Human Error And Its Role In Aiding Cyber Security Breaches

20 Jul 2022


To err is human: people make mistakes time and time again, and learning from them is a core part of the human experience. In cybersecurity, however, these mistakes are too often overlooked.

According to an IBM study, 95 per cent of cybersecurity breaches involve human error as a contributing factor; in other words, if it could be eliminated, 19 out of 20 breaches could be prevented. This raises two questions: why is human error behind so many breaches, and why do existing solutions fail to address it? Read on as we look more closely at human error and the precautions organisations can take to improve their employees' cyber behaviour.

Human error in cybersecurity

In cybersecurity, human error is defined slightly more narrowly than in everyday usage. Here it means unintentional actions, or inaction, by users that allow, spread, or cause a security breach. This covers a wide range of behaviour, from choosing weak passwords to unwittingly downloading malware.

As work environments grow more complex, employees must use more tools and services to stay productive, and more often than not each one requires its own username and password. These all add up, and in the absence of secure alternatives such as a password manager or single sign-on, employees take shortcuts to make life more convenient for themselves.

On top of having to take the right actions, employees must also stay alert for attacks designed to manipulate their decisions. Social engineering remains a prevalent form of cyber attack precisely because it exploits people's trust to get them to hand over sensitive information willingly.

The two kinds of human error

Although human error can take innumerable forms, each can be broadly categorised as a decision-based error or a skill-based error. What separates the two largely comes down to whether the user possessed the knowledge needed to take the right action.

1. Decision-based errors

These errors occur when a user makes a faulty decision. Many factors can contribute: a lack of the necessary knowledge, a lack of information about the circumstances, or a failure to realise that doing nothing is itself a decision.

2. Skill-based errors

In contrast, skill-based errors are everyday slips made while performing familiar tasks. The user knows what the right action is but fails to take it because of a simple, honest mistake, negligence, or a temporary lapse, for example when fatigued, distracted, not paying attention, or experiencing a brief lapse in memory.

A few examples of human error in action

● Password problems

For most people, remembering multiple passwords is a considerable challenge, so weak and reused passwords remain common. According to the UK National Cyber Security Centre's 2019 survey, '123456' is still the most commonly used password globally, and 45 per cent of people reuse the password of their main email account for other services.

● Patching

New vulnerabilities in software surface all the time, and developers race to fix them and ship the fixes as updates. This is why security updates should be installed as soon as they become available. Unfortunately, many people still delay these updates, sometimes with dire results.

One example is the WannaCry ransomware attack of May 2017, which affected numerous systems worldwide and cost millions of dollars in damage. Yet Microsoft had already patched the SMB vulnerability exploited by 'EternalBlue' (MS17-010) two months earlier, in March 2017. Had that update been installed when it was released, the damage could have been prevented.

● Misdelivery

Misdelivery is sending something, primarily an email message, to the wrong recipient, and it is one of the most common threats to corporate data security. In Verizon's 2018 Data Breach Investigations Report, misdelivery ranked fifth among the most common causes of breaches.

One high-profile data breach that stemmed from human error occurred when an NHS clinic in the UK revealed the names and email addresses of almost 800 patients who had attended its HIV services. The employee tasked with sending an email notification to these patients entered their addresses in the 'To' field instead of 'Bcc', exposing every recipient's details to every other recipient.
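The To-versus-Bcc mistake described above is one that a sending tool can be built to prevent rather than leaving it to the employee's attention. The following Python example is added here and is not code from the original article or from any organisation it mentions; the addresses, subject line and the RecordingSMTP stand-in for smtplib.SMTP are constructed for the demonstration. It builds the notification three ways (the unsafe all-in-To form, a blind single message whose recipients exist only as SMTP envelope addresses, and one message per recipient) and runs a pre-send guard that refuses any batch in which a recipient's address would be visible to another recipient.

```python
"""Misdelivery guard: build patient notifications so that no recipient can
see another recipient's address, and refuse to send a batch that would.

Added example, not code from the original article. The addresses, subject
and the RecordingSMTP stand-in for smtplib.SMTP are constructed for the demo.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable, List, Tuple

SENDER = "clinic-noreply@example.invalid"                  # constructed
PATIENTS = ["alice@example.invalid", "bob@example.invalid",
            "carol@example.invalid"]                       # constructed
SUBJECT = "Clinic newsletter"                              # constructed

# (envelope recipients, message): exactly what smtplib.SMTP.send_message needs.
Outgoing = Tuple[List[str], EmailMessage]


def _message(to_header: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_header
    msg["Subject"] = SUBJECT
    msg.set_content(body)
    return msg


def unsafe_notification(recipients: Iterable[str], body: str) -> Outgoing:
    """The failure mode from the NHS case: every patient in the visible To header."""
    rcpts = list(recipients)
    return rcpts, _message(", ".join(rcpts), body)


def blind_notification(recipients: Iterable[str], body: str) -> Outgoing:
    """One message for all: To carries only the sender; the real recipients are
    SMTP envelope (RCPT TO) addresses that never appear in any header."""
    return list(recipients), _message(SENDER, body)


def safe_notifications(recipients: Iterable[str], body: str) -> List[Outgoing]:
    """One message per recipient: the only address visible is the recipient's own."""
    return [([r], _message(r, body)) for r in recipients]


def visible_addresses(msg: EmailMessage) -> set:
    """Addresses a recipient could read from the headers. Bcc is included on
    purpose: smtplib.send_message strips it, but not every sending path does."""
    raw = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def exposed_addresses(batch: Iterable[Outgoing]) -> List[str]:
    """Addresses that some *other* recipient of the same message would see."""
    exposed = set()
    for envelope, msg in batch:
        delivered_to = {e.lower() for e in envelope}
        for addr in visible_addresses(msg) - {SENDER.lower()}:
            if delivered_to - {addr}:      # delivered to someone who is not addr
                exposed.add(addr)
    return sorted(exposed)


def send_batch(batch: Iterable[Outgoing], smtp) -> int:
    """Pre-send guard: refuse the whole batch if any address would be exposed.
    `smtp` is anything with smtplib.SMTP's send_message(msg, from_addr, to_addrs)."""
    batch = list(batch)
    leaked = exposed_addresses(batch)
    if leaked:
        raise ValueError(f"refusing to send: would expose {leaked}")
    for envelope, msg in batch:
        smtp.send_message(msg, from_addr=SENDER, to_addrs=envelope)
    return len(batch)


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self):
        self.sent = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.sent.append((from_addr, list(to_addrs), msg))


if __name__ == "__main__":
    body = "Your next appointment reminder."
    print("unsafe form exposes:", exposed_addresses([unsafe_notification(PATIENTS, body)]))
    smtp = RecordingSMTP()
    print("sent", send_batch(safe_notifications(PATIENTS, body), smtp), "messages")
```

The guard's invariant is deliberately simple: an address may only be visible in a message that is delivered to that address alone. It therefore passes both the one-message-per-recipient and the envelope-only (blind) patterns and rejects the all-in-To form, and it does so before anything reaches the mail server, which is where the check belongs.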

Tips to reduce human error in your organisation

● Promote a cyber-aware culture

By cultivating a security-focused culture, organisations can keep security at the forefront of employees' minds and train them to consider the security ramifications of every decision, action, or inaction. Encouraging open discussion, making it easy to ask questions, and sending out regular reminders are just a few ways organisations can change their security culture for the better.

● Reduce opportunities for human error

There are plenty of ways to reduce the opportunities for human error, and the best place to start is by systematically changing work routines, practices, and technologies so that the error becomes hard to make or has limited consequences. For instance, least-privilege access controls ensure users can only access the data their roles require, which limits how much information is exposed when one of them makes a mistake.

● Address the lack of knowledge through training

Besides reducing opportunities for error, organisations should also approach the causes from a human angle. With relevant training and education, employees can make better decisions and apply current best practices in a variety of situations. Moreover, when they are uncertain about the consequences of a given action, trained employees are more inclined to seek guidance than to make a questionable decision.

Conclusion

Humans are often regarded as the weakest link in the cybersecurity chain. But if even small steps to reduce human error can lead to substantial improvements in security, larger efforts will yield greater results.

To achieve a robust overall cybersecurity posture, organisations must address human errors and bolster their cyber defences. Here at GROUP8, we can help strengthen the latter with our comprehensive ecosystem of innovative cybersecurity services in Singapore that can be tailored to your organisational needs. Learn more about our offensive-inspired solutions today by reaching out to us at hello@group8.co.