Security Risks of Human Errors

By Henry Bagdasarian

According to multiple recent studies, human error is the single largest root cause of all security breach incidents. In one study, human error was responsible for as much as 95% of all security breaches. But not all human errors are malicious. About 60% of all human errors which resulted in data breach incidents were in fact innocent mistakes.

The second largest contributor to data breach incidents was hacking, but some argue that hackers are often successful because human error facilitates hacking, such as when social engineering attacks lure employees and others within organizations into unwittingly providing access information for sensitive data. As much as 95% of targeted attacks on employees and even customers involve spear-phishing scams with emails containing malicious attachments that can install malware onto the user’s device.

Major Human Errors

Some of the leading errors made by employees include sending sensitive documents to unintended recipients and transporting unprotected data. Mostly, employees contribute to security breaches because they:

  • fail to follow policies and procedures,
  • act carelessly when dealing with information requests,
  • share IDs and passwords, and
  • collect, retain and share data excessively and inappropriately.

The impact of human error is greater when such errors are made by employees who have privileged access, such as system and network administrators. The most common human errors made by such employees are:

  • system misconfigurations,
  • poor patch management practices,
  • the use of default names and passwords,
  • not addressing system vulnerabilities,
  • lacking technical expertise in some areas and knowledge of threats,
  • lack of review and monitoring of access, and
  • failing to follow policies and procedures.

Impact of Human Errors

The three areas of impact from successful security attacks involving human errors are:

  • exposure of sensitive data,
  • theft of intellectual property, and
  • the introduction of malware.

Solutions

Often, companies focus solely on the technical aspects of their response to data breach threats, such as deploying Intrusion Detection and Prevention Systems and tightening their firewall configurations. However, the main lesson that companies can learn from the results of these studies is that if they can improve the awareness and knowledge of their employees, they can reduce the occurrence of data breaches in their organizations by as much as 50%. But this is easier said than done.

To be effective, companies must invest in a balanced combination of technology, processes, and training to reduce their risks. For example, as companies focus on technology to reduce the risks, such as deploying Data Loss Prevention (DLP) systems to mitigate data loss through emails and USB flash drives, it’s important that they also educate and remind employees about taking the following actions to reduce human error risks:

  • stay up to date with security and privacy policies,
  • follow procedures,
  • avoid sharing ID and password,
  • minimize data mismanagement, and
  • ask for information when unsure.

Most of those surveyed in the recent studies agreed that having some type of security training as part of employee orientation, as well as ongoing reminders regarding best practices, employees' responsibilities, and the consequences of non-compliance, is critical to inform and engage employees.
