
Four examples of human error in cybersecurity — and how to fix them

July 18, 2022 by Susan Morrow

To err is human, as the saying goes, and cybercriminals take advantage of this most human trait. Human error is a contributing factor in a staggering 95% of cyberattacks, according to an IBM Threat Intelligence survey. And some industries, such as the financial sector, have a severe issue with human error: The Verizon 2021 Data Breach Investigation Report (DBIR) found that 55% of financial sector errors were due to the misdelivery of emails.

We are all human, but is there anything we can do to mitigate human error? Here are some examples of mistakes that lead to security incidents and how to prevent them.

Oops, my mistake: some common human errors that lead to security incidents

Making a mistake is part of life, but sometimes these mistakes can negatively impact a company. Simple and avoidable errors have often resulted in data breaches and other cyberattacks.

1. Misdelivery of emails

Most of us have made this mistake. All it takes is an accidental "cc" of someone, a click on "reply all" when a private reply was intended, or picking a similar but wrong name from the address book's autocomplete, and you have a misdelivery. Worst-case misdelivery scenarios include the loss of confidential company information that can move share prices, or the exposure of sensitive personally identifiable information (PII). In 2018, misdelivered emails affected around 56,000 Californian patients when Dignity Health sent messages to the wrong recipients. There are countless examples of this type of data exposure.

How to stop misdelivery

Purandar Das, CEO and co-founder of Sotero, spoke about this issue on the CISO Series podcast. He told the audience how easily email misdelivery can happen when staff members are under pressure. The chance of misdelivery errors is compounded by the complexity and volume of data flowing between organizations and customers.

Das suggested that using automation technologies can help eliminate errors. He said, "Automation and intelligence need to be applied to security…giving people protection with day-to-day tasks. An example: Email filter in attachments can prevent the loss of sensitive information, e.g., a scan looking for social security numbers."

Companies can use technology such as data loss prevention (DLP) to provide this filter. DLP solutions match outbound messages and attachments against patterns (keywords, phrases and identifier formats such as national insurance or social security numbers), and some advanced systems use machine learning to look for unusual recipient or volume patterns. If the DLP platform spots an issue, the email is held or blocked before it leaves the organization. DLP is typically used alongside security awareness training of staff. Security awareness creates a security-first mindset in employees to make them aware of their role in protecting data.

2. Left on the printer

Cybersecurity isn't just about big hacks or massive ransomware attacks. It is also about accidentally exposing sensitive information. Unfortunately, the printer is often a forgotten part of cybersecurity culture. An example of printer-based data exposure comes from UK company Chubb. Chubb sent a single-page letter to its clients showing the recipient's name, address and policy document number. However, a printing error meant that the letter was printed double-sided, with each side containing a different customer's details. The company sent out the letters, and recipients could view another customer's sensitive and personal data.

How to stop print errors

A Quocirca Print Security Landscape 2022 analysis of the security situation in the print sector found that 68% of companies had suffered data loss because of print-related errors. A cloud-based print management solution can secure enterprise printing procedures to prevent errors like that experienced at Chubb. 

The move to hybrid and home working has also created challenges in preventing print errors. However, managed print services designed with security in mind can mitigate the issues of home office working. Simple controls such as preventing the accidental sending of printouts to the wrong printer, for example, can stop the exposure of PII and protect sensitive company information.

3. Poor hygiene habits

Employees are tired of passwords — we all are! — but unfortunately, passwords are still a big part of app access. The workaround to password fatigue is to reuse or share passwords. A Google survey found that 62% of people reuse passwords, and 52% reuse those passwords across multiple accounts. A SurveyMonkey report found that 34% of employees share passwords with their coworkers. Poor security hygiene directly leads to account takeover and data exposure. 

How to stop bad password practices

Multi-factor authentication (MFA) goes some way towards containing the damage from a reused or leaked password, because the password alone no longer opens the account. However, MFA is not supported everywhere, and it does nothing about a password that is deliberately shared along with its second factor. Alongside robust authentication options, a company should therefore use security awareness training to educate employees on the dangers of password sharing and password reuse.

4. Misconfiguration

Human error is as much a problem for the technical community as for the non-technical side. Security misconfiguration is one of the OWASP Top 10 web application security risks (A05:2021). Attackers look for configuration mistakes such as default credentials, unnecessary services and features left enabled, verbose error messages and storage that is readable by anyone; exploiting them usually needs no exploit code, only discovery. It is easy to overlook an insecure configuration now that so many systems are exposed through APIs and cloud services. Many of the world's highest-profile cyberattacks in recent years can be attributed to security misconfigurations. An example is a misconfigured Amazon S3 bucket under the management of Booz Allen Hamilton that exposed some 60,000 Department of Defense files.

How to stop misconfiguration  

Preventing misconfiguration is not a one-off fix. Setting security options deliberately, hardening web servers and other components, and re-checking them whenever they change are all part of the process. Applying the principle of least privilege, so that only the identities that genuinely need a cloud resource can reach it and public access is off by default, removes the most common class of misconfiguration outright.

Security awareness training that targets roles in system admin is also essential to maintaining a security mindset.
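The S3 case above comes down to one policy statement, so the least-privilege check can be written as code and run over every bucket policy before it is applied. The following is an added example, not code from the article or from AWS: it flags any Allow statement that grants read or list actions to the anonymous principal without a condition, shows the weak policy beside the corrected one, and checks the Public Access Block settings that stop such a policy (and public ACLs, which a policy check alone misses) from taking effect. The bucket name, the account ID `123456789012` and the role name are placeholders.

```python
"""Added example: offline checks for the S3 settings that most often make a bucket public.
The policies below are constructed; account ID, bucket and role names are placeholders."""
import fnmatch
import json

# Actions that let an anonymous caller fetch objects or enumerate keys.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means everyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy):
    """Return the Allow statements that hand READ_ACTIONS to anonymous callers unconditionally.
    Action values may be wildcards ("s3:*", "s3:Get*"), so match them as patterns."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_anonymous(st.get("Principal")):
            continue
        patterns = _as_list(st.get("Action", []))
        granted = [a for a in READ_ACTIONS if any(fnmatch.fnmatchcase(a, p) for p in patterns)]
        # A Condition (source VPC endpoint, source IP, ...) may or may not make this safe;
        # those statements are left for manual review rather than reported as public.
        if granted and not st.get("Condition"):
            findings.append({"sid": st.get("Sid", "statement %d" % i), "grants": granted,
                             "resources": _as_list(st.get("Resource", []))})
    return findings


def public_access_block_ok(cfg):
    """Bucket- or account-level Public Access Block: all four switches must be on."""
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


# Weak setting: the shape of policy behind most "open bucket" incidents.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-project-docs", "arn:aws:s3:::example-project-docs/*"]
  }]
}""")

# Corrected setting: one named role, objects only, TLS required.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReaderRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/docs-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-project-docs/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}""")

# Public Access Block as returned by the API (constructed): the safe configuration.
SAFE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
    print("public access block ok:", public_access_block_ok(SAFE_PAB))
```

In a pipeline this runs against the JSON from `aws s3api get-bucket-policy` and `get-public-access-block` for each bucket, and a non-empty finding or a `False` from the block check fails the deploy. The point to keep in mind is that a clean policy is necessary but not sufficient: object and bucket ACLs are a separate grant path, which is why the four Public Access Block switches are checked as well.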

Conclusion 

Humans will always make mistakes, especially when stressed and overworked. Managing cybersecurity risk is about building resilience across an organization, including its workforce. However, human error is one of the most challenging security areas to de-risk. There is no simple solution to preventing human error. Companies must invest in specific technologies such as DLP, but they must also shore up technology solutions with people and processes. Security awareness training and simulated phishing are ways to highlight where mistakes occur. Changing bad habits and teaching staff members to understand their roles in securing an enterprise are among the ways of making it less likely that someone will push the wrong email button or misconfigure a vital web component.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.