Deep Web Iceberg Myth Debunked
Threat Intelligence Educational Content
Why the Iceberg Metaphor is Wrong The iceberg model suggests a sinister hierarchy, implying that things get …
The sad truth is history is filled with data breaches that were caused by simple mistakes.
A joint study by Stanford and Tessian answers the age-old question of what percentage of data breaches are caused by human error.
The study found that employee mistakes cause 88 percent of data breach incidents.
According to an IBM Security study, that number is closer to 95 percent.
And all of this is despite organizations significantly increasing their security budgets over the last ten years.
With the increasing number of breaches stemming from human error, it’s clear that our current approach to security isn’t working.
There has to be a better way.
That’s what we’re going to cover below. You’ll learn about common types of human error that cause data breaches, as well as the best ways to prevent them from happening in your organization.
Human error (in the context of cybersecurity) refers to unintentional actions or lack of actions by employees or individuals that lead to a security breach or failure in a computer system.
This is a pretty wide definition and encompasses a large number of actions.
Human error can be anything from running a malware-infected attachment to failing to apply security patches on production servers.
Perhaps this helps explain why it’s a difficult problem to solve.
Based on data from the Psychology of Human Error 2022 report, the following reasons were given why the human error was made:
Despite the infinite number of ways humans make mistakes, most can be categorized into skills-based and decision-based errors.
Understanding how each type of error occurs is crucial to understanding how they can be prevented.
These errors are typically associated with the execution of a task and are often due to a lack of technical skills required for a specific task.
They are more about “how” a task is performed.
For example, a skill-based error might involve incorrectly configuring a firewall or forgetting to enable a security setting on a server.
These errors tend to happen when performing familiar tasks and often occur when an individual performs a task automatically without much conscious thought, leading to the slip.
These errors are related to decisions made, often under conditions of uncertainty or lack of information.
They are about the “why” or “what” of an action.
An example of a decision-based error could be clicking on a suspicious link in a phishing scam, mistaking it for a legitimate email, or marking an endpoint security alert as a false positive due to underestimating or misunderstanding the full consequences of the alert.
These errors are usually the result of an incorrect assessment of a situation, leading to a poor decision.
RECOMMENDED READING: 7 Most Common Types of Data Breaches
When it comes to cybersecurity defense, humans are often the weakest link.
While breaches can occur in many forms, here are ten common examples of human error:
(Based on data from the Psychology of Human Error 2022 Report)
The main factors that contribute to or cause human error can be split up into three categories: opportunity, environment, and lack of training.
Unlike computers, people are fallible. No amount of training can guarantee that humans will make the right decision over time.
Over time, employees tend to become complacent, especially when performing routine tasks, leading to a lack of attention to detail.
The more opportunities we give people to make security decisions, the higher the chances that, at some point, they will make the wrong one.
There are many environmental factors that increase the chances of human error.
Here’s a list of the common ones:
The likelihood of a mistake being made increases when staff aren’t aware of the risks or haven’t been adequately trained on what to do.
For example, employees who don’t recognize phishing attacks are far more likely to fall for them.
It’s important to note the lack of awareness is rarely the employee’s fault.
Organizations need to periodically offer employees training based on their specific roles as well as the unique cybersecurity threats the company faces.
The training should focus heavily on hands-on exercises and simulations to help drive home theoretical concepts.
A combination of opportunity, environment, and lack of training often causes human errors.
If we can eliminate the opportunity for human error, we’ll drastically reduce the number of mistakes made.
At the same time, employees will only make the right decisions if they know the risks and the proper action to take given a particular situation.
We can drastically reduce our risk by implementing a multi-faceted approach targeting the opportunity, environment, and proper training.
RECOMMENDED READING: What A Company Should Do Ater a Data Breach
Implement technical controls that prevent people from making bad security decisions.
The specific technical controls are highly dependent on the environment, but here are some common controls that should be put in place:
There are several ways to create an environment conducive to productive work.
Providing adequate lighting, maintaining a comfortable temperature, ergonomic workstations, and reducing excessive noise can help improve your employees’ ability to focus and make sound decisions.
Designing office layouts that minimize interruptions and distractions is crucial. For instance, having designated quiet areas or private spaces can help employees who handle sensitive tasks concentrate better.
Monitoring and regulating your employee’s workload is also essential to prevent fatigue and stress.
Allowing for flexible scheduling and encouraging regular breaks can help mitigate the effects of long hours and high-pressure situations, which are often precursors to human errors.
Finally, providing employees with the right tools can significantly reduce the frustration and errors caused by trying to get a job done with the wrong toolset.
After reducing the opportunity for errors and creating an optimal work environment, we need to focus on education.
Enable employees to make better decisions by training them on security basics and best practices.
People have limited attention spans thus training has to be highly engaging and relevant to their roles.
Interactive training that gamifies the content and has a strong hands-on element can increase engagement and make learning more effective.
It’s important to note that training needs to be an ongoing process rather than a one-time event.
Regular testing can evaluate the training’s effectiveness. For example, simulated phishing exercises can identify areas needing more focus in future training.
When it comes to defending your network, Humans can be the strongest link.
While studies show that 95% of cybersecurity breaches are caused by human error, they also highlight a clear path to reducing those breaches.
The key lies not just in increasing security budgets to purchase more hardware but also in using part of that budget to address the human element as well.
The combined approach of introducing technical controls, improving the overall work environment, and continuous, gamified training can create a strong security culture.
This approach not only improves the company’s overall security posture but also empowers employees to act as proactive defenders against cyber threats.
Ultimately, our goal is to transform employees from being the weakest link in cybersecurity to our strongest asset.
Threat Intelligence Educational Content
Why the Iceberg Metaphor is Wrong The iceberg model suggests a sinister hierarchy, implying that things get …
Dark Web Monitoring Security Tools
Credit Card Fraud on the Dark Web Credit card fraud on the dark web operates quite differently from what many people …