Human Error: 3 Security Tips for Reducing Risk

Your workers may be your greatest security risk.

One-quarter of all data breaches last year resulted from successful social engineering attacks (when employees are manipulated into taking certain action or divulging confidential information). The human element refers to errors made by users that put information assets at risk. Common examples called out in the report include cloud misconfigurations, the use of weak passwords and the failure to implement patches. When human error and privilege misuse are combined, the human element accounted for 82% of data breaches in 2021. 

The human element of cyber security is a multi-faceted problem. So, organisations must develop a comprehensive risk management strategy, which incorporates the right security tools, incident response procedures and employee training to protect against the worst-case scenario.  

The role of human error in data breaches

 Insider threats are internal players – such as employees, supply chain partners or contractors – who put cyber security at risk. Accidental insiders do not intentionally cause harm, but do so anyway because of factors such as inattention, a lack of understanding or mistakes. 

Research shows that accidental insiders are one of the biggest threats to data security today: 

• 91% of UK companies surveyed experienced at least one successful email-based phishing attack last year – with 84% reporting email-based ransomware attacks.
• According to the DBIR, error continued to be a dominant trend throughout 2022, and is heavily influenced by misconfigured cloud storage.
• Data emailed to the wrong recipient is the most common incident type reported, making up 15% of total incidents reported across the period up to Q2 of 2022. 

ICO and General Data Protection Regulation (“GDPR”) fines over the last few years also highlight the reality of accidental insiders. In Q3 of 2022, 2,404 breaches reported to the ICO were a result of “mistakes by users”. 

NHS COVID-19 example

In 2020, a Google Drive containing sensitive information about the NHS COVID-19 contact tracing application was left open for public viewing. In that instance, it appeared that an NHS employee uploaded the documents to Google Drive without checking that the configuration settings were private, leading to the leak.

How the accidental insider causes data breaches and leaks

There are numerous ways in which a breach or leak could occur – such as: 

• An employee opening a malicious phishing email that leads to a malware attack
• Poor password practices that enable cyber criminals to break into an organisation
• Accidentally sharing, deleting or modifying sensitive data
• Using personal devices and third-party applications without the IT team knowing
• Failing to apply security updates

3 steps to protect against human error

Changing employee awareness, behaviour and culture doesn’t happen overnight. It requires training, contextual insight and an understanding of the impact that specific controls can have before they are implemented. It is important to find the balance between worker productivity/ efficiency and risk control. 

For a comprehensive view on how to protect your organisation from insider threats and other cyber attacks, we recommend reviewing NIST’s Cybersecurity Framework and/or the National Cyber Security Centre’s (“NCSC”) 10 Steps to Cyber Security. Both offer guidelines and best practices for protecting organisations from the data loss associated with insider threats. 

Below are  three key considerations for protecting against human error: 

1. Monitor user behaviour and access privileges 

A 2019 report from the SANS institute identified two significant gaps in insider threat defences: a lack of visibility into user behaviour, and a lack of privileged access management. These gaps are the most likely to enable attacks like phishing and use of compromised credentials. 

To mitigate these risks, security solutions such as User Behaviour Analytics (“UEBA”) and privileged access control should be implemented. UEBA works by using AI and data analytics to review user activity and spot any risky behaviour – such as a user attempting to download documents that they shouldn’t be accessing or sending a sensitive file to an unsanctioned email address. The software can then alert your IT personnel so that they can educate the end user. Some solutions even prevent the user from completing the risky action and flag that they will need authorization to continue. 

Privileged access controls are based on the principle of zero trust security – which governs that users should have as little access privileges as necessary to carry out their job. In the battle against compromised passwords and email accounts, privileged access management is essential to limiting data loss. 

2. Educate your users about the risks of phishing and other cyber attacks

Recent Ponemon research found that 63% of insider threats are caused by employee or contractor negligence. The best way to combat this negligence is through the ‘ABC’ of security improvement: awareness, behaviour modification and an improved security culture. This can be achieved through a combination of formal training, informal awareness sessions, updates, guidance and assurance exercises, like employee phishing tests.

Chances are your organisation already has a cyber security training programme in some form such as an  e-learning course or similar. While there’s nothing wrong with e-learning courses or an annual cybersecurity offsite, it’s important that you don’t treat training as a tick-box exercise. For it to have a positive impact, employees need to find training engaging and worthwhile.

At Evalian, we advocate dynamic, ongoing and tailored cyber security training to minimise the risk of accidental data loss. This is because every organisation is unique, meaning that blanket training programmes will never quite fit the idiosyncrasies of individual companies. 

What’s more, any cybersecurity efforts that reduce employee productivity aren’t likely to stick. So it’s best that training is bite-sized but regular, having a minimal impact on your employees’ workflow.  

3. Protect data at the source and plan for the worst 

As NIST’s cybersecurity framework notes, to protect your company from insider threats, you need to understand what data you have and protect it. Aim to identify what sensitive data your organisation holds, how it is stored, who has access to it and why, and what protections there are to safeguard it. 

Implement solutions like encryption, privileged access management and data loss prevention to protect sensitive data from both insider and external threats. 

Put in place incident response procedures preempting the worse-case scenario. Create a detailed plan of how your company will react to a cyber security incident so that you can take a quick, measured approach to preventing data loss or a breach. 

In the increasingly digital world of business, accidental insider threats are a fact of life. However, these mistakes do not have to lead to a costly data breach. With the right proactive strategy and tools, your company can ensure that the risks associated with human error are mitigated.