Your Security is only as Strong as its Weakest Link – Unfortunately that’s Probably Your Employees
In our previous blog, we looked at the role human error played in email phishing scams and how teaching employees to identify the common signs of these emails is a simple way to reduce security breaches. This time we will be looking at human error and security in a wider context: what are the causes of security breaches, what part does human error play, and how can organisations proactively address these threats?
What are the causes of security breaches?
The 2015 PWC Information Security Breaches Report surveyed over 600 large and small businesses on a number of aspects of their data security, including what type of breaches they had suffered over the last 12 months. ‘Viruses or malicious software’ was the leading cause of incidents in both large and small businesses, with 84% and 63%, respectively, being recorded as such. ‘Incidents caused by staff’ was second (81% and 27%), with the other leading causes being ‘theft or fraud’ (55% and 6%) and ‘attacks by unauthorised outsider’ (70% and 35%), which includes phishing attacks, identity theft and denial of service attacks.
What part does human error play?
A similar report carried out by global law firm BakerHostetler concurred with the PWC report in that infection by malicious software was the leading cause of security breaches. Digging deeper into what allowed these infections to happen, we find that human error often played a part. Phishing emails are the go-to method for attackers because they are a low-cost, highly effective way to bypass a company’s security. However, phishing emails are not the only initial vector that can be traced back to human error; lack of effective patching, failure to follow correct processes and lack of security resources are all identified as causes of these types of security incidents.
Within the ‘theft’ category many incidents can also be traced to human error, such as devices being left in unlocked cars, on public transport or in other unsecure locations. Other areas of human error which the two reports highlighted were: employees accessing files or folders not related to their jobs, sending of sensitive information to the wrong party or ineffective disposal of sensitive information.
Finally, be aware that the error may not be on the part of the person directly ‘responsible’ for the attack, for example access not being removed on an employee’s termination or reassignment.
Considering the role human error plays in all the categories mentioned above, it is a far more prevalent factor than first thought.
How can organisations proactively address these threats?
Organisations need to ensure consideration is paid to the human component of any security strategy, or risk negating the defence technologies they invest in. So what can they do? There are a number of technical, administrative and procedural safeguards that they can implement:
- Many of the standard errors that occur, such as not properly wiping devices or not effectively disposing of sensitive documentation, can easily be addressed by implementing a structured training program. Training should be carried out during an employee’s induction and at least once a year thereafter. These programs should be continually updated and reviewed to take into account new threats and internal changes that may have occurred.
- Increased development of mobile devices has naturally led to more information being stored on them and thus the consequences of a potential theft are increased. Also, most data breach notification laws provide a ‘safe harbour’ against compulsory notification if encryption protection has been put in place. Therefore, organisations should take steps to encrypt any device that may contain sensitive information.
- Many industry regulatory bodies have begun to speak about the need for data encryption. For example, HMRC has encouraged accountants to set up secure data transfer channels between the accountant and their clients.
- Organisations can reduce the likelihood of human error by implementing a file and folder permission hierarchy. Give users only the minimum access to the data needed to perform their job, and should they need access to anything beyond this, restrict the time they are allowed to access the data. This is a tried and tested method, but companies fail to remain diligent as new employees start and roles change over time.
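The last point, and the earlier one about access not being removed on termination or reassignment, both come down to the same check: does the access people actually hold still match the minimum their role needs? The script below is an added example written for this post, not code from the original article or from any of the reports it cites. It assumes a constructed role baseline, a constructed employee list, a set of time-limited grants and a snapshot of who currently has access to each folder (all hypothetical names and paths), and reports three kinds of drift: leavers who still hold access, temporary grants that have lapsed but were never revoked, and access that no role or grant explains.

```python
from datetime import datetime, timedelta

# Constructed sample data: the minimum folders each role needs (hypothetical paths).
ROLE_ACCESS = {
    "accounts": {"/shares/finance", "/shares/invoices"},
    "support": {"/shares/tickets"},
    "hr": {"/shares/personnel"},
}

# Constructed employee directory: role held and whether the person is still employed.
EMPLOYEES = {
    "alice": {"role": "accounts", "active": True},
    "bob": {"role": "support", "active": True},
    "carol": {"role": "hr", "active": False},    # has left; all access should be gone
    "dave": {"role": "support", "active": True},
}

# Constructed time-limited grants beyond the role baseline: (user, folder, expiry).
TEMP_GRANTS = [
    ("bob", "/shares/finance", datetime(2024, 3, 1)),      # lapsed before the review
    ("dave", "/shares/personnel", datetime(2024, 6, 30)),  # still valid at the review
]

# Constructed snapshot of current access, as an ACL export would list it.
CURRENT_ACL = {
    "/shares/finance": {"alice", "bob"},
    "/shares/invoices": {"alice", "dave"},
    "/shares/tickets": {"bob", "dave", "carol"},
    "/shares/personnel": {"carol", "dave"},
}

# Date the review is run against (constructed).
REVIEW_TIME = datetime(2024, 6, 1)


def review_access(acl, employees, role_access, temp_grants, now):
    """Compare an ACL snapshot against role baselines and temporary grants.

    Returns a sorted list of (finding, user, folder) tuples:
      'terminated'    - a leaver (or unknown account) still holds access
      'expired-grant' - a temporary grant has lapsed but the access remains
      'excess'        - an active user holds access their role does not need
                        and no temporary grant covers
    """
    grants = {(u, f): exp for u, f, exp in temp_grants}
    findings = []
    for folder, users in acl.items():
        for user in sorted(users):
            record = employees.get(user)
            if record is None or not record["active"]:
                findings.append(("terminated", user, folder))
                continue
            if folder in role_access.get(record["role"], set()):
                continue  # within the role's minimum access, nothing to report
            expiry = grants.get((user, folder))
            if expiry is None:
                findings.append(("excess", user, folder))
            elif expiry < now:
                findings.append(("expired-grant", user, folder))
            # a grant that is still in date is legitimate and is left alone
    return sorted(findings)


def grants_expiring_within(temp_grants, now, days):
    """Grants that lapse within `days`, so they can be reviewed before they expire."""
    horizon = now + timedelta(days=days)
    return sorted((u, f, exp) for u, f, exp in temp_grants if now <= exp <= horizon)


if __name__ == "__main__":
    for finding in review_access(CURRENT_ACL, EMPLOYEES, ROLE_ACCESS, TEMP_GRANTS, REVIEW_TIME):
        print(*finding)
    for user, folder, expiry in grants_expiring_within(TEMP_GRANTS, REVIEW_TIME, 30):
        print("expiring soon:", user, folder, expiry.date())
```

Running the review regularly (for example as part of the same annual cycle as training, and whenever a leaver or role change is processed) is what keeps the permission hierarchy from decaying in the way the post describes; the role baseline is the statement of minimum access, and everything the script flags is access that has drifted away from it.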