90% of Security Breaches Are Due to Human Error
A data breach can be disastrous for a business. In nine cases out of ten, human error is a significant contributing factor. A CybSafe study found that 90 percent of breaches in the UK in 2019 were caused by user error. Closer to home for our customers in the Atlanta and Charlotte areas, a study from Stanford University attributed 88% of breaches to employee mistakes. In 2018 the City of Atlanta suffered a major ransomware attack, with weak passwords as a key enabling factor.
The cost of a cybersecurity breach runs very high. The average cost in 2019 was $3.92 million. The cost will vary with the size of the business and the value of its data, but it’s often enough to destroy an organization. The costs include loss of time, need to bring in special assistance, recovery of affected systems, compensation to affected parties, and loss of reputation. In most cases, greater care to avoid errors and reduce their consequences can avoid such a disaster.
Why employees get careless
Businesses often don’t have adequate security policies or don’t communicate them clearly. Even when they make the effort, employees don’t always follow them. Several factors contribute to this:
- Lack of understanding. The explanations may be too vague or too technical. The only explanation might have been a one-time lecture which the employees quickly forgot. Cybersecurity awareness requires an ongoing effort.
- Conflicting work demands. Employees who feel rushed often cut corners to get the job done. They neglect security practices because the extra steps would slow them down. Some requirements may be so unrealistic that they undermine concern for the policies.
- Lack of understanding for the need. If employees don’t understand the need for a security practice, they’re likely to ignore it some or all of the time. They need a clear understanding of what carelessness can lead to.
Kinds of errors that lead to breaches
Many types of mistakes can expose data to unauthorized parties. Most of them fall into a few categories.
- Accepting phishing messages as legitimate. This is by far the most common error that leads to a breach. The criminals who devise these messages go to great lengths to make them look real. They often target specific businesses or individuals. Once the perpetrators get access to accounts, they can access confidential information directly or plant malware.
- Oversharing on social media. People post far too much information about themselves online, including their job details, family history, names of co-workers and relatives, and the financial institutions they use. Impersonators can use that information to answer “lost password” questions, make phishing messages more plausible, and pose as the victim in messages to others.
- Weak passwords. The most commonly used passwords include “123456,” “123456789,” and “password.” It doesn’t take great hacking skills to guess them and get access to accounts.
- Poor password management. A strong password with poor protection is just as risky. Mistakes include leaving the password written down and visible, using the same one for multiple accounts, using an insecure password manager or giving it a weak master password, and sharing passwords carelessly.
- Careless data handling. Some of the worst data breaches have resulted from the theft of laptops containing unencrypted data. Other mistakes include plugging in unverified USB sticks, putting sensitive data on unprotected personal devices, and sending email to the wrong recipient. Sending sensitive data by email is generally a bad idea unless it’s encrypted from end to end.
- Using unauthorized software. Employees often install software on their computers to get tasks done. If they make poor choices, this can open security holes that intruders can exploit. Downloading legitimate software from a questionable website can mean getting an infected version of the code.
Promoting awareness of errors
If an error is caught quickly enough, it’s often possible to correct it or reduce its damage. This will happen only if employees aren’t afraid to report their mistakes. If they think it will hurt their job standing, they’ll keep quiet.
Studies have found that young employees are more likely to admit to their errors. Perhaps they’re more confident they can get another job if necessary. At the same time, they are more likely to be tricked by phishing messages. This runs contrary to the stereotype of older people being duped by scammers, but experience in life counts for something.
Regardless, employees should feel safe in reporting their errors, even (or especially) when they could cause security problems. They’re likely not the only ones who made those errors, and managers can act on them only if they know about them. The focus should be on avoiding the error in the future and fixing any problems it caused.
Training and reminders are the best way to prevent mistakes. When employees make mistakes anyway, that same training helps them recognize that there is a problem and take quick steps to remedy it, such as changing passwords.
IT practices to reduce harm
A security-aware IT department can reduce the chances that an error will cause serious security problems. Whether the support comes from an in-house team or a managed services provider, it can improve network setups to reduce the risk.
Software should be configured to minimize its vulnerability. The principle of least privilege limits the damage an intruder can do after gaining access to a normal user account. People should be able to take only the actions they need to do their jobs, so someone who takes over such an account can do only limited harm.
Wherever possible, software should be set up to require strong passwords. Easily guessed passwords are a frequent security weakness, and preventing them will make life harder for intruders.
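The following is an added example, not code from the original post: a password-policy check that rejects the common passwords listed above (“123456,” “123456789,” “password”) and a few other constructed entries, enforces a minimum length, catches trivial leetspeak variants and keyboard sequences, and refuses passwords containing the user name. The blocklist, the minimum length of 12 and the substitution table are assumptions for the example; a real deployment would load a large breached-password list instead.

```python
"""Password-policy check (added example; blocklist and thresholds are constructed)."""
import re
from typing import List

# Constructed blocklist for the example. Production systems should load a
# large list of breached/common passwords rather than this short set.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "111111",
    "abc123", "password1", "iloveyou", "admin", "letmein",
}

MIN_LENGTH = 12  # assumed policy minimum

# Undo common character substitutions so "P@ssw0rd" is still caught as "password".
LEET = str.maketrans("@$!0134", "asioiea")


def is_sequence(s: str) -> bool:
    """True for a repeated character ('aaaaaaaa') or a straight run ('abcdefgh', '87654321')."""
    if len(set(s)) == 1:
        return True
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas in ({1}, {-1})


def policy_violations(password: str, username: str = "") -> List[str]:
    """Return the reasons a password fails policy; an empty list means it is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip a trailing year/punctuation ("...2024!") and undo leetspeak before
    # checking the blocklist, so simple dress-ups of a weak password still fail.
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", lowered)
    normalised = stripped.translate(LEET)
    for candidate in (lowered, stripped, normalised):
        if candidate in COMMON_PASSWORDS:
            problems.append("matches a common/breached password")
            break

    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the user name")

    if is_sequence(lowered):
        problems.append("is a keyboard or digit sequence")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for the enforcement point (account creation, password change)."""
    return not policy_violations(password, username)


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd2024", "correct horse battery staple"):
        print(repr(pw), "->", policy_violations(pw) or "OK")
```

The check is meant to run at the point where the password is set, so a weak choice is refused before it ever protects anything; pairing it with a generous minimum length matters more than forcing special characters, which users tend to satisfy with exactly the substitutions the table undoes.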
Critical accounts should use multi-factor authentication. It prevents account hijacking even if a password is stolen.
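To show what “even if a password is stolen” means in practice, here is an added example (not the post’s own code) of a login check that requires both a password and an RFC 6238 time-based one-time code. The user record, the static salt and the secret `12345678901234567890` (the RFC’s own test secret) are constructed for the example; the login succeeds only when the password hash matches and the six-digit code is valid for the current 30-second window or one step either side.

```python
"""Two-factor login check: password (PBKDF2) + TOTP (RFC 6238). Added example."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per TOTP window
DIGITS = 6
WINDOW = 1     # accept one step before/after to tolerate clock drift
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = WINDOW) -> bool:
    """Constant-time comparison against every step inside the drift window."""
    for step_offset in range(-window, window + 1):
        expected = totp(secret, at + step_offset * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record. Use os.urandom(16) for a per-user salt in practice."""
    salt = b"constructed-static-salt-for-example"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    at = int(time.time()) if at is None else at
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed account)
    alice = make_user("correct horse battery staple", secret)
    # A stolen password with a guessed code gets nowhere:
    print("password only:", login(alice, "correct horse battery staple", "000000", at=59))
    # Password plus the code the authenticator shows at that moment succeeds:
    print("both factors:", login(alice, "correct horse battery staple", totp(secret, 59), at=59))
```

The drift window is the one setting to think about: widening it beyond a step or two makes a captured code useful for longer, while `WINDOW = 0` will lock out users whose phone clock is a few seconds off.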
These are just a few of the ways an IT team can reduce the chances that errors will lead to a breach.
To err is human, but people can learn to make fewer errors, and networks can be set up to prevent them from causing breaches. We provide top-quality IT services for businesses in the Charlotte and Atlanta areas, helping to keep your systems secure while you focus on your business. Contact us to learn how we can help.