Reducing human error is essential for any business looking to create a robust defence against cyber threats.
Human error is the single main cause of cyber security breaches and is responsible for 95% of all breaches, according to a study by IBM.
Human error in cyber security includes a wide range of actions and inaction that can leave the doors open for hackers, cybercriminals and other malicious actors in cyberspace.
Anything from neglecting to choose a strong password, accidentally installing a virus from a suspect email or letting the wrong person into the office can fall into this category of human error. This means it is quite a broad area to cover and can be quite difficult to eliminate completely.
However, specific actions can be taken to reduce the risk, and the flip side of the earlier statistic is that 95% of data breaches could be prevented if human error were eliminated.
The difference between decision-based and skill-based errors in cyber security
Human error in cyber security falls into two distinct categories: decision-based errors and skill-based errors.
Decision-based errors are where a staff member makes a wrong choice that can lead to a security breach. This may be because they do not have adequate cyber security awareness training, do not have enough information at the time to make an informed decision, or, as in most cases, do not realise that their inaction is itself a decision. For example, neglecting to deal with a suspicious email.
Skill-based errors are where the staff member knows the correct procedure but, through lack of concentration, tiredness or a lapse in memory, fails to carry out the required action. A good example of this is misdelivery.
What is misdelivery in terms of cyber security?
Misdelivery is a common issue in cyber security and, according to Verizon's 2018 data breach report, was the fifth most common cause of all data breaches.
Misdelivery refers to the act of sending details to the wrong recipient. This is quite easily done these days, especially with features such as autofill on email addresses: the wrong recipient is sometimes placed into the address field automatically, and it takes a conscious effort from the sender to spot this and delete it.
A similar issue occurred within the NHS, where 800 patients who had visited HIV clinics had their email addresses and names revealed simply because a staff member put their addresses in the "to" field rather than the "bcc" field, which would have kept their identities private.
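The NHS incident above is the kind of skill-based error an outbound mail check can catch: a bulk mailing whose external recipients sit in To or Cc, where every recipient can see every other. The following is an added example, not code from the original post or from Lyon; the organisation domain, the threshold of five visible external addresses and the sample message are all constructed for the demonstration.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"   # assumption: the sending organisation's own domain
MAX_VISIBLE_EXTERNAL = 5             # assumption: policy limit on external addresses in To/Cc


def _header_addresses(msg: Message, name: str) -> list[str]:
    """All addresses in a (possibly repeated) header, lower-cased."""
    return [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]


def is_external(addr: str) -> bool:
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def check_misdelivery(raw_message: str) -> dict:
    """Flag a message whose To/Cc fields expose too many external recipients to
    each other: the pattern behind the HIV clinic mailing."""
    msg = message_from_string(raw_message)
    visible = _header_addresses(msg, "To") + _header_addresses(msg, "Cc")
    exposed = [a for a in visible if is_external(a)]
    return {"exposed_count": len(exposed), "blocked": len(exposed) > MAX_VISIBLE_EXTERNAL}


def move_external_to_bcc(raw_message: str) -> str:
    """Rewrite the message so external recipients are in Bcc and cannot see each other."""
    msg = message_from_string(raw_message)
    visible = _header_addresses(msg, "To") + _header_addresses(msg, "Cc")
    internal = [a for a in visible if not is_external(a)]
    bcc = _header_addresses(msg, "Bcc") + [a for a in visible if is_external(a)]
    for header in ("To", "Cc", "Bcc"):
        del msg[header]                      # no error if the header is absent
    msg["To"] = ", ".join(internal) if internal else "Undisclosed recipients:;"
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    return msg.as_string()


def bcc_recipients(raw_message: str) -> list[str]:
    return _header_addresses(message_from_string(raw_message), "Bcc")


# Constructed sample: a clinic newsletter with six patients listed in the To field.
_PATIENTS = ", ".join(f"patient{i}@mail.example" for i in range(1, 7))
SAMPLE = (
    "From: newsletter@clinic.example\n"
    f"To: nurse@clinic.example, {_PATIENTS}\n"
    "Subject: Clinic newsletter\n\nHello all\n"
)

if __name__ == "__main__":
    print(check_misdelivery(SAMPLE))         # {'exposed_count': 6, 'blocked': True}
    print(move_external_to_bcc(SAMPLE))
```

In a mail gateway, the `blocked` result would hold the message for sender confirmation rather than silently rewriting it, so that the person still learns what went wrong.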
Common physical security errors
Physical security errors come in a variety of flavours, but one of the most frequent is leaving important data unattended on desktops, in meeting rooms or even just sitting in the printer tray waiting to be taken.
Even things such as leaving work premises unsecured or neglecting to lock the doors could count as a physical security error that can be mitigated by implementing Security Center SaaS, which offers comprehensive solutions for access control, video management, intrusion monitoring, and more.
Tailgating
Tailgating is a common form of physical security breach, where the malicious actor or cyber-criminal gains entry simply by following someone through a secure door or barrier.
Most of the time people don’t want to seem rude or impolite and will not challenge individuals in this circumstance. However, through their inaction, they are taking an active decision that could lead to a data breach and this would be classed as a decision-based human error.
What’s the Password? Probably 123456 or password1
A 2019 study from the National Centre for Cyber Security showed that weak passwords are commonplace across the board.
- 123456 is still the most popular password in the world
- 45% of users reuse their main email account password on other services
- Other common password mistakes include sticking passwords to monitors on post-it notes, leaving them written on notepads on the desk, and sharing them with colleagues
How to prevent human error in cyber security
Human error in cyber security covers a broad area of competency and, for that reason, the risk associated with this most common starting point for a data breach can be difficult to manage effectively.
However, the causes of human error-related data breaches can be easily identified and therefore addressed individually. As long as the procedure is upheld and no mistakes are made, a company can tighten up its cyber security by 95% if it can effectively eliminate this main risk to its data security.
Whilst it may not be possible to completely eliminate the risk of human error, there are certain steps businesses can take to mitigate this risk effectively.
Cyber security awareness training provides effective groundwork and framework for employees to operate in
One of the most effective ways to mitigate the risk of human error is to invest in professional cyber security awareness training from experts in the field.
One thing you definitely don't need, however, is reams of extensive information and hours on end of training material that will bore your staff to sleep. People have a very limited attention span, and swamping them with information about security protocols may mean that very little is remembered or taken on board.
At Lyon, we provide interactive security awareness training that fits around the schedule and the needs of the business.
We provide both online and offline training sessions that can be carried out remotely or on-site, with in-person and one-on-one training courses that are highly engaging and cover various levels: awareness, application and courseware.
Penetration testing by 'ethical hackers' to test for lapses and human errors by staff members
Even the most robust security system in the world can easily fall prey to hackers if a back door is left open, whether figuratively or literally: an unlocked door lets cyber criminals walk straight in.
When most people think of white hat hackers or penetration testers, they imagine something like Sandra Bullock in The Net, hacking mainframes and gaining access. In reality, many of their approaches centre on personnel and their actions, closely emulating the methods used by real attackers to highlight physical security issues and any risks associated with human error.
At Lyon we can deploy expert penetration testers that can test every facet of security and every entry point into your business, ensuring you have the most robust setup possible with nothing being overlooked.
The penetration testers will not only check online access through your digital systems but also find the routes into your business, born of human error, that a hacker would find.
How would penetration testers highlight human error?
Examples of expert ethical hackers probing a business for errors include:
- Attempting to physically gain access to premises by posing as staff and tailgating them through security barriers and doors
- Contacting staff members claiming to be calling from an internal help team and requiring details for maintenance purposes such as usernames or other sensitive data which would then be used to simulate a cyber attack
- Similarly, contacting staff members through false credentials and gaining remote access to their machines, thereby allowing the unauthorised person to have direct access to the business network and files
Contact Lyon to secure your business today
Human error is a key component of cyber security and leads to the majority of data breaches. This means any business can tighten up its cyber security with staff awareness training, penetration testing, operation monitoring, and vulnerability management.
For more information on how we can help with expert cyber security services, get in touch via email or phone and see how we can help secure your business today and reduce the risk of human errors in cyber security.