It seems staggering, considering the ubiquity of technology, that human error is the biggest cause of cyber breaches. Ignorance of cyber threats is increasingly assumed to be confined to the parts of society least likely to be aware of them: specifically the over 70s and children, either because they didn't grow up with technology or because their interaction with it usually happens in a controlled environment.
In the interests of fairness, the proportion of breaches attributed to human error varies depending on which report you read: some put it as low as 25%, others as high as 52%.
In the US it is believed to be the biggest single cause of security breaches, which is not entirely surprising given that 38% of attacks are aimed at the US (compared with 17% for second-placed India).
Be it 25%, 52% or somewhere in between, the fact remains that users are putting their own data and that of their employers at risk through lax security practices or a basic lack of knowledge in the first place.
Even though the UK doesn't come close to the top 10 most targeted countries for cyber-attacks, that does not make it immune.
If anything, it has bred a false sense of security, with UK organisations consistently underspending despite a steady increase in attacks.
Lack of training is usually the root cause of these human errors, so why do only 42% of businesses (according to Osterman Research) provide adequate cyber security training for their staff?
Phishing has been around for decades and, despite every attempt, email providers still let the odd message slip through the net.
Admittedly the emails (and now instant messages) have grown more sophisticated. Phishing has evolved from badly written plain-text emails asking users to click obviously shady links into messages that mirror the wording, branding and formatting of the company being impersonated, all in order to capture users' login credentials.
There are usually still tell-tale signs: a sender address on a lookalike domain, a reply address that differs from the sender, or a link whose visible text does not match where it actually points. But to the uninformed or unwary it is easy for a wayward click to occur. In short, the criminals are getting smarter and users aren't.
Social engineering is involved in 93% of breaches by one count, and 96% of those arrive by email. Even if only around 4% of recipients click on a malicious attachment or link, an attacker who mails an entire organisation needs just one of them to. That is a serious education issue, especially in the workplace.
Mistakes are significantly more common in organisations that only warn employees about phishing when they join, rather than making it an ongoing topic of awareness.
Moreover many, if not most, of us receive dozens of emails a day from suppliers, clients or companies who want to become one.
That means a host of emails, all of which look different and none of which look necessarily suspicious. If an attacker identifies who your business deals with, they have a strong line of attack, because they can tailor phishing emails to impersonate those very suppliers and clients.
Without regular refresher training in online safety, it is all too easy for an employee to open an email they shouldn't or click on a malicious attachment.
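As an added example (not code from the original post), the following Python script checks a raw email for three of the tell-tale signs a trained user is taught to look for: a display name that borrows a brand while the sending domain is not that brand's, a Reply-To header that diverts replies elsewhere, and a link whose visible text names a different domain from its href. The brand allow-list, the `.example` domains and both sample messages are constructed for the illustration.

```python
"""Flag tell-tale signs of a brand-impersonation phishing email.

Added illustration, not code from the original post. The brand allow-list
and the two sample messages below are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: brands worth impersonating and the domains they
# legitimately send from. In practice this would come from your supplier list.
KNOWN_BRANDS = {
    "acme bank": {"acmebank.example"},
    "northwind supplies": {"northwind.example"},
}

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels (mail.acmebank.example -> acmebank.example).
    Crude but adequate here; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mail_domain(address: str) -> str:
    """Registrable domain of an e-mail address, or '' if it has none."""
    return registrable_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return one human-readable finding per tell-tale sign in a single-part message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = mail_domain(from_addr)
    findings = []

    # 1. Display name borrows a known brand, but the mail did not come from that brand's domain.
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_dom not in legit_domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")

    # 2. Replies are silently diverted to a domain other than the sender's.
    reply_dom = mail_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. A link's visible text names one domain while its href points to another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in ANCHOR_RE.findall(body):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        for shown in DOMAIN_RE.findall(re.sub(r"<[^>]+>", "", text)):
            if registrable_domain(shown) != href_dom:
                findings.append(f"link text shows {shown} but points to {href_dom}")
    return findings


# Constructed samples: a lookalike-domain phish and a genuine statement notification.
PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank-secure.example>
Reply-To: support@mailbox-relay.example
To: finance@victim.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="https://acme-bank-secure.example/login">acmebank.example/login</a> within 24 hours.</p>
"""

LEGIT = """\
From: "Acme Bank" <statements@mail.acmebank.example>
To: finance@victim.example
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is ready at <a href="https://www.acmebank.example/statements">www.acmebank.example</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Running it reports three findings for the constructed phish and none for the genuine statement. The same three checks are what a practitioner would wire into a mail-gateway rule or a user-reporting triage script; the point for awareness training is that none of them needs technical skill to spot by eye once you know to look.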
Poor User Practices
Although this may seem an exceedingly broad church, day-to-day bad practice can leave individual computers vulnerable to attack and thereby expose the wider network.
Updates are an inconvenience because they usually require you to close your browser or, even worse, restart your computer, costing you valuable minutes of your day.
However, closing your browser and letting your PC install operating system and antivirus updates is what stops known, already patched vulnerabilities from being used against you. Yes, closing your twenty tabs is an irritation and you don't want to bookmark pages you're only using for a couple of days. But it is considerably less effort than learning you were the cause of a data breach that shuttered the company.
Similarly, a high proportion of users reuse passwords across multiple accounts, meaning that if one site is breached an attacker can try the same credentials everywhere else (known as credential stuffing). Other bad habits include choosing short, guessable passwords. The old rule of changing passwords every two or three months has largely been superseded: current guidance such as NIST SP 800-63B favours long, unique passwords kept in a password manager and backed by multi-factor authentication, with a forced change reserved for when a password may have been exposed.
It's important to note, however, that the average user isn't the only one responsible for data breaches. Poorly managed high-privilege accounts, such as admins, can leave the whole network vulnerable. Research suggests that only 38% of admins change their passwords as often as once a quarter; the other 62% change them less frequently than that.
IT managers, heads of IT and their equivalents are prime targets precisely because of the access they hold, so when they fail to follow their own advice they put the entire organisation at risk.
This is the metaphorical equivalent of giving the keys to the kingdom to someone prone to falling asleep on duty.
A laptop and a company smartphone are common perks at organisations around the world.
They let employees stay in contact and productive wherever they are, which is especially useful if a dependant is unwell or they are away from the office for a few days on a business trip.
Most of the time this is fine: the user is an authorised member of the team who knows how to handle the device responsibly in order to safeguard the network and protect the brand.
However, 55% of employees admit to allowing friends and family to use their company devices for personal purposes.
This may seem perfectly harmless, but that device is a gateway to your organisation's IT infrastructure. It typically holds cached credentials and signed-in email or VPN sessions, and through them can reach company records, some of which may be sensitive or confidential in nature.
Those documents could include bank details or other business-critical information that could, in the wrong hands, wreak havoc.
Those aren't the only risks. Given how susceptible the average user is to phishing scams and the like, there is every chance a family member could unwittingly open a malicious attachment or download malware.
The best case is that you notice and only that device is affected. The worst case is that you take the device back to work, connect it to the network, and the infection spreads from there.
Because malicious software is designed to spread and act quickly, it really doesn't take long to bring an organisation to its knees.
Ransomware can not only stop a company from operating but can cost it a fortune, whether it pays the ransom or rebuilds its entire IT infrastructure from scratch. Neither option is terribly appealing.
Although it may seem extreme or heavy-handed for organisations to limit who can and cannot use their technology, the current environment makes it essential.
Cyber-attacks are on the rise and businesses big and small are scrambling to protect themselves.
By restricting company devices to employees only, they close off a potential weakness in their defences.
Whether human error accounts for a quarter, a half or all cyber-attacks, the result is the same. Moreover, attacks are on the rise, so either way more and more businesses are going to be hurt by poor internal processes and practices.
This only changes with attitude, budget and prompt implementation. Otherwise entirely avoidable breaches will continue to get worse and continue to cost the global economy billions.
KDC Resource are experts in technical and engineering recruitment, with a dedicated team in the Cyber Security space. If you’re looking for your next role, register your CV here.
Alternatively, if you are looking for top cyber talent, then get in touch and we’ll arrange a time to discuss your requirements.