It’s 9 am on a busy Monday morning and you turn on your computer, ready to plough through the mountain of emails in your inbox, the first of which appears to be an email from Microsoft warning you that your passwords are supposedly about to expire. “CLICK HERE to verify your account,” the email says. Without a second thought, you click the link which then asks you to input your login credentials to verify your account. And you do, because – why wouldn’t you? Your entire department relies on Microsoft 365 for daily activities from Outlook calendar meetings to email, even tasks, and SharePoint. Naturally, you don’t want to lose access. Moments later, phone calls from members of your company’s IT team ensue with a barrage of questions. Why? Because without knowing it, you unintentionally gave hackers a foothold into your company’s network, and depending on your role and level of access to other documents this could have major implications.
Believe it or not, phishing attacks like the one described above are common: so common that phishing ranks among the most frequent, and the second-costliest, types of breach caused by human error. If you ask most security experts, they’ll tell you that their efforts are often thwarted by human error. That’s right, humans continue to be the chink in the armour of cybersecurity around the world. In 2021, scores of major companies fell victim to data breaches caused by human error, with each breach costing millions. An IBM study on the impact and causes of data breaches places human error at the top of the list, with as many as 95% of breaches being caused by human error.
According to statistics published by Statista Research Department, Chief Information Security Officers (CISOs) around the world overwhelmingly agree that human error is their organization's biggest cyber vulnerability as of 2021, with the global average standing at around 58%.
In the realm of information security, human error failures generally fall into two categories: skill-based errors and decision-based errors. For example, system misconfigurations, poor patch management, and poor access management protocols would fall under skill-based errors, while poor password management, clicking unsafe URLs and attachments, lost devices or email misdelivery would fall under decision-based errors.
In its 2021 report on the cost of data breaches, IBM found that the most common initial attack vectors targeted human employees. Compromised credentials accounted for 20% of breaches, phishing made up 17%, while cloud misconfiguration accounted for 15% of breaches, valued at a combined total cost of $12.83 million USD. However, while only accounting for 4% of breaches, business email compromise cost companies the most money, with an average cost of $5.01 million USD. Overall, the report estimated that the average cost of a ransomware breach hovered at $4.26 million USD. In low-compliance environments, the cost of a human error data breach was estimated to be $2.3 million USD higher than in environments where good cyber hygiene practices were observed. In cases where employees worked remotely, the dollar figure associated with data breaches jumped to $5.54 million USD.
Not only do breaches cost companies financially, but operational downtime brought on by a major leak of sensitive data can shake customer confidence, open your organization up to legal action, and damage your reputation. According to research from international audit firm PricewaterhouseCoopers, 85% of customers say they will not do business with a company if they are worried about its data practices. This is a clear reminder that organizations can be impacted by customer perceptions and shows that data breaches can have long-term impacts.
The question is, how do you ‘patch’ human behaviour? There are several strategies that your organization can choose to employ. But let’s start at the beginning. To properly gauge the true cost of human error, we must first define what it is. Human error is an unintentional action that results in a failure to complete a task successfully.
So, how can your organization mitigate one? The steps will vary depending on your organizational needs, but general steps should include introducing automated safeguards, education and awareness campaigns, and strong internal controls like audits or system monitoring for your entire organization.
If that sounds overwhelming, here are a few ways you can help create a stronger security mindset and prevent costly human errors from impacting your organization.
Strong identity and access management protocols can play a key role in preventing breaches by applying the principle of ‘least privilege’. Doing so gives your employees enough access to meet the needs of their roles, but no more than necessary. This prevents workers from accidentally deleting or corrupting files they should never have had access to in the first place; in essence, it is a zero-trust approach. Using multi-factor authentication to strengthen password management is another way to ensure that access is granted on a need-to-know basis.
Insist on Stringent Cyber-hygiene
Are your company’s work devices equipped with the right software and security updates? They should be. All employees – including remote workers – need to have updated software on their devices and ensure that all available security features are enabled. Ransomware hackers are notorious for exploiting unpatched software to gain access to a company’s sensitive information. Patch, patch, patch!
Encourage Good Data Backup Behavior
In the age of remote work, managing and storing data has become more challenging but even more important. Companies should seek out an MSP to back up their data regularly. If your data is being stored locally, insist that it also be backed up to the cloud. If it’s in one place – it doesn’t exist.
Your employees do not have to be your weakest link. By implementing some of these controls you can avert disaster and avoid the true, albeit unintentional, cost of human error. You also don’t have to do it alone. Partnering with a managed services provider means you can focus on what really matters in your day-to-day business.