CYBER'S #1 VULNERABILITY IS YOU!
According to a recent study by IBM, human error is the main cause of 95% of all cyber security breaches (Ahola, 2019). If human error were somehow eliminated from the equation, 19 out of 20 data breaches might not happen at all! Human error takes many forms, including weak passwords, out-of-date software and missing patches, and falling victim to phishing attacks (Hacker News, 2021). The list of cyber-attacks and data breaches caused by human error is so long that documenting every single one would be nearly impossible.
One example occurred in 2018, when the Department of Defense (DOD) sent an unencrypted email via its Defense Travel System (DTS) to the wrong distribution list. The email contained the personal information of approximately 21,500 Marines, sailors, and civilians, including their bank account numbers, truncated social security numbers, and emergency contact information (Bisson, 2020). Not only did this breach expose the personal information of thousands of people; it could also be considered a national security risk.
Because human error has been and will continue to be the biggest weakness in cyber security, organizations must thoroughly protect against it. Human error means an unintentional action, or lack of action, by employees and users that causes, spreads, or allows a security breach to take place (Ahola, 2019). There are two types of human error: skill-based and decision-based. Skill-based errors are slips and lapses when performing familiar tasks, caused by a lapse of judgement, a mistake, or simple negligence. Decision-based errors occur when users make a faulty decision, whether through lack of knowledge or through not realizing that their inaction is itself a bad decision (Ahola, 2019).
When making a plan for enterprise security architecture, human error should be a main area to establish controls over, to help prevent these types of breaches. Security awareness training helps educate users about the common mistakes that can and do occur through lack of security knowledge. However, training alone does not do nearly enough to protect against these errors. Security controls must also be put in place to prevent human error from occurring (EKU Online, 2018). Some of these additional security controls include:
Multifactor identification and authentication management – Requires more than a single point of authentication when accessing system resources, applies the least-privilege rule when granting access to those resources, and can include additional authentication requirements such as biometrics.
Network Management – Understanding the network topology, which technologies the network uses, and how security can be applied at the network level to keep hackers from gaining access to system resources.
System Monitoring and Surveillance – Identifying breaches quickly and accurately so that they can be contained. This is achieved through both machine and human effort: machines collect the data and humans analyze it to determine the risk.
Breach Detection – This step unfortunately occurs after the breach has happened, but with quick detection the impact can be minimized. Breach detection software identifies odd behavior that could be a sign of a data breach.
Encryption – If an organization uses proper encryption, hackers cannot insert themselves between email servers to intercept and read email. In the event of a data breach, encryption can also render stolen or compromised data unreadable.
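The DTS incident above is a skill-based error (a message sent to the wrong list) that a system control could have caught before any data left the organization. The following is an added example, not code from the original post or from any real DLP product: a small outbound-mail policy gate that holds a message when it contains PII-like tokens and is addressed to external domains or fans out to an unusually large distribution list. The domains, list names, message body, and the 10-12 digit account-number pattern are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Patterns for the kinds of data the DTS incident exposed. Constructed for this
# example: a real DLP deployment would use tuned, validated detectors.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # full SSN in dashed form
ACCOUNT_RE = re.compile(r"\b\d{10,12}\b")       # assumption: 10-12 digit account numbers

# Constructed directory: list address -> member addresses (hypothetical domain).
DISTRIBUTION_LISTS = {
    "finance-team@example.mil": ["pay1@example.mil", "pay2@example.mil"],
    "all-hands@example.mil": [f"user{i}@example.mil" for i in range(200)],
}

# Constructed message body resembling a travel-pay notice.
SAMPLE_PII_BODY = "Reimbursement for SSN 123-45-6789 will post to account 001234567890."


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def expand_recipients(recipients, lists):
    """Resolve distribution-list addresses to their members; plain addresses pass through."""
    expanded = []
    for addr in recipients:
        expanded.extend(lists.get(addr, [addr]))
    return expanded


def count_pii(body):
    """Number of SSN-like and account-number-like tokens in the message body."""
    return len(SSN_RE.findall(body)) + len(ACCOUNT_RE.findall(body))


def check_outbound(sender_domain, recipients, body, lists, max_recipients=50):
    """Policy gate for an outbound message.

    A message containing PII is held if any resolved recipient is outside the
    sender's domain, or if it fans out to more than max_recipients people.
    Messages without PII are not restricted by this gate.
    """
    reasons = []
    hits = count_pii(body)
    if hits == 0:
        return Verdict(allowed=True)
    members = expand_recipients(recipients, lists)
    external = sorted({m for m in members if m.rsplit("@", 1)[-1] != sender_domain})
    if external:
        reasons.append(f"{hits} PII match(es) addressed to external recipients: {external}")
    if len(members) > max_recipients:
        reasons.append(f"{hits} PII match(es) fanned out to {len(members)} recipients "
                       f"(limit {max_recipients})")
    return Verdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Same PII body sent to a small internal list, to a 200-member list, and to an outside vendor.
    for rcpts in (["finance-team@example.mil"],
                  ["all-hands@example.mil"],
                  ["vendor@partner-example.com"]):
        v = check_outbound("example.mil", rcpts, SAMPLE_PII_BODY, DISTRIBUTION_LISTS)
        print(rcpts, "ALLOWED" if v.allowed else "HELD", v.reasons)
```

The gate does not try to judge whether the sender meant to pick that list; it only enforces a rule about where PII may go and how widely, which is exactly the kind of limit-the-damage control that does not depend on a user noticing their own mistake.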
Unfortunately, whenever humans are involved there is always a chance of human error. That chance can be greatly reduced by proper and frequent user training and by implementing system controls that limit the amount of damage that can be done. These mitigation strategies need to be analyzed and worked into the enterprise security architecture to help protect organizations from the largest cyber security threat out there… you!
References
Ahola, M. (2019, April). The role of human error in successful cyber security breaches. usecure Blog. Retrieved March 7, 2022, from https://blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches
Bisson, D. (2020, October 15). 7 data breaches caused by human error: Did encryption play a role? Venafi. Retrieved March 7, 2022, from https://www.venafi.com/blog/7-data-breaches-caused-human-error-did-encryption-play-role
EKU Online. (2018, November 29). How to reduce human error and increase information security. Retrieved March 7, 2022, from https://safetymanagement.eku.edu/blog/how-to-reduce-human-error-and-increase-information-security/#:~:text=The%20first%20way%20is%20to,criminals%20bent%20on%20breaching%20security.
The Hacker News. (2021, February 4). Why human error is #1 cyber security threat to businesses in 2021. Retrieved March 7, 2022, from https://thehackernews.com/2021/02/why-human-error-is-1-cyber-security.html