Security awareness

Human error is responsible for 74% of data breaches

November 30, 2023, by Jeff Peters

The number of cybersecurity incidents and data breaches gets more alarming every year. Data from these breaches is incredibly valuable, whether sold directly on the black market or leveraged for extortion attempts. Breaches can also lead to ransomware attacks that can disrupt an organization for days — or even weeks.

Verizon’s 2023 Data Breach Investigations Report (DBIR) details the human errors that lead to data breaches. In fact, 74% of the breaches it analyzed involve a human element, such as clicking on a phishing link. Whether it's a man-in-the-middle attack over public Wi-Fi, a social engineering scam or something else, people are inadvertently involved in most data breaches.

However, the good news is that organizations have the power to reduce the human risk related to potential data breaches. Security awareness training is one of the most effective ways to empower employees to recognize these threats — and help protect your organization.

Why human error is a major risk factor

Technology alone will not keep your organization safe. Humans are the backbone of any organization, but they are not cybersecurity experts by nature.

Employees can accidentally expose data in many ways, such as setting incorrect sharing permissions on a document, falling for a phishing scam or connecting to unsecured Wi-Fi. With the rise of remote work, employees are no longer behind the office network perimeter and its on-site controls, so they may inadvertently let their guard down, which can lead to a data breach.

Two years' worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Types of data breaches

Breaches that start with a person can be incredibly damaging, and they are the norm rather than the exception. According to the DBIR, the three primary ways threat actors get into an organization are stolen credentials, phishing and exploitation of vulnerabilities, and the first two depend directly on a human being doing something.

Human error

The human element is the biggest contributor to data breaches. Nearly three out of four breaches involved a human element such as error, privilege misuse, use of stolen credentials or social engineering. Plain misconfiguration counts too: in 2023, digital risk protection firm DarkBeam inadvertently exposed billions of email and password combinations through an unprotected database interface (an Elasticsearch and Kibana instance left reachable without authentication).

Privilege misuse

Privilege misuse is a more deliberate kind of breach, carried out by insiders who abuse access they were legitimately given. A famous example is Edward Snowden, the NSA contractor who leaked classified surveillance details to the media in 2013. Privilege misuse also happens on a much smaller scale: sensitive data forwarded to a personal email account or copied to a personal device, or a staff member rummaging through a system they have no business reason to use.

Stolen credentials

Stolen credentials are the most sought-after type of data. Once a malicious actor holds working login information, they can use it to move through your systems, plant malware or deploy ransomware while looking like a legitimate user. Cybercriminals obtain credentials by exploiting vulnerabilities in your systems, by buying dumps from earlier breaches or by tricking a team member into typing a password into a fake login page. For example, in 2023 an attacker used a stolen credential to get into Okta's support case management system and view HTTP Archive (HAR) files that customers had uploaded for troubleshooting; such files can contain session cookies and tokens.

Social engineering

Social engineering is an umbrella term for techniques that manipulate individuals into revealing specific information, including credentials or privileged data, or into taking an action on the attacker's behalf. These attacks reach an organization's files, applications and network infrastructure by exploiting predictable human tendencies, such as deference to authority and the urge to be helpful, rather than technical flaws.

According to Verizon's research, one particular type of social engineering attack, business email compromise (BEC), has almost doubled over the past few years and now represents more than 50% of incidents in the report's social engineering pattern. In a BEC scam, fraudsters impersonate an executive, vendor or colleague, often by hijacking an existing email thread or writing from a lookalike domain, with a request that appears legitimate, such as new bank details for an invoice.

BEC attacks are more dangerous than a typical phishing attack in a few ways. First, they usually contain no malware, malicious link or attachment, so there is nothing for a sandbox or signature scanner to detonate, and they can sail past automated inbox detection. They also target specific individuals with highly personalized information and lean on secrecy, urgency and authority to get an employee to act before checking. The practical countermeasure is procedural: any request to move money or change payment details is verified out of band, by phone or in person, using a number the organization already has rather than one supplied in the email.
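Because a BEC message carries no payload, what is left to detect are the headers and the wording. The following script is an added example, not code from the article or from Infosec: it parses raw email messages and reports the warning signs described above (a Reply-To pointing somewhere other than the sender, an executive's display name on a foreign address, a lookalike sender domain, and secrecy/urgency language). The company domain example.com, the one-entry executive directory and both sample messages are constructed assumptions.

```python
"""Heuristic BEC indicators over raw email messages (added example, not from the article).

Assumed environment: the organization's domain is example.com and its
executive directory lists one person. Both samples below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # assumed directory
PRESSURE_PHRASES = ("urgent", "immediately", "confidential",
                    "wire", "gift card", "keep this between us")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True for domains such as examp1e.com (one edit away) or example.co (same label, other TLD)."""
    if not domain or domain == target:
        return False
    same_label = domain.split(".")[0] == target.split(".")[0]
    return same_label or edit_distance(domain, target) <= 1


def bec_indicators(raw: bytes) -> list:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Replies are silently redirected to a mailbox the attacker controls.
    if reply_domain and reply_domain != from_domain:
        hits.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 2. A known executive's display name on an address that is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        hits.append(f"display name '{from_name}' impersonates {real_addr} from {from_addr}")

    # 3. Typo-squatted or wrong-TLD copy of the company domain.
    if is_lookalike(from_domain):
        hits.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")

    # 4. Secrecy / urgency / authority language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    found = [p for p in PRESSURE_PHRASES if p in text]
    if found:
        hits.append("pressure language: " + ", ".join(found))
    return hits


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Route to manual review when at least `threshold` indicators fire."""
    return len(bec_indicators(raw)) >= threshold


# Constructed sample: lookalike domain, redirected replies, CEO impersonation, pressure wording.
BEC_SAMPLE = b"""\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need a wire sent immediately. This is confidential,
keep this between us until the deal closes.
"""

# Constructed sample: the same executive writing normally from the real domain.
BENIGN_SAMPLE = b"""\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset=utf-8

Attached is the draft for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(sample), bec_indicators(sample))
```

Each indicator on its own produces false positives (a legitimate Reply-To to a ticketing system, an executive mailing from a personal account), which is why the script only flags a message when two or more fire and leaves the final call to a person.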

Consequences of data breaches

Organizations face a variety of consequences after a data breach, from negative brand perception from news headlines to the financial impact of paying staff (or third-party vendors) to remediate the situation.

Lost customer trust

Privacy and security matter to the modern-day consumer, and businesses that breach this trust suffer the consequences. Research has found that nearly half of consumers say they lost trust in a brand that experienced a data breach. Not only does a cyber incident impact the acquisition of customers, but it can lead to increased current customer churn as well.

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Regulatory fines

After a data breach, if your business is found to be out of compliance with regulations like GDPR, CCPA, HIPAA or PCI DSS, you could pay a hefty fine. The largest data protection fine on record was levied on a Chinese technology company, which paid $1.19 billion for violating the country's network security and data protection laws, followed by Amazon, which was fined $877 million (€746 million) for GDPR violations.

Ransoms

Ransomware is involved in 24% of breaches, and even if your business pays a ransom to cybercriminals, you might not get working decryption keys, and the criminals may still leak or sell the data they exfiltrated. For example, Caesars Entertainment in Las Vegas reportedly paid about $15 million to an organized crime group in an effort to return to business as usual after a 2023 attack.

Downtime

In the event of a data breach, your systems might be offline for days or even weeks. The average cost of a single minute of downtime is $5,600, and this price increases with your organization's size. Not only does downtime cost money, but it also produces losses in productivity and efficiency for your employees.

How to reduce human error

The good news is that there are proven steps to help organizations reduce human error.


Employee security awareness training

One of the best ways to protect your organization is to thoroughly educate employees on the cyber threats they might encounter. Not only does cybersecurity awareness training help prevent innocent errors, but it also helps staff members become more proactive. Properly trained team members can play a critical role in your organization's defense.

However, it’s important that employee security awareness training educates team members in a way that is relevant to their role. For example, the financial department might need to be trained against different cyber threats than the marketing department.

Multi-factor authentication

Multi-factor authentication adds a second, independent proof of identity to the login process, such as a one-time code from an authenticator app or a hardware security key. If someone's password is phished or stolen, the attacker still cannot log in without that second factor. MFA is not a silver bullet, though: one-time codes can be phished in real time by a proxy site, and push notifications can be approved by a worn-down user after repeated prompts, so prefer phishing-resistant methods such as FIDO2 security keys for privileged accounts and teach staff to treat an unexpected MFA prompt as a sign that their password is already compromised.
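To make the "password alone is not enough" point concrete, here is an added example of a login check that requires both a password and a time-based one-time code. It is not code from the article or from any vendor: HOTP follows RFC 4226 and TOTP follows RFC 6238, the seed and expected codes are RFC 6238's published SHA-1 test vectors, and the in-memory User record, PBKDF2 parameters and the replay guard are this example's own assumptions.

```python
"""Password + TOTP second factor (added example, not from the article).

HOTP follows RFC 4226 and TOTP follows RFC 6238; the secret below is the
RFC 6238 Appendix B test seed. User records live in memory here; a real
system would keep them in a database.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed (SHA-1)
STEP_SECONDS = 30
PBKDF2_ROUNDS = 100_000                    # assumed work factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, int(now) // STEP_SECONDS, digits)


class User:
    """Salted PBKDF2 password hash plus an enrolled TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest time step already accepted (replay guard)


def authenticate(user: User, password: str, code: Optional[str], now: float, window: int = 1) -> bool:
    """Both factors must pass; a correct password without a code never grants access."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user.pw_hash):
        return False
    if not code:
        return False
    counter = int(now) // STEP_SECONDS
    # Accept +/- `window` steps for clock skew, but never a step already used:
    # a code captured by a phishing page and replayed a minute later is rejected.
    for step in range(counter - window, counter + window + 1):
        expected = hotp(user.totp_secret, step).encode()
        if step > user.last_counter and hmac.compare_digest(expected, code.encode()):
            user.last_counter = step
            return True
    return False


if __name__ == "__main__":
    user = User("correct horse battery staple", RFC6238_SECRET)
    print(authenticate(user, "correct horse battery staple", None, 59))                       # False
    print(authenticate(user, "correct horse battery staple", totp(RFC6238_SECRET, 59), 59))  # True
```

Note what the replay guard does and does not buy you: a code stolen and used later is refused, but an adversary-in-the-middle proxy that relays the victim's code to the real site within the same 30-second step still succeeds. That gap is exactly why FIDO2/WebAuthn, which binds the response to the site's origin, is the recommended factor for high-value accounts.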

Build a culture of security

Building a security culture that invites employees into the cybersecurity process is critical. While innovative technology can support automated threat monitoring, the best way to prevent human error is to empower those humans who are inadvertently a part of so many data breaches.

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Want more tips for empowering your employees and keeping your organization secure? Speak to someone at Infosec about industry- and role-based cybersecurity awareness training.

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.