that the human in the machine increases cyber security risk. Research from Stanford University and Tessian confirm this, finding that 88% of data breaches are caused by employee mistakes. But, even without statistical evidence, organisations have anecdotal proof that the human factor is behind many data breaches and other security incidents. To de-risk data breaches, you need to de-risk employees and non-employees.
Here is a guide to the kind of risks that humans add to an organisation and some ideas of how to reduce human risk.
To Err is Human
Defining what ‘human error’ means is important in working out how to minimise the risk of a human-related security error.
Human error can be broadly categorised into two areas:
Mistakes and errors happen, and when they do, the threat to an organisation increases. A typical example of oversight is an employee accidentally sending an email with sensitive information to the wrong person, aka, mis-delivery of an email.
Another example of an oversight is the misconfiguration of a cloud component such as a database. Yet another, is thinking it is OK to share a password with a colleague. Oversights cover the general area of the mishandling of sensitive data by employees that can lead to non-compliance, fines and loss of customer trust.
Social engineering scams increase human risk in an organisation. Social engineering scams, such as phishing emails containing malicious attachments or links, can increase human risk in an organisation.
Another example of an employee being tricked by a malicious actor is Business Email Compromise (BEC), a scam whereby a cybercriminal tricks employees into paying fraudulent invoices. Whether an employee is deceived or unintentionally causes a mistake, the result can be catastrophic. The FBI’s internet crime unit, IC3, report on BEC crime, for example, found that losses due to BEC in 2020 amounted to $1.8 billion.
5 Human Hacks that can Help Minimise Human Risk
Human-related risk factors can be mitigated by applying five human hacks that reduce cyber security risk:
1) Break the Cycle of the Click
The user interface (UI) and the user experience (UX) are designed to make using a computer as easy as possible. The golden chalice is the ‘one-click’ experience and, wherever possible, UI designers work diligently to achieve this goal.
Unfortunately, this means that employees and other users end up not thinking before they click, as their UI/UX conditioning kicks in. MetaCompliance recently explored the issue of the automated click response in another post “Phishing Attacks: Why Don’t We Think Before We Click?”, in which we recommend the use of controlled phishing tests to change employees’ click behaviour.
2) Build a culture of security
Cyber-risk is everyone’s business. When building a cyber security culture, you should focus sharply on areas that increase risk in a business or a process, while being aware that there may be different or varying levels of risk depending on the department or even the employee. Cyber security culture-building exercises need to reflect the granular needs of a business, and by creating a culture of cyber security awareness, you can help to de-risk through knowledge.
3) Support better decisions
Many human errors that lead to increased cyber-risk are simply poor judgement. Human error covers a wide array of issues that lead to data exposure and other security incidents. Sometimes, it is simply a case of not having the information at hand to make a good decision. And sometimes, it is about putting structures in place, so that the wrong decision cannot be made. Security hygiene is a case in point.
Research from Yubico found that 69% of employees share passwords to make account access easier. To de-risk the human factor at work, teach staff about the importance of not sharing passwords, and back this up by enforcing the use of second factor authentication (2FA) to any apps that support 2FA.
4) Cyber-hygiene to de-risk human error
Teaching employees about cyber-hygiene adds weight to the security hygiene issues mentioned above. Cyber-hygiene covers a range of areas and includes a clean desk policy that is enforceable. Best practice cyber-hygiene will minimise online security risks and keep IT systems healthy. It will also help in compliance with security standards such as ISO27001.
The practice of cyber-hygiene extends from employees into a general attention to IT system healthcare; this includes using appropriate tools to monitor potential threats, ensuring that digital certificates are updated, that patches are swiftly deployed, and so on. Good practice cyber-hygiene involves ensuring that any human error in the configuration of systems or in business processes, is caught before being exploited.
5) Make people part of your layered approach to security
Employees are often the source of an increase in cyber-risk, but they are also where an organisation can de-risk the human factor. By ensuring that employees and non-employees are part of a layered approach to cyber-security, your company can ensure holistic de-risking of ‘people, processes, and technology’.
By engaging all staff in training, from the CEO to the most recently appointed, you cover all of the gaps where data can leak, or where security mishaps can occur.
Reducing Human-Born Risk
Employees are only human, and human beings make mistakes or can be socially engineered by cybercriminals. Knowledgeable and engaged employees can help to overcome the human risk in an organisation. A clear security strategy covering people, processes, and technology, will de-risk the human factor in any organisation. This strategy should employ security training programs to help build a culture of security that then enables your people to be your first line of defence against mistakes and manipulation.