An attacker can use many high-level weaknesses to break into a system, and the most common of them is not a technical one. According to IBM's Cyber Security Intelligence Index, human error was a contributing cause in 95% of the breaches studied; data loss, misdelivery and similar mistakes were among the errors listed. On that figure, if we could somehow eliminate these errors, roughly 19 out of every 20 breaches would not have occurred.
What does Human Error mean in Cyber Security?
Why is Human Error so Dangerous?
Technical controls do not stop it. A cybercriminal can guess a weak password, or use social engineering to persuade an employee to send a payment to an account the criminal controls, and a TLS certificate or a well-configured firewall will see nothing but a legitimate user acting on a legitimate system. The controls are working as designed; the person behind them has been turned into the attack path.
What factors lead to Human error?
Errors occur where there is an opportunity for them. This sounds obvious, but it has a practical consequence: the more ways a task offers for things to go wrong, the more likely it is that a user will make a mistake.
- Lack of awareness
Most human errors result from users not knowing the right course of action. For example, users who are not aware of the risk of phishing are far more likely to fall for phishing attacks, and someone who does not know the risk of public Wi-Fi is far more likely to connect to a hostile network and have their session hijacked or their credentials stolen.
- Environmental factors and culture
There are many environmental factors that lead to human error. The physical environment of a workplace can increase the number of mistakes, and culture plays an important role too. An end-user will often know the right course of action but fail to carry it out, either because there is an easier way to get the job done or because they believe the secure way is not essential. A culture in which security is always left in the background will lead to more errors.
A few examples of Human Error
- Misdelivery
Sending information to the wrong recipient is a pervasive threat to data security. One of the most serious data breaches of this kind happened when an NHS clinic revealed the email addresses, and with them the identities, of nearly 800 patients who had visited its HIV services. The employee who sent the newsletter to those patients entered their addresses into the "To" field rather than the "Bcc" field, so every recipient could see every other one.
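The NHS mistake is a single wrong header, which is exactly the kind of error a tool should refuse to make. The following is an added example, not code from the original article: a small Python helper that builds bulk mail with real recipients in Bcc and a pre-send gate that rejects any message exposing more than one address in To/Cc. The sender address, the sample recipients and the limit of one visible recipient are constructed assumptions.

```python
"""Enforce Bcc for bulk mailings so recipient identities are never exposed.

Added example, not code from the original article. The clinic address,
sample recipients and MAX_VISIBLE_RECIPIENTS are constructed for illustration.
"""
from email.message import EmailMessage
from typing import List

# At most this many addresses may appear in the visible To/Cc headers.
# A bulk mailing with its real recipients in To is exactly the NHS mistake.
MAX_VISIBLE_RECIPIENTS = 1


def build_naive_message(sender: str, subject: str, body: str,
                        recipients: List[str]) -> EmailMessage:
    """The error as it happened: every recipient is listed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)     # every recipient sees every other one
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender: str, subject: str, body: str,
                       recipients: List[str]) -> EmailMessage:
    """The safe form: To carries only a placeholder, real recipients go in Bcc."""
    if not recipients:
        raise ValueError("no recipients given")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                    # conventional placeholder for mass mail
    msg["Bcc"] = ", ".join(recipients)    # the MTA strips Bcc before delivery
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipient_count(msg: EmailMessage) -> int:
    """Count the addresses a recipient would see in the delivered headers."""
    count = 0
    for header in ("To", "Cc"):
        value = msg.get(header)           # AddressHeader under the default policy
        if value is not None:
            count += len(value.addresses)
    return count


def is_safe_to_send(msg: EmailMessage) -> bool:
    """Gate to run before any bulk send: refuse messages that expose the list."""
    return visible_recipient_count(msg) <= MAX_VISIBLE_RECIPIENTS


if __name__ == "__main__":
    patients = [f"patient{i}@example.org" for i in range(5)]   # constructed
    naive = build_naive_message("clinic@example.org", "Newsletter", "Hello", patients)
    safe = build_bulk_message("clinic@example.org", "Newsletter", "Hello", patients)
    print("naive message safe to send?", is_safe_to_send(naive))   # False
    print("bcc message safe to send?", is_safe_to_send(safe))      # True
```

The gate belongs in whatever sends the mail (a script, a mail-merge tool, an outbound mail filter), not in the person's head; the point of the example is that the check runs every time, whether or not the operator is tired or distracted.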
- Unpatched software
Cyber attackers are constantly looking for new vulnerabilities in software. When a vulnerability is discovered, the developers fix it and ship a patch or update to all users, and the race is to install it before criminals weaponise the flaw. That is why it is essential to install security updates as early as possible. In 2017 the WannaCry ransomware infected hundreds of thousands of computers worldwide and caused millions of dollars in damage. Yet the vulnerability it exploited, using the exploit dubbed 'EternalBlue', had been patched by Microsoft (MS17-010) two months before the attacks; every machine it hit was one on which a human had not applied the update.
- Password problems
The saying "Humans and passwords simply don't get along" may be funny, but it is valid to a large extent. The UK National Cyber Security Centre's 2019 password analysis showed an unfortunate truth: 123456 remains the most popular password globally, and 45% of people reuse the password of their primary email account on other services, so one breached site exposes the account that can reset every other one.
- Phishing attack
Phishing lures a user into clicking a link, opening an attachment or entering credentials on a page the attacker controls. The same trick works with physical media: an attacker leaves an external drive (such as a USB stick) within the target's reach, the target plugs it into their system out of curiosity, and whatever payload it carries runs with the target's privileges. This variant is usually called baiting, but it relies on the same human impulse. In both cases the user needs to pause and think more than once before acting on an unexpected message or device.
Types of Human Error
- Skill-based error
These consist of small mistakes, slips and lapses, made while performing familiar tasks. They occur when an employee is tired, distracted or simply not paying attention. Here the end-user knows the correct approach but fails to follow it through inattention or negligence.
- Decision-based error
These errors arise when a user makes a wrong choice, whether because they lack the required knowledge, lack enough information, or do not realise that their action amounts to a security decision at all.
How do we prevent Human errors?
- Update corporate security policy
An organization's security policy should clearly state how critical data (passwords included) is to be handled, who may access it, and which security controls apply to it.
- Use the principle of least privilege
The most straightforward way to secure data access is to deny all access by default. Designing an IT system around Zero Trust principles, where every user and device is authenticated, authorized and continuously validated rather than trusted for being inside the network, is a very secure approach. Privileged access is then granted case by case, to the people who need it for as long as they need it. This way, a mistake by one employee can only reach the data that employee was entitled to touch, which limits accidental data leaks.
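Deny-by-default with explicit, expiring elevation is easy to state and easy to get wrong in code, so here is an added example of the rule in working form. This is not code from the original article; the role names, resources and user names are constructed, and the policy model is a deliberately simplified illustration of the principle rather than a production authorization engine.

```python
"""Deny-by-default access control with time-limited privileged grants.

Added example, not code from the original article. Roles, resources,
users and the time values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class AccessPolicy:
    # (role, resource) -> allowed actions. Anything not listed here is denied.
    rules: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # user -> roles held permanently
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    # (user, resource, action) -> expiry time of a temporary elevation
    grants: Dict[Tuple[str, str, str], float] = field(default_factory=dict)

    def allow(self, role: str, resource: str, *actions: str) -> None:
        """Permit a role to perform the given actions on a resource."""
        self.rules.setdefault((role, resource), set()).update(actions)

    def assign(self, user: str, role: str) -> None:
        """Give a user a standing role."""
        self.roles.setdefault(user, set()).add(role)

    def grant_temporary(self, user: str, resource: str, action: str,
                        now: float, ttl_seconds: float) -> None:
        """Case-by-case elevation: one user, one resource, one action, expiring."""
        self.grants[(user, resource, action)] = now + ttl_seconds

    def is_allowed(self, user: str, resource: str, action: str,
                   now: float) -> bool:
        """Decide an access request. Order matters: deny is the fall-through."""
        # 1. Standing permission via a role the user holds.
        for role in self.roles.get(user, ()):
            if action in self.rules.get((role, resource), ()):
                return True
        # 2. A temporary grant that has not yet expired.
        expiry = self.grants.get((user, resource, action))
        if expiry is not None and now < expiry:
            return True
        # 3. Default deny: no rule matched, so the answer is no.
        return False


if __name__ == "__main__":
    policy = AccessPolicy()
    policy.allow("analyst", "patient_records", "read")      # constructed rule
    policy.assign("alice", "analyst")
    print(policy.is_allowed("alice", "patient_records", "read", now=0))    # True
    print(policy.is_allowed("alice", "patient_records", "delete", now=0))  # False
    print(policy.is_allowed("bob", "patient_records", "read", now=0))      # False
    policy.grant_temporary("bob", "patient_records", "read", now=100, ttl_seconds=60)
    print(policy.is_allowed("bob", "patient_records", "read", now=130))    # True
    print(policy.is_allowed("bob", "patient_records", "read", now=200))    # False
```

Two design points carry the principle. The final `return False` is the only path a request takes when nothing explicitly matched, so forgetting to write a rule fails closed rather than open. And elevation is keyed on the exact user, resource and action with an expiry, so an emergency grant given to one person for one task does not quietly become a standing permission.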
- Offer regular training and personal development
Technology advances constantly, and the demands of clients and customers grow with it. Regular training, and opportunities to acquire new skills, help employees stay up to date so that the "right course of action" they are expected to know is one they have actually been taught.
- Consider cloud storage and document management
Storing documents in a managed cloud service means the files are backed up regularly and versioned, so an accidental deletion or overwrite by one person can be recovered, and access does not depend on a single individual's machine. Access to that storage should still follow the least-privilege rule above, or the cloud simply becomes a bigger place to leak from.