The weakest link in organizational security is the human factor, not technology. Every employee needs to be aware of his or her role when it comes to security. A security culture is required for humans, not for computers: computers do exactly what we tell them to do. The challenge is with the humans who click on things they receive in email and believe what anyone tells them. Humans need a framework to understand what the right thing is for security. They want to do the right thing…they just need to be taught. There is not a single person alive who never makes mistakes. In fact, making mistakes is a core part of the human experience; it is how we grow and learn. Yet, in cyber security, human mistakes are far too often overlooked. According to a study by IBM, human error is the main cause of 95% of cyber security breaches. In other words, if human error were eliminated entirely, 19 out of 20 cyber breaches might not have occurred at all.
In a security context, human error means unintentional actions, or lack of action, by employees and users that cause, spread or allow a security breach to take place. This encompasses a vast range of actions, from downloading a malware-infected attachment to failing to use a strong password. With our ever more advanced and complicated environments, we use an increasing number of tools and services, which makes the task of securing things even more challenging.
Research has shown that businesses face a very real danger of threats from within. They are aware of how easily employee or human error can impact a company's security, with careless or uninformed staff being the second most likely cause of a serious security breach, and they are searching for a way to mitigate the risk. Staff can become attack vectors in many forms: they can be careless, uninformed, or their actions may be malicious. Threats such as phishing and social engineering also put businesses more at risk from staff who do not know how to tell the difference between legitimate and malicious activity.
- What are the factors that cause these errors?
- Opportunity – The more opportunities there are for something to go wrong, the higher the chance that a mistake will be made.
- Environment – The physical environment greatly contributes to the errors that a person makes. Factors like noise and lack of privacy all contribute to a mistake-prone environment.
- Lack of awareness – Proper training must be provided by the organization, making employees aware of the ill effects of clicking on an unknown link and of phishing attacks, and also of the caution they need to take while using public Wi-Fi to safeguard their credentials.
- Types of Human Errors:
Though the errors that a human can make are infinite, we can broadly classify them as SKILL BASED and DECISION BASED.
- SKILL BASED ERRORS – These consist of small lapses that occur when performing familiar tasks and activities. The end user knows the correct course of action but fails to follow it due to a temporary lapse or negligence caused by being tired or distracted.
- DECISION BASED ERRORS – These occur when a user makes a faulty decision, like clicking on a link or finding a fake email trustworthy and falling into its trap.
Thus, effective training and a conducive environment can help reduce human errors. The mitigation of human error has to come from two angles: reducing opportunity and educating users. The fewer opportunities there are for error, the less your users' knowledge will be tested, and the more knowledge users have, the less likely they are to make a mistake.
How can you prevent human error in your business?
- Reduce the opportunities
Systematically changing work practices, routines and technologies reduces the opportunity for error and so helps to mitigate human error.
- Privilege control
Ensure that users only have access to the data and functionality that they need to perform their roles.
Educate users to use strong passwords to gain access to the organizational network, and allow access only to registered users.
- Use a strong security plan
Involve the staff in creating a holistic security program and make users aware of what they should and should not do according to the security plan, which should also comply with the standard regulations.
- Encrypt your data and create backups
Use end-to-end encryption to prevent any data breach or loss.
- Conduct regular employee training
Staff who are made aware through training are less likely to fall victim, which reduces phishing, ransomware and malware attacks.
- Keep systems and software updated
- Assess and monitor vendors
Vendors are an easy mode of entry into the organizational setup. Hence, third-party vendors too must be monitored and tracked to avoid a data breach through that route.
So, can you suggest something that helps to reduce threats due to employee negligence?
- Yes, surely! We have inDefend, a product of Data Resolve Technology, India's leading threat management company, which has come up with a business suite that helps you secure your data and also monitor your employees irrespective of the size of the organization, and regardless of whether they are in the office or working remotely.
- They also offer third party/ vendor control.
- All sensitive data is identified and a shield is created around it. Only a limited set of employees is given permission to access that data, and even for them a log is maintained that records all outbound data.
- Access to the server is restricted. A shadow log of all activity is maintained.
- Real-time alerts are sent out in case of any probability of data loss.
- Only registered devices are allowed access, so only authenticated devices gain access to the organizational network. This helps to tackle BYOD as well.
- Data is encrypted from end to end so data at rest or in transit is secured.
- There is enforced encryption of data that is copied to any USB device.
- Access to the internet is restricted, and only those employees who need it for their work, according to their role in the organization, are allowed access. This leads to reduced phishing, ransomware and malware attacks.
- Application sandboxing is applied that blocks access to social media, shopping and entertainment sites.
- Employees are monitored closely. A record of all their activity is maintained, with the facility of screenshots. All inbound and outbound data is logged. This helps to hold them accountable in case of need.
So take the right step forward in time…despite the evident challenges, businesses are trying to solve the issue of the risk from within. Invest in a good data loss prevention programme. Training personnel and bringing more dedicated staff on board will help to enforce security policies, and this is a legal answer to the problem of employee carelessness. Staff training is most essential in raising awareness among personnel, motivating them to pay attention to cyber threats and countermeasures, and acquainting them with the security program…All the best!
The Author is Dhruv Khanna, CEO, Data Resolve Technologies Pvt. Ltd