Employees who unwittingly give away privileged system access credentials and other sensitive information to attackers are a contributing factor in over 90% of cyber attacks, according to leading industry and government reports.
The most common, cheapest, and easiest method of stealing sensitive information is spear phishing: a targeted, forged email that asks the victim to click a link and fill in a form on a fake website, or to open an attachment or link that installs malware on the user's device. The result is unauthorized access, exposure of private data, theft of intellectual property, and disruption of operations.
Despite all the attention and resources that cybersecurity receives from the media, company management, and governments, we still fail to protect our most valuable assets because we concentrate on network security and intrusion detection technology and neglect the human element.
Although human error is the most common root cause of data breach incidents, organizations keep investing in network infrastructure security and then wonder why attackers still succeed. Most companies have done a good job of securing their network perimeters with firewalls and intrusion prevention systems, yet they fail to recognize and address the persistent root cause of breaches: human error and the exploitation of legitimate access.
Human error is not limited to giving away access in phishing attacks. Other errors by employees and management that facilitate security incidents include hiring without proper background checks (which lets people with criminal histories into positions of trust), leaving inactive and orphan accounts in place, creating an excessive number of highly privileged accounts, and sharing passwords. Mandatory and frequent training is the best remedy: it reminds employees of the risks of violating security policy, of taking devices holding confidential data out of the secure workspace (where they can be stolen from cars and homes), of disposing of devices and data improperly, and of sending confidential files and messages over unsecured channels or to the wrong recipients.
The main reason the statistics pointing to human error as the leading root cause of breaches are ignored is the belief that only network security can stop attackers. That assessment is inaccurate: organizations keep fortifying their networks, and breaches keep occurring. Companies are failing to address the weakest link in the information security chain, their people, along with others who have system access such as vendors and customers.
Data breaches are abundant not because organizations lack adequate network security measures, but because they fail to recognize the limitations of security technology and the risk their own employees represent.
The best way to reduce employee-error risk and system breaches is a balanced approach: recognize the limits of security technology, automate security enforcement wherever possible, and improve identity and access management processes so that fewer employee errors turn into breaches.
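Three of the access-management failures named above (inactive accounts, orphan accounts whose owner has left, and privileged-account sprawl, plus shared credentials) can be caught by an automated access review rather than by training alone. The following script is an added example, not code from the original article: it runs a review over a constructed, hypothetical account list and HR feed, flags each category, and compares the share of privileged accounts against an assumed threshold of 25%. The 90-day idle window and the threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # HR identity responsible for the account
    privileged: bool            # admin/root-equivalent role
    last_login: Optional[date]  # None means the account has never logged in
    shared: bool = False        # credential known to be used by several people


def find_inactive(accounts: List[Account], today: date, max_idle_days: int = 90) -> List[str]:
    """Accounts with no login inside the idle window; never-used accounts count as inactive."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.last_login is None or a.last_login < cutoff)


def find_orphans(accounts: List[Account], active_employees: Set[str]) -> List[str]:
    """Accounts whose owner no longer appears in the active-employee feed from HR."""
    return sorted(a.username for a in accounts if a.owner not in active_employees)


def find_shared(accounts: List[Account]) -> List[str]:
    """Accounts whose password is shared between people, so actions cannot be attributed."""
    return sorted(a.username for a in accounts if a.shared)


def privileged_ratio(accounts: List[Account]) -> float:
    """Fraction of all accounts that hold a highly privileged role."""
    if not accounts:
        return 0.0
    return sum(1 for a in accounts if a.privileged) / len(accounts)


def access_review(accounts: List[Account], active_employees: Set[str], today: date,
                  max_idle_days: int = 90, max_privileged_ratio: float = 0.25) -> Dict[str, object]:
    """One consolidated review: each finding is a list of usernames to disable or re-certify."""
    ratio = privileged_ratio(accounts)
    return {
        "inactive": find_inactive(accounts, today, max_idle_days),
        "orphans": find_orphans(accounts, active_employees),
        "shared": find_shared(accounts),
        "privileged_ratio": round(ratio, 2),
        "excess_privilege": ratio > max_privileged_ratio,  # assumed policy threshold
    }


# Constructed sample directory and HR feed (hypothetical, for illustration only).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, TODAY - timedelta(days=3)),
    Account("bob", "bob", False, TODAY - timedelta(days=200)),         # idle for months
    Account("svc-backup", "carol", True, TODAY - timedelta(days=10)),  # owner has left
    Account("dave-admin", "dave", True, None),                         # created, never used
    Account("helpdesk", "erin", True, TODAY - timedelta(days=1), shared=True),
    Account("frank", "frank", False, TODAY - timedelta(days=30)),
]
ACTIVE_EMPLOYEES = {"alice", "bob", "dave", "erin", "frank"}  # carol is missing

if __name__ == "__main__":
    for finding, value in access_review(SAMPLE_ACCOUNTS, ACTIVE_EMPLOYEES, TODAY).items():
        print(f"{finding}: {value}")
```

In a real environment the account list would come from the directory (for example an LDAP export) and the active-employee set from the HR system; the point is that orphan and inactive detection needs both feeds, since neither alone reveals that a still-working account belongs to someone who has departed.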
Organizations can improve their security posture and reduce the number of employee errors that lead to breaches by training the employees who unwittingly compromise data security. Effective training teaches employees and other users about the latest threats and the best ways to respond.