Most data breaches have something in common: a rube, an unwitting accomplice to the malicious actors perpetrating the attack. They might have clicked a link in a harmless-looking email, left a password lying around, or been duped into giving up their login credentials over the phone. All too often, a seemingly benign behavior leads to a multi-million dollar breach, with lawsuits on top of that. Humans are the weakest link in the cyber-security chain.
Human error is one of the leading causes of data breaches, and it is entirely preventable. But to prevent it, you first need to know how to spot it. The 2017 Verizon Data Breach Investigations Report states that 81% of hacking-related breaches leveraged stolen and/or weak passwords, and that 43% of attacks were social engineering-based. Of those, 95% of phishing attacks that led to a breach were followed by a malware installation. While phishing attacks are a favorite tactic of hackers, they are just the tip of the iceberg when it comes to human error.
So, what counts as human error? Of course, the aforementioned phishing attacks, wherein a user is fooled into giving up information or clicking a link that downloads malicious software (e.g. ransomware) onto their system or network, are prime examples. These attacks cast a wide net and count on sheer numbers to produce a few results. Spear-phishing, by contrast, targets individuals by using their identities and roles to craft a message designed to fool one specific target. Either way, it is human error that makes the attack work.
Another leading human error is sharing documents over insecure channels like emailing from a home network, transferring files over an insecure file-sharing site or losing USB drives with sensitive information. And now, with many organizations moving to a Bring Your Own Device (BYOD) model, lost and stolen phones storing business data are becoming a real problem.
It is also important to know who in your organization is most likely to cause an error that would lead to a breach. While anyone is susceptible to human error, it is those with the most access or the most important roles who can cause the largest breaches. Network/system administrators, accountants, and C-level employees are high-value targets for social engineering attempts and often have access to the most sensitive information and systems.
For example, administrators may fall behind in patching networks and systems with the latest security updates. Patching regularly is important to keep systems protected from newly discovered threats and exploits, including vulnerabilities that may have existed since before the software or hardware was even released. This counts as human error because it could be avoided simply by maintaining infrastructure as it should be maintained.
Weak passwords and poor password management are likely to result in human-error breaches as well. You know how Hillary's server probably got "hacked?" Someone guessed at the credentials until they got in. Let's face it, if your password contains some form of the word "password," you deserve to be hacked. The same goes if it contains a name or date that is easily found, like a significant other, pet, anniversary, or birthday: there is a solid chance that information is out on Facebook or another social network, and anyone with a modicum of sleuthing ability can guess it.
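As an added illustration (not from the original post or from Atomic Data), the following check applies exactly the heuristics above: it undoes common letter-for-digit substitutions so "P@ssw0rd" is still recognized as "password", and it flags any password that embeds a name or date an attacker could harvest from a social network. The personal details are a constructed sample; the function and its labels are hypothetical, and it is a screening step, not a full password-strength evaluation.

```python
from __future__ import annotations
import re
from datetime import date

# Constructed sample of details an attacker could harvest from a social network.
PERSONAL = {
    "name": "jane",
    "partner": "mark",
    "pet": "biscuit",
    "birthday": date(1985, 7, 14),
    "anniversary": date(2010, 6, 5),
}

# Common substitutions people use to "disguise" a dictionary word (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Digit strings (4+ characters) people typically type for a date.
DATE_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y", "%m%d%Y", "%d%m%Y", "%Y%m%d")


def normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions so variants of a word compare equal."""
    return pw.lower().translate(LEET)


def date_forms(d: date) -> set[str]:
    """All the digit spellings of a date that the check looks for."""
    return {d.strftime(f) for f in DATE_FORMATS}


def check_password(pw: str, personal: dict) -> list[str]:
    """Return the reasons a password is guessable from public information.
    An empty list means none of these specific heuristics fired."""
    findings = []
    norm = normalize(pw)
    if "password" in norm or "passwd" in norm:
        findings.append("contains a form of the word 'password'")
    digits = re.sub(r"\D", "", pw)  # keep only the digits for date matching
    for label, value in personal.items():
        if isinstance(value, date):
            if any(form in digits for form in date_forms(value)):
                findings.append(f"contains a form of the {label} date")
        elif value.lower() in norm:
            findings.append(f"contains the {label} '{value}'")
    return findings


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "Biscuit2010!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, PERSONAL) or "no findings")
```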
Everyone makes mistakes, but it is certain that humans are the weakest link in the cyber-security chain. Don't despair, though. There is help, and there is proof, in the form of subsequent years of breach studies, that people are becoming more clued in to security best practices. Ultimately, the best defense against human error is an educated workforce.
Proper security awareness training is a must for today's businesses. Whether led by an internal resource like a Chief Information Security Officer (CISO) or by a third-party security expert, organizations need to inform their employees of their security policies, procedures, and industry best practices. On top of that, employers need to maintain stringent security controls like VPNs, mandatory password changes, multifactor authentication, role-based access, and mobile device management systems (for BYOD environments). These controls lessen the impact of human error when it does happen.
It is important to train and test employees at least annually. Of course, if you don't know how or where to start, Atomic Data has your back. We now have several offerings that focus on educating our clients. Starting with Security Awareness Consulting, our certified security experts will analyze your current security policies and training. They will then assist you with writing and updating anything that needs changing, and help your users better recognize social engineering tactics and understand password management, mobile, and email policies, and more.
We are also really excited to start offering Phishing Simulation & Education. All clients using our Atomic Mail Filter service will now receive pre-made faux-phishing emails from Atomic Data resources. These will be as-real-as-can-be phishing emails that, when clicked on, will not infect your computer with malware but will trigger a follow-up email detailing what happened and directing you to training resources to learn more about identifying phishing attacks. This is a really cool way to sharpen your users' security knowledge in a safe environment. So, if you are looking to cut down on your organization's instances of human error, and thus the possibility of a serious data breach, give us a call today. We will help get you on the right security awareness path, and help you stay there.