Most security incidents are caused by human error. So what human error prevention steps can your business take?
Is it average cloud uptime? The compound annual growth rate of mobile devices? Nope — it's the number of security incidents that involve human error, according to technology giant IBM. For many businesses, this comes as a surprise. Surely external threats outpace internal issues, right? Not even close.
It makes sense once you dig down: Advanced security controls and emerging artificial intelligence tools make it more difficult for hackers to slip in unnoticed, but by leveraging technology's natural weak spot — people — malicious actors can easily breach networks and compromise critical systems. Here's how you can boost human error prevention at your organization and solve the 95 percent problem.
The bad news? Human error is inevitable. As the Harvard Business Review notes, "We're only human, and at exactly the wrong time." In many cases this error isn't malicious but instead borne of simple ignorance, lack of training or lack of attention — typical human traits that can have serious consequences.
But there's good news, too. Better security policies can help eliminate the bulk of human-driven threats. Start with the obvious one: Passwords. Opt for long-string passwords (eight characters or more) that must include symbols and numbers. Or, have staff create passphrases that aren't easily guessed by attacker-controlled bots trying for brute-force access. Then make sure that employees change passwords regularly. Lock users out if they don't create a new password after a specified amount of time, and implement controls that flag weak passwords. Seems excessive, right? Not when the top passwords out there are still "123456" and "password." Yikes.
In some cases, staff don't know they're making errors which could lead to serious data breaches. Consider that according to eSecurity Planet, 78 percent of U.S. healthcare firms were hit with email cyberattacks in 2017. These "phishing" attacks are often sophisticated and slick, designed to look just like legitimate emails from C-suite executives or financial institutions. Staff may click on what seem to be innocuous links or download supposedly "necessary" updates loaded with malware. Here, simple rules go a long way:
- Never open attachments unless you are confident of the sender's identity.
- Never follow in-email links.
- Never activate macros if a downloaded document is open (or better still, have IT disable macros altogether).
According to research firm Gartner, mobile device adoption in the workplace is "not yet mature," but that doesn't stop staff from expecting business-level access on personal devices. The result is that these devices become common points of compromise. So businesses need software tools capable of tracking all devices on their network, all the time — including phones, tablets and laptops — along with the ability to lock or remotely wipe devices as needed. Make it clear that this is the price of admission: If employees want full access, they must allow basic security measures. A written and clearly communicated policy is essential.
The IBM study notes that simple misconfigurations by network admins can result in data breaches, while CSO Online points out that system admins can also be the root of malicious insider threats. That's why it's critical to find staff, vendors and/or contractors you trust to handle IT security management. This includes managing new devices, removing old devices from the network and ensuring that users are following current policy. Better still, leverage automation along with human oversight to limit the risk of data entry or analysis error, in turn giving IT staff more time and space to manage users.
Hackers want in, and the 95 percent problem is their best bet. Boost human error prevention to limit attacker opportunities.
SIGN UP FOR THE THRIVE NEWSLETTER