Tighter data protection regulations have forced businesses to put data security at the top of their priority list. However most companies still lack a strong cybersecurity culture among their employees. In fact, a recent paper by Osterman Research reports that less than half (42%) of organizations train their employees on the General Data Protection Regulation (GDPR), even though it came into force many months ago. Even fewer — only 18% —have a program in place to train their employees on the California Consumer Privacy Act (CCPA); it will come into force in 2020, so they probably think they have plenty of time.
Lack of training increases the risk of human errors that lead to data breaches. Fortunately, there are tools and techniques that can help you mitigate the risk of human errors and their consequences. Here are the most common errors users make and the preventive measures you can — and should — take before they lead to real damage.
Human error #1. Falling for phishing
Phishing is when a scammer sends malicious emails that seem to be from a trusted source in order to induce victims to reveal personal information. According to the 2018 Verizon Data Breach Report, phishing and pretexting (presenting oneself as someone else in order to obtain private information) account for 93% of social breaches, and email is the most common attack vector (96%).
This mistake is more likely if a company tells employees about cyber security only at the time of hire, instead of establishing a security-centric culture. The choice of training is also important. I recommend steering clear of boring training classes; instead, use short, five-minute videos that recreate real-world situations that show how social engineering attacks work.
Of course, some people might still act irresponsibly when faced with an actual phishing email. According to 2018 Verizon Data Breach Report, 4% of people say clicking on a suspicious attachment is not a big deal. Therefore, a second useful tip is to run phishing simulation tests periodically to check whether the training was effective and employees follow your information security policies. You’ll identify the high-risk users who are more likely to click on malicious links, so you can work with them individually. Finally, you should implement anti-spam and email filtering tools to mitigate the risk even further.
Human error #2. Letting unauthorized users access corporate devices
According to Wombat’s 2018 User Risk Report, 55% of working adults allow friends and family members to access their employer-issued devices at home. This is another sign of poor cyber security awareness, since the friend or family member might access sensitive data like the organizations’ bank accounts or customer data. What’s worse, they might download malware that could get access to corporate data, cloud applications and storage.
One-time training at hire time is not sufficient to mitigate the risk of this human error. Instead, introduce a comprehensive information security plan that all employees must follow, and encourage team leaders enforce cybersecurity discipline within their teams.
Another important measure is to implement proper security controls on devices and systems. Ensure that all devices are password protected, and employ two-factor authentication to all corporate devices and applications if possible.
Human error #3. Poor user password practices
According to Wombat’s 2018 User Risk Report, 66% of respondents who do not use a password manager tool admit to reusing 60% passwords across online accounts. This is a very risky practice, because once one account is compromised, the attacker gets access to a wider variety of assets. Beyond password reuse, other password-related risks include using obvious passwords (e.g., 123abc, 1111), failing to update passwords regularly, storing passwords within reach of the computer, and sharing passwords with others. All of these poor password practices increase the risk of a breach for a company, because an attacker can more easily steal or crack passwords.
Holding training sessions dedicated solely to passwords practices is definitely worth doing. Also consider using supportive hints that are pushed to user screens when they log in — these tips can repeat key points emphasized in the training (e.g., “Never keep your password in a place that can be accessed or viewed by anyone besides yourself.”).
Another important measure is to use a password manager software application that generates and retrieves complex credentials and stores them in an encrypted database. In addition, consider using a password expiration tool that automatically reminds users to change their passwords before they expire, so you can require regular password changes without burying your helpdesk in calls to reset expired passwords.
Human error #4. Poorly managed high privileged accounts
IT pros can make mistakes, too, and such mistakes often cost companies a lot. Accounts with high privileges, such as admin accounts, are powerful, but security controls for preventing their misuse are often inadequate. The recent Netwrix 2018 IT Risks Report shows that only 38% of organizations update admin passwords once a quarter; the rest do it only once a year or even more rarely. If IT pros fail to update and secure the passwords to privileged accounts, attackers can crack them more easily and get access to the organization’s network. Then they can use the compromised admin credentials to bypass access controls on various resources or IT systems in order to access sensitive data.
A necessary preventive measure is to implement the least-privilege principle to all accounts and systems wherever possible. Instead of granting administrative rights to multiple accounts, elevate privileges on an as-needed basis for specific applications and tasks, only for the short period of time when they are needed. Two-factor authentication is also useful as an extra layer of protection. Finally, it is necessary to establish separate administrative and employee accounts for IT personnel; admin accounts should be used only to manage specific parts of the infrastructure.
Human error #5. Misdelivery
According to the 2018 Verizon Data Breach Report, misdelivery is the fourth most frequent action that results in data breaches. It is a common scenario for the healthcare industry in particular; there have been high-profile cases in which an employee sent an email containing PHI to the wrong recipients. Misdelivery accounts for around 62% of human error data breaches in healthcare.
This error is one of the hardest to avoid; however, here are some tips. Consider requiring encryption for all emails that contain sensitive information. In addition, employ pop-up boxes that remind senders to double check the email address when they’re emailing sensitive data. Another tip is to implement a data loss prevention (DLP) solution that monitors event that could lead to information leakage and automatically takes action, for example, by preventing users from sending sensitive data outside of the corporate network.
What if an error happens anyway?
The reality is that even if a company has superior cybersecurity defense, people still make mistakes. A sophisticated phishing attack might lead to malware being released in your network, an admin might grant someone excessive permissions, or some users might have their passwords cracked due to poor password practices. In fact, the Netwrix 2018 IT Risks Report found that 29% of organizations had to deal with human errors that resulted in data breaches over the last year.
Therefore, every organization should improve its detection capabilities so it can respond promptly to suspicious or improper events. For example, you need to quickly spot spikes in user activity, such as a large number of failed change or access attempts or suspiciously high number of file modifications, as well as unusual access to company’s sensitive data by a regular business user. To be able to proactively detect and respond to such suspicious activity, employ user behavior monitoring methods that enable you to track the activity of all users, including privileged ones.
According to the UK’s Information Commissioner’s Office (ICO), 88% of data breaches in the UK during the past two years were caused by human error, not hacker attacks. The number of reported incidents increased by 75% over that period, due at least in part to the introduction of the GDPR, which made breach notification mandatory.
It’s abundantly clear that poor cybersecurity awareness of employees has a negative impact on businesses. By taking cybersecurity seriously, you can minimize the risk of data breaches and the attendant damage. To achieve this goal, you should establish effective training programs for employees and implement technologies that enable you to secure your most sensitive data, no matter where it resides.