End-users have been shown to be a significant source of vulnerabilities. All types and levels of users (top-level executives, business partners and any person with access credentials to an organization’s network) are susceptible to costly errors that may result in a data breach or financial crime. Furthermore, these errors create significant and persistent risks to the privacy and security of both the individual and the enterprise.
The 2017 Cost of Data Breach Study reinforces that human error is a major cause of security breaches. The study indicates that the three main causes of a data breach are malicious or criminal attack, system glitch and human error. With respect to human error, 25 percent of breaches, on average, were due to negligent employees or contractors, according to the report. This weak link in an organization’s security profile can result in significant losses. The study further states that breaches caused by human error or negligence averaged approximately $126 per compromised record. These errors can also demand significant investment and time to identify and contain the breach (168 and 54 days, respectively). For a medium-sized business, 5000 compromised records translate to more than 0.6 million dollars and close to a year to identify and contain the loss of sensitive data.
The cybersecurity landscape also offers numerous global examples of security breaches caused by human error. These breaches, as indicated in Table 1, include:
- the well-publicized phishing scams at Sony, eBay and Snapchat;
- the loss of sensitive data of the UK’s Her Majesty’s (HM) Revenue and Customs via the post; and
- the stolen credentials used to breach the JP Morgan Chase’s network.
The source of the human error may be traced to seemingly innocuous behavior such as clicking on a link in an email from a trusted source. Other examples of human error that may result in security breaches include:
- connecting unknown devices or infected personal devices onto the organization’s network;
- sharing passwords or leaving them in an easily accessible area;
- sending sensitive data outside the organization, through emails or mobile devices;
- negligence or error in performing security updates or patches;
- employing unsafe practices to use or share personal data of employees or customers, such as sending data via the post;
- utilizing loose security controls in protecting a company’s devices off-site, which can result in these devices being lost or stolen.
Table 1: Instances of security breaches as a result of human error
| Targeted network | Method of attack | Impact |
|---|---|---|
| Snapchat (February 2016) | Phishing attack in which a criminal posing as the CEO sent an email to the payroll department | Compromised personal data of employees |
| HM Revenue & Customs (2007) | Lost or stolen device (password-protected digital disks mailed but never arrived) | Compromised personal data of 25 million individuals, including dates of birth, addresses, bank accounts and national insurance numbers |
| eBay (2014) | Phishing attack to steal credentials of employees | Resulted in exfiltration of personal data (names, passwords, emails, physical addresses, etc.) of 145 million customers |
| Sony (2014) | Phishing attack on top executives | Resulted in approximately 100 TB of data theft |
| JP Morgan (2014) | Stolen log-in credential and employee negligence/error in forgetting to implement two-step verification on one of the network servers | Compromised sensitive financial information of 76 million households and 7 million small businesses |
Given the costly impact of human error, it is imperative that organizations take a proactive stance to reduce the likelihood of this risk. Different methods may be employed to minimize the risks associated with users and human error in managing organizational security. These methods should not be a one-time effort and may be used in concert with one another to achieve optimal results:
- Security awareness and training. One of the most common methods, it provides security training for new users, refresher programs, and awareness of new security trends and developments;
- Application of full cycle simulation of risk events including phishing;
- Use of encrypted devices and portables;
- Adoption of data loss prevention technologies;
- Implementation of viable identity management and access rights and privileges.
Wilson Consulting Group (WCG) provides a suite of services that can help to empower your staff and identify areas of vulnerability. WCG’s experienced team offers both comprehensive cybersecurity training and specialized professional development to equip your staff with the very best cybersecurity skill set. Our training and development programs are designed to empower your employees with the skills necessary to identify and prevent cyber threats and to reduce human error and negligence. WCG will also support you in developing your comprehensive enterprise security strategy and assist in strengthening your risk management posture.
Reference: Ponemon Institute, 2017 Cost of Data Breach Study.