How do we guard against human error without limiting employee efficiency and productivity?

According to data revealed in Verizon’s 2019 Data Breach Investigations Report, 21% of data breaches can be traced back to a human error, this was only second to phishing/malware, which sits at 31% of data breaches.  

Employees continue to make mistakes, with many not realising how damaging and dangerous the ramifications can be for an organisation’s data.  

Human errors in your cybersecurity protocols can impede operations, cause a data breach, impact your finances, and even damage your reputation. In fact, recent studies reveal that 70% of health organisations see human error as the top threat to their information security, with 52% of the IT trade industry saying the same thing.  

It is, therefore, imperative that management and data protection officers put measures in place to prevent employee mistakes rather than just deal with the fallout. 

In today’s article, we will explore data on employee cybersecurity mistakes and how we can guard against them without limiting employee efficiency and productivity.  

The ramifications of human error 

No matter how sophisticated and comprehensive your security solutions and written protocols may be, if your employees are taking shortcuts, not following processes, or are not even aware of the security behaviours you are looking for, their actions will inevitably lead to a data breach. 

Responding to a phishing email, publicising confidential information, advertising business activities on social media, or not restricting access to sensitive information all adds to the cost of data breaches, which pales in comparison to the havoc caused by hackers 

And whilst the cost of data breaches because of human error, pales in comparison to active breaches caused by hackers, Ponemon Institute’s 2019 Data Breach Report reveals the average cost of a breach due to human error is $3.5 million. 

The report also highlights that 24% of data breaches were caused by employee and contractor negligence. Here, negligence refers to actions such as falling for phishing attacks or having your IoT (Internet of Things) device hacked, lost, or stolen. 

Worryingly, the report also states that it takes organisations a staggering 242 days to identify and resolve these issues, because of slow reporting of breaches and employee obliviousness to cybersecurity issues.  

What human errors are we trying to prevent? 

If we identify the human errors that are causing holes in your cybersecurity culture, we can address them with training and development at source … rather than waiting for a breach to occur before we become active security champions.  

There are two types of human error: skill-based and decision-based. Skill-based errors refer to small mistakes during a familiar task caused by distraction, tiredness, or lack of attention. Whilst decision-based errors are bigger mistakes caused by gaps in knowledge or a lack of training.  

The most common mistakes employees make when handling organisational data and operating on work systems are: 

1. Using weak passwords: Do you have a clear and concise password management policy? It is recommended to establish clear rules on what you consider as strong passwords/passphrases and distribute this effectively amongst your employees to teach them how to properly make, handle, store, and update passwords. If you are not encouraging a strong password culture at work, you will be allowing hackers to easily access accounts using phishing or brute-force attacks. Employees should also be made aware of the dangers of keeping passwords open on platforms such as notepads, word documents or even social media, whilst also armed with the correct way to share passwords (when required to access a shared site) and update them regularly.  

2. Handling sensitive data: If your employees are working in a data-heavy environment, a small mistake can lead to a massive data leak. As a result, any negligence, tired thinking or misunderstanding of data value can be very disruptive. The behaviours that need to be addressed or trained out include accidental deletions, handling files outside of your permission level, sending information to the wrong recipients, making unauthorised changes, and not backing up critical data on a regular basis.  

3. Using outdated software: You would be amazed to know how many organisations are still sitting on and using old software, and these organisations are (or could become!) a hacker’s best friend as vulnerabilities and backdoors have yet to be patched. When employees ignore software updates, or disable security features or download unauthorised software, they are opening a whole new attack surface for unscrupulous individuals to take advantage of.  

4. Acting despite a lack of cybersecurity knowledge: This is a large-scale cause of breaches but perhaps the most important. All employees must work with the understanding that they are also agents of security. Employees follow basic health and safety rules at work, but they must also understand basic security rules. Of course, we want them to be fully concentrated on their work, but they must also pay attention to the potential consequences of their actions. If an employee does not have the basic security awareness and training, they could click on suspicious links unwittingly, use personal devices to handle sensitive data, be breached using a public network, plug in nefarious devices into a central system or even case massive data loss because of unauthorised changes.  

What are the common excuses for employee negligence? 

There are many reasons provided for human error breaches, and we must take them all into account if we want to safeguard against and prevent them. They include: 

• Overwhelmed by work: Employees are so concentrated on their current task/campaigns that they put off updates and security checks as it slows them down. 
• Unfortunate timing: Employees are hit with update reminders at times that they would rather keep reserved for their work before this develops into a habit of ignoring them forever.  
• No time: Employees are not given enough time to digest security policies or learn new software. As a result, they stick with old and outdated software and practices, thus creating vulnerabilities.  

• Lack of knowledge: Employees fundamentally do not understand the risks of their actions and do not think twice or realise that their actions constitute weak security behaviour.  
• Additional Factors: Other additional factors to consider include new hires catching up to the security protocols, crunch time causing rushed jobs and actions, and personal factors such as family issues, mental health, and general wellbeing which can all distract or divert attention from secure behaviours.  

How to help prevent human errors? 

We have established that it is better to prevent human error rather than deal with the consequences. So, just how do we mitigate human mistakes in cybersecurity? With a holistic training, development, and deployment strategy for all employees! 

• Regularly update your security policy: Your security policy should be clear, concise and cover the main cybersecurity risks; from phishing to passwords, software updates to handling sensitive data, your security policy must be regularly revised and checked to reflect best practices and keep employees aware.  
• Educate employees: It is simply not enough to tell your employees of the threats they face. They need to see it in action, understand how dangerous a breach can be and how expensive a human error is. When educating an employee on this, relate each specific risk posed by an error to your organisation’s data with a scenario-based example to ensure everyone understands how the risk relates to them. This will ensure everyone is motivated to follow the rules. 

• Privileged access: If you are handling data that should only be accessed by those permitted to, setting up privileged access on a case-by-case basis is an effective way to stop accidental leaks and deletion.  
• Require strong IT security from vendors: When organisations work with outside vendors, they need to ensure their security is up to standard as well. For example, recently Target’s systems were hacked when their HVAC Vendor became an entry point for hackers. It is especially important for organisations to communicate on their security protocols and strategies to ensure that both are working in tandem and not leaving attack surfaces open for business.  

Conclusion: change your culture! 

The human firewall needed to prevent cybersecurity breaches is still a serious threat to organisational security and data protection. When we understand why employees exhibit poor security behaviours and what these behaviours are, we can put measures into place to prevent data loss or compromise. 

TSC's SABR (Security Awareness and Behaviour Research) tool could help you determine what your employees actually do across 5 dimensions of security (engagement, authentication, data privacy and handling, physical security, and organisation culture) rather than what they say they do and therefore find the gaps, risks, and threats most prevalent to your organisation's security maturity. 

A security-first culture is key to reducing human error. Training AND awareness are key steps to encourage a workforce of security champions. Encouraging informal discussions about the risks and consequences of poor security, knowledge sharing of best practice and making it easier to report incidents, near misses and potential risks as well as signposting, timely reminders, keeping training updated and addressing new emerging threats will all contribute to creating a more robust security culture. 

Humans no longer have to be the weakest link of security culture. If we mitigate them by reducing the opportunity and educating our employees, we can safeguard organisations and businesses in the long term.  

Building cybersecurity awareness, especially in relation to emerging threats and GDPR, is the backbone of TSC’s offering. No matter the attack service or platform, TSC’s service will ensure your employees are aware and knowledgeable of the threats they will come across.

If you would like more information about how The Security Company can support you to minimise the risks your organisation is facing, please contact Jenny Mandley.