Human error: The №1 cause of Cyber Attacks.

Rithik V Gopal
Published in The Deep Hub
Jul 13, 2022

If we analyzed all successful cyber breaches and attacks, we would notice that almost all of them share one variable: human error. Hundreds of reports state that "95% of all cyber security attacks/breaches are caused by human error". That is roughly 19 out of every 20 attacks traced back to human negligence.

Nobody is immune to mistakes. Making mistakes is a core part of the human experience; it is how we grow and learn. But in cyber security, these mistakes are often overlooked. Many successful attacks come from external attackers who prey on human weakness, baiting insiders within organizations into unwittingly handing over access to confidential or sensitive information. Human error manifests in a variety of ways: weak or easily guessable passwords, failing to install software security updates on time, and handing sensitive information to the sender of a phishing email.

These mistakes can be expensive because they involve privileged insiders who have access to the most confidential information. The most significant impacts of successful attacks involving insiders are theft of intellectual property, exposure of sensitive data, and the introduction of malware. Most security incidents that directly result from insiders are caused by innocent mistakes rather than malicious abuse of privileges.

The human factor is exploited by attackers and plays a huge role in the successful attacks seen today, but it is not always attributable to unprompted mistakes by insiders. Many of these attacks use social engineering techniques to bait individually targeted users into making mistakes. According to Verizon's "Data Breach Investigations Report", 95 percent of targeted attacks involved spear-phishing: emails carrying malicious attachments that, once opened, download malware onto the user's device. This gives attackers a foothold in the organization from which they can move laterally in search of valuable information.
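The spear-phishing pattern just described (a look-alike sender, an urgent lure, an attachment that executes when opened) is exactly what mail-gateway triage looks for. The following is an added example written for this article, not code from the original post or from Verizon: it parses a raw message with Python's standard `email` module and returns a list of findings. The two sample messages are constructed for the demonstration, and the heuristics (risky extensions, document-then-executable double extensions, an address in the display name that does not match the real sender, a Reply-To on another domain, urgency words in the subject) are this example's own choices rather than any vendor's rule set.

```python
"""Triage an inbound message for the spear-phishing pattern described above.
Added example for this article; samples below are constructed, and the
heuristics are this example's own choices, not a vendor rule set."""
import email
import re
from email import policy
from email.utils import parseaddr

# File types that run when double-clicked, or that can carry macros.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                    ".vbs", ".wsf", ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm"}
# Extensions attackers place *before* the real one to disguise it (invoice.pdf.exe).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Declared types that should never arrive with an executable extension.
DOCUMENT_TYPES = ("application/pdf", "image/", "text/")
URGENCY = re.compile(r"\b(urgent|immediately|action required|overdue|today)\b", re.I)
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: display name impersonates the CEO's address, Reply-To points
# elsewhere, and the "invoice" is a PE file hidden behind a double extension.
SAMPLE_PHISH = b"""\
From: "alice.chen@corp.example" <billing@corp-example-invoices.com>
Reply-To: alice.chen.ceo@mail.example
To: bob@corp.example
Subject: URGENT: overdue invoice, action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

Bob, please open the attached invoice and approve payment before 5pm.

--XYZ
Content-Type: application/pdf; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed benign message for comparison: real PDF from an internal colleague.
SAMPLE_BENIGN = b"""\
From: "Bob Lee" <bob@corp.example>
To: alice@corp.example
Subject: Q2 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain; charset=utf-8

Attached as discussed.

--B
Content-Type: application/pdf; name="q2_report.pdf"
Content-Disposition: attachment; filename="q2_report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B--
"""


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def attachment_findings(filename: str, content_type: str) -> list[tuple[str, str]]:
    """Flag an attachment by its final extension, disguising extensions, and type mismatch."""
    findings = []
    name = filename.lower()
    exts = ["." + p for p in name.split(".")[1:]]
    if not exts:
        return findings
    if exts[-1] in RISKY_EXTENSIONS:
        findings.append(("executable_attachment", name))
    if len(exts) > 1 and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        findings.append(("double_extension", name))
    if exts[-1] in RISKY_EXTENSIONS and content_type.startswith(DOCUMENT_TYPES):
        findings.append(("content_type_mismatch", f"{content_type} vs {name}"))
    return findings


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (tag, detail) findings; [] means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    # An address inside the display name that differs from the real sender is a lure.
    if any(domain_of(a) != sender_domain for a in ADDRESS_IN_NAME.findall(display)):
        findings.append(("display_name_spoof", f"{display!r} vs {sender}"))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("reply_to_mismatch", f"{reply_to} vs {sender}"))
    subject = str(msg.get("Subject", ""))
    if URGENCY.search(subject):
        findings.append(("urgency_lure", subject))
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part.get_filename() or "", part.get_content_type()))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw) or "clean")
```

Each finding on its own is weak (plenty of legitimate mail says "urgent"), which is why the function returns all of them rather than a verdict: a gateway would score them together, and the double extension plus a declared `application/pdf` type on a file ending in `.exe` is the combination that should quarantine the message before a distracted user ever sees it.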

Legitimate websites are now being compromised precisely because they are the sort of sites users trust. A compromised site can be used in attacks that target the interests of a specific group of users. Such watering hole attacks are on the rise; the name comes from predators lying in wait at the watering holes their prey is most likely to visit.

Now that we understand how human error can have serious consequences, let us look at the different types of human error.

While there are endless opportunities for human error, it can broadly be categorized into two types: skill-based errors and decision-based errors.

1. Skill-Based Human Error

Skill-based errors are minor mistakes that occur while end-users perform familiar activities and tasks. In these scenarios the end-user knows the correct action but fails to take it because of a brief lapse, slip, or negligence, typically because they are distracted, not paying enough attention, or tired.

2. Decision-Based Human Error

As the name suggests, decision-based errors occur when a user makes a faulty decision. Several factors can play into this: the user may lack the required knowledge, may not have adequate information about the circumstances, or may not realize that doing nothing is itself a decision.

What factors cause human error

Many factors come into play when a human makes a mistake, but most of them come down to three: lack of awareness, opportunity, and environment.

Lack of awareness: A major share of human error is caused simply by end-users not knowing what the right course of action is in the first place. For example, users who are not aware of the risk of phishing emails are far more likely to fall for phishing attacks, and someone who is not aware of the risks public Wi-Fi networks pose is far more likely to have their credentials harvested. The user cannot be entirely blamed for this lack of knowledge; the organization should address it by ensuring its end-users have the knowledge and skills to keep themselves and the organization secure.

Opportunity: The more opportunity there is for something to go wrong, the higher the chance that a mistake will be made. Human error can only occur where it is possible for it to occur. That may sound obvious, but it is the basis of prevention: remove the opportunity and the error cannot happen.

Environment: Several environmental factors make errors more likely. The physical environment of a workplace significantly influences the number of errors made while performing certain tasks. Within the office, factors such as temperature, privacy, noise level, and posture contribute to a more mistake-prone environment: an end-user who feels uneasy and distracted is more likely to make a mistake. Culture also plays a very important role. Often end-users know the right course of action for a situation but fail to carry it out because there is an easier way to do things, or because they do not understand why those things matter. A culture where security practices take a back seat will make errors more and more common, which in turn can have serious consequences.

How we can prevent human error and secure ourselves and our organizations

Human error occurs where it can occur, and to achieve error-free processes we need to eliminate opportunities for error as far as possible. But all of this is in vain if we cannot educate end-users on what the correct actions are and what risks these errors pose. To tackle this, it is important to approach human error from both sides to build a comprehensive defense strategy.

Reduce the opportunities

Modifying your work practices, routines, and technologies to reduce the opportunity for error is the best place to start your mitigation efforts. While the way you achieve this depends on the specific activities and environment of your organization, the common guidelines below mitigate human error opportunities.

Privilege control: Ensure that only authorized users have access to the data and functionality required for their roles and responsibilities (the principle of least privilege). This dramatically reduces the amount of information exposed if an end-user commits an error that leads to a cyber-attack or breach.

Password management: Password-related mistakes are probably the most common human error risk. A password manager lets users create and store strong, unique passwords without having to remember them or write them on post-it notes. Two-factor authentication should also be compulsory across the organization, so that a password alone is not enough to take over an end-user's account.
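To make the two recommendations above concrete, here is an added example written for this article (not code from the original post): the first function generates the kind of high-entropy random password a password manager stores so that the user never has to remember it, and the remaining functions implement RFC 4226 HOTP and RFC 6238 TOTP, the one-time codes behind the most common second factor. TOTP is assumed here as the 2FA mechanism; the article only says "two-factor authentication". The point the code makes is that a phished or reused password yields nothing without the shared secret held by the user's authenticator.

```python
"""Added example: strong random passwords plus RFC 6238 TOTP as a second factor.
Not from the original article; TOTP is assumed as the 2FA mechanism."""
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20) -> str:
    """Uniformly random password from ALPHABET using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps
    (clock skew). Each comparison is constant-time so timing does not leak digits."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * step, step, digits), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = secrets.token_bytes(20)   # what the authenticator app and server share
    pw = generate_password()
    print(f"password: {pw} (~{password_entropy_bits(len(pw)):.0f} bits of entropy)")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
```

A 20-character password from a 94-symbol alphabet carries about 131 bits of entropy, far beyond anything a user would memorize, which is why the manager, not the user, should generate it. On the server side, keep the skew window small (one step each way is the usual choice) and remember that a code already accepted must not be accepted again within the same step, otherwise an attacker who shoulder-surfs or phishes a code in real time can replay it.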

Change the Culture

An organizational culture focused on security practices is key to reducing human error. In a security-oriented culture, security is a priority in every decision and action, and end-users actively look out for and discuss security-related issues as they encounter them.

There are several things we can do to help build a security-oriented culture in an organization.

Encourage discussion: The best way to keep security at the forefront in an organization is to get people talking about it. Choosing discussion topics that are relevant to end-users' day-to-day work keeps them engaged and motivates them to pursue security concepts further. It also encourages each of them to see what they can personally do to keep the organization secure and keep attacks and breaches at bay.

Make it easy to ask questions: As part of the learning process, end-users will come across situations where they are unsure of the security implications. In such situations it is always wiser to consult someone knowledgeable than to make the wrong choice alone and risk the security of the organization. Ensuring that someone is always available to answer questions from end-users in a friendly manner, and rewarding users who raise good questions, will have a positive impact.

Address lack of knowledge with training

While reducing the opportunities for error is vital, we must also approach the causes of error from the human side. Educating employees on security basics and best practices lets them make better decisions, keeps security at the front of their minds, and prompts them to seek guidance when they are unsure of the consequences of an action.

Train employees on all core security topics: Because human error manifests in many ways, we must train employees on the basic security topics they are most likely to encounter in their day-to-day work. Use of the internet, email, and social media, as well as phishing and malware awareness, are some of the general topics training should cover.

Training must be engaging and relevant: Employees have limited attention spans, and training must not put them to sleep. Image and video content in interactive courses is far more effective than hour-long PowerPoint sessions. Training should not be confined to yearly sessions that employees forget a week later; it should be reinforced with regular hands-on exercises throughout their working life.
