Four examples of human error in cybersecurity — and how to fix them
To err is human, as the saying goes, and cybercriminals take advantage of this most human trait. Human error is a contributing factor in a staggering 95% of cyberattacks, according to an IBM Threat Intelligence survey. And some industries, such as the financial sector, have a severe issue with human error: The Verizon 2021 Data Breach Investigation Report (DBIR) found that 55% of financial sector errors were due to the misdelivery of emails.
We are all human, but is there anything we can do to mitigate human error? Here are some examples of mistakes that lead to security incidents and how to prevent them.
Oops, my mistake: some common human errors that lead to security incidents
Making a mistake is part of life, but sometimes these mistakes can negatively impact a company. Simple and avoidable errors have often resulted in data breaches and other cyberattacks.
1. Misdelivery of emails
Most of us have made this mistake. All it takes is an accidental "cc" of someone, a click on "reply all" when a private reply was intended, or choosing a similar but incorrect name from the email address list, and you have a misdelivery. Worst-case misdelivery scenarios include the loss of confidential company information that can lead to drops in share prices, or the exposure of sensitive personally identifiable information (PII). In 2018, misdelivered emails affected 56,000 Californian patients when Dignity Health sent out the wrong emails to patients. There are countless examples of this type of data exposure.
How to stop misdelivery
Purandar Das, CEO and co-founder of Sotero, spoke about this issue on the CISO Series podcast. He told the audience how easily email misdelivery can happen when staff members are under pressure. The chance of misdelivery errors is compounded by the complexity and volume of data flowing between organizations and customers.
Das suggested that using automation technologies can help eliminate errors. He said, "Automation and intelligence need to be applied to security…giving people protection with day-to-day tasks. An example: Email filter in attachments can prevent the loss of sensitive information, e.g., a scan looking for social security numbers."
Companies can use technology such as data leak prevention (DLP) to provide this filter. DLP solutions filter certain words and phrases, and some advanced systems use machine learning to look for behavior patterns. The email is blocked from leaving the corporation if the DLP platform spots an issue. DLP is typically used alongside security awareness training of staff. Security awareness creates a security-first mindset in employees to make them aware of their role in protecting data.
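As an added illustration of the kind of content filter described above (not code from the original article or from any DLP vendor), here is a small outbound-mail check that scans the subject, body and text attachments for Social Security number patterns. The validity rules (no area 000, 666 or 900-999, no group 00, no serial 0000) follow the SSA's issuance format and cut false positives on phone numbers and other digit runs; the sample message is constructed.

```python
import re

# Candidate SSN: three digits, two digits, four digits, with optional '-' or ' ' separators.
# The digit lookarounds stop matches inside longer digit runs such as order numbers.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to avoid flagging random digit strings."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True

def find_ssns(text: str) -> list[str]:
    """Return the distinct SSN-like values in text that pass the issuance rules."""
    found: list[str] = []
    for m in SSN_CANDIDATE.finditer(text):
        if is_valid_ssn(*m.groups()):
            value = m.group(0)
            if value not in found:
                found.append(value)
    return found

def should_block(subject: str, body: str, attachments: dict[str, str]) -> tuple[bool, dict[str, list[str]]]:
    """Scan subject, body and each text attachment; block the mail if any part carries an SSN.
    Returns (blocked, {part_name: [ssns found]}) so the sender can be told what tripped the filter."""
    hits: dict[str, list[str]] = {}
    for name, content in [("subject", subject), ("body", body), *attachments.items()]:
        ssns = find_ssns(content)
        if ssns:
            hits[name] = ssns
    return (bool(hits), hits)

# Constructed sample message (placeholder names and numbers, not real records).
SAMPLE_BODY = "Hi, attached is the claims export. Call me on 555-123-4567 if anything looks off."
SAMPLE_ATTACHMENTS = {
    "claims.csv": "id,name,ssn\n1,J. Doe,123-45-6789\n2,A. Roe,000-12-3456\n",
}

if __name__ == "__main__":
    blocked, details = should_block("Claims export", SAMPLE_BODY, SAMPLE_ATTACHMENTS)
    print("BLOCKED" if blocked else "ALLOWED", details)
```

The phone number in the body and the never-issued value in row 2 are ignored; only the genuine-looking SSN in the attachment causes the block.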
2. Left on the printer
Cybersecurity isn't just about big hacks or massive ransomware attacks. It is also about accidentally exposing sensitive information. Unfortunately, the printer is often a forgotten part of cybersecurity culture. An example of printer-based data exposure comes from UK company Chubb. Chubb sent a single-page letter to its clients showing the recipient's name, address and policy document number. However, a printing error meant that the letter was printed double-sided, with each side containing a different customer's details. The company sent out the letters, and recipients could view another customer's sensitive and personal data.
How to stop print errors
A Quocirca Print Security Landscape 2022 analysis of the security situation in the print sector found that 68% of companies had suffered data loss because of print-related errors. A cloud-based print management solution can secure enterprise printing procedures and prevent errors like the one Chubb experienced.
The move to hybrid and home working has also created challenges in preventing print errors. However, managed print services designed with security in mind can mitigate the issues of home office working. Simple controls, such as preventing printouts from being accidentally sent to the wrong printer, can stop the exposure of PII and protect sensitive company information.
3. Poor hygiene habits
Employees are tired of passwords — we all are! — but unfortunately, passwords are still a big part of app access. The workaround to password fatigue is to reuse or share passwords. A Google survey found that 62% of people reuse passwords, and 52% reuse those passwords across multiple accounts. A SurveyMonkey report found that 34% of employees share passwords with their coworkers. Poor security hygiene directly leads to account takeover and data exposure.
How to stop bad password practices
Multi-factor authentication (MFA) goes some way towards improving password security. However, MFA is not always supported; where it is not, and as an additional layer on top of robust authentication options, a company should use security awareness training to educate employees on the dangers of password sharing and password reuse.
4. Misconfiguration
Human error is as much a problem for technical staff as for non-technical staff. Security misconfiguration is one of the OWASP Top Ten web application security risks. Many cyberattack tactics exploit misconfiguration vulnerabilities using techniques such as code injection and buffer overflow attacks. With many systems now exposed through APIs and cloud servers, it is easy to overlook an insecure configuration. Many of the world's highest-profile cyberattacks in recent years can be attributed to security misconfigurations. An example is a misconfigured Amazon S3 bucket under the management of Booz Allen Hamilton that led to the exposure of 60,000 Department of Defense files.
How to stop misconfiguration
Preventing misconfiguration is not a one-off fix. Setting security options deliberately and ensuring that web servers and other components are hardened is part of an ongoing process. Applying the principle of least privilege, so that only those who must access cloud and network components are granted the access they need and nothing more, is one way to prevent misconfigurations.
Security awareness training that targets roles in system admin is also essential to maintaining a security mindset.
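As an added example tied to the S3 exposure discussed above (this is illustrative code, not the article's or AWS's own tooling), the check below reads an S3 bucket policy document and reports every Allow statement that grants read or list actions to an anonymous principal, with a weak policy and its least-privilege counterpart side by side. The bucket name and account id are placeholders, and the wildcard matching on actions is a simple string comparison rather than full IAM semantics.

```python
import json

# Actions that, when granted to an anonymous principal, let anyone read or list the bucket.
# Compared as plain strings; a full checker would expand IAM wildcards such as "s3:Get*".
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}

def is_anonymous(principal) -> bool:
    """True when a statement's Principal is everyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def public_read_statements(policy_json: str) -> list[str]:
    """Return the Sid of each Allow statement that grants read access to anonymous principals.
    Statements with a Condition are still reported: a condition may or may not narrow the grant,
    so they need human review rather than an automatic pass."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in READ_ACTIONS for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed policies; "placeholder-bucket" and account 111122223333 are not real resources.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::placeholder-bucket/*"}]})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReaderRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/placeholder-reader"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::placeholder-bucket", "arn:aws:s3:::placeholder-bucket/*"]}]})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", public_read_statements(policy) or "no anonymous read grants")
```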
Conclusion
Humans will always make mistakes, especially when stressed and overworked. Managing cybersecurity risk is about building resilience across an organization, including its workforce. However, human error is one of the most challenging security areas to de-risk. There is no simple solution to preventing human error. Companies must invest in specific technologies such as DLP, but they must also shore up technology solutions with people and processes. Security awareness training and simulated phishing are ways to highlight where mistakes occur. Changing bad habits and teaching staff members to understand their roles in securing an enterprise are among the ways of making it less likely that someone will push the wrong email button or misconfigure a vital web component.
Resources:
- IBM Threat Intelligence
- Verizon 2021 Data Breach Investigations Report (DBIR)
- CISO Series podcast, "'I Love Being Monitored Online,' Said No Employee Ever"
- Government Technology magazine
- Advanced blog, Chubb interview
- Quocirca Print Security Landscape 2022
- OWASP Top Ten
- Cyberscoop, "Booz Allen Hamilton leaves 60,000 unsecured DOD files on AWS server"
- Infosec, "The state of BEC in 2021 (and beyond)"