According to multiple recent studies, human error is the single largest root cause of security breach incidents. In one study, human error was responsible for as much as 95% of all security breaches. But not all human errors involve malicious intent: about 60% of the human errors that resulted in data breach incidents were in fact innocent mistakes.
The second largest contributor to data breach incidents was hacking, but some argue that hackers often succeed precisely because human error facilitates the attack, as when social engineering lures employees and others within an organization into unwittingly handing over access credentials for sensitive information. As much as 95% of targeted attacks on employees, and even on customers, involve spear-phishing scams: emails carrying malicious attachments that can install malware on the user’s device.
Some of the leading errors employees make include sending sensitive documents to unintended recipients and transporting unprotected data. Mostly, employees contribute to security breaches because they:
The impact of human error is greater when such errors are made by employees who have privileged access such as system and network administrators. The most common human errors made by such employees are:
Impact of Human Errors
The three areas of impacts from successful security attacks involving human errors are:
Often, companies focus solely on the technical aspects of their response to data breach threats, such as deploying Intrusion Detection and Prevention Systems and tightening their firewall configurations. However, the main lesson companies can draw from these studies is that improving the awareness and knowledge of their employees can reduce the occurrence of data breaches in their organizations by as much as 50%. But this is easier said than done.
To be effective, companies must invest in a balanced combination of technology, processes, and training to reduce their risks. For example, while companies rely on technology to reduce risk, such as deploying Data Loss Prevention (DLP) systems to mitigate data loss through email and USB flash drives, it is equally important that they educate and remind employees to take the following actions to reduce the risk of human error:
Most of those surveyed in the recent studies agreed that some form of security training during employee orientation, together with ongoing reminders about best practices, their responsibilities, and the consequences of non-compliance, is critical to informing and engaging employees.