Human Error, its role in security breaches

The Situation

Security breaches cost companies roughly $600 billion in 2015. 95% of those breaches were tied to human error. Most employees are not actively seeking to cause their companies harm. Much of the risk these workers create for their organizations stems from simple human error, inconsistent (and often unwitting) adherence to security policy, and habits carried over from life outside of work, such as sharing and recycling passwords. Examples of these types of accidental risks include:

  • employees inserting an infected USB drive into a corporate computer;
  • employees duped by phishing attacks; and
  • employees discussing confidential company information in public spaces.

The Problem

Human error wastes time and is costly for businesses. According to a broad survey of IT security practitioners in the U.S., unintentional employee negligence causes more security incidents than intentional actions by malicious actors.

Wasted Time

  • Security professionals spend roughly 3 hours per day responding to security risks caused by employee negligence or mistakes.
  • Further, a recent survey found that security professionals waste about two hours per day responding to actual security issues due to carelessness and negligence of employees.

High Costs

  • A recent Raytheon/Ponemon study found that companies spend $1.46 million in wasted time each year to resolve security incidents caused by employee negligence or mistakes.
  • The same study found that certain companies can spend up to $1.5 million resolving security incidents caused by human error.
  • Companies estimate that a 50% reduction in employee negligence would save an average of 31% in their IT security budget.

Human Error in the News

  • In June 2016, the Wall Street Journal reported that Mark Zuckerberg’s Twitter and Pinterest accounts were hacked due to two factors: he reused a password across sites, and that password was very weak. He did not follow his own company’s guidance about not reusing Facebook passwords for other sites.
  • Amazingly, Zuckerberg reused “dadada” as his password for both his Twitter and Pinterest accounts.
  • In June 2016, ESPN reported that a Washington Redskins trainer’s laptop was stolen after he left it in his car. A thief broke into the trainer’s car and stole his backpack containing a laptop, a zip drive, and a hard copy of the medical records of thousands of NFL players. The laptop held the medical records of NFL players who went through the NFL’s scouting camp between 2004 and 2016.
  • In May 2016, the Board of Directors of FACC, the Boeing and Airbus supplier, fired its CEO due to errors made in connection with what it called a “president fraud incident” that the firm discovered in January. The attackers tricked FACC financial controllers into wiring €52.8m to fraudsters in what appear to have been several transactions. FACC said that its share price had fallen 38% since the incident.

Solutions

A recent study found that security professionals agree that awareness training is the most valuable way to reduce human error. Yet, according to Gartner, traditional security awareness training programs often fail to improve a company’s security. Security professionals are aware of this discrepancy, and are reluctant to throw good money after bad.

  • Nearly half of all companies don’t have security awareness training; and
  • of total cyber security spending, $1 billion goes to awareness training, while $74 billion is spent on everything else.

Security awareness campaigns need to change employees’ behavior over the long term. To do this, companies must have a complete, ongoing strategy and well-defined, measurable objectives that stem directly from an organization’s major risks. The ability to deliver the right training experience to the people who need it, when they need it, will transform the security awareness market and drastically improve the enterprise security outcomes that depend on employee behavior.

To that end, look for a solution that offers an engaging platform built to transform a company’s security culture from a culture of basic compliance to a culture of commitment. Once that type of solution is in place, employees will actively safeguard company information because they understand why it’s important and know that their individual actions make a difference.

Works Cited

  1. McAfee. “Net Losses: Estimating the Global Cost of Cybercrime.” McAfee. McAfee, June 2014.
  2. Howarth, Fran. “The Role of Human Error in Successful Security Attacks.” Security Intelligence. Security Intelligence, 2 Sep. 2014.
  3. Ponemon Institute LLC. “The Unintentional Insider Risk in United States and German Organizations.” Ponemon Institute LLC. Ponemon Institute LLC, July 2015. Sponsored by Raytheon/Websense.
  4. Keim, John. “Stolen laptop of Redskins trainer contained players’ medical info.” ESPN. ESPN, 2 June 2016.
  5. Cobb, Michael. “2015 Strategic Security Survey.” InformationWeek. InformationWeek, 1 Sep. 2015.
  6. Walls, Andrew. “Short, Focused and Just-in-Time Approaches to Security Awareness.” Gartner. Gartner, 28 December 2012.
  7. Wells, Andrew. “Title.” Gartner. Gartner, 2016.
  8. CompTIA. “Trends in IT Security.” CompTIA. CompTIA, March 2015.