Last year, Verizon's data breach report showed that “human error” was the only factor with year-over-year increases in reported incidents. The average cost of data breaches from human error stands at $3.33 million, according to IBM’s Cost of a Data Breach Report 2020. Even big companies and government entities have fallen victim to data breaches caused by human error.
Then COVID-19 came along and forced much of the world to work remotely, making the human error problem a greater threat than ever.
Some of the biggest problems with human error include negligence, lack of awareness and poor access control. To fix the human error problem, companies must focus on these details with the understanding that people can be your organization’s strongest asset in strengthening cybersecurity when equipped with the right tools and knowledge.
Negligence
According to a report, employee negligence is the biggest cybersecurity threat to U.S. companies. People make mistakes. That’s inevitable. And some of these mistakes can be very costly.
Organizations must focus on preventing such lapses and slips from taking place. That’s why cybersecurity experts are rethinking their approach to trust. Trust is good; without trust, it would be impossible to achieve meaningful collaboration. In cybersecurity, however, trust takes on a new dimension.
The Zero Trust model interprets “trust” as a vulnerability. With cybersecurity, there is no invincibility. That’s why even organizations with the best cybersecurity systems must continue to watch their backs. With Zero Trust, every login is verified and every activity monitored (without prying) as cybersecurity adapts to the new dynamism of the digital workplace.
Mind you, Zero Trust is a principle (a philosophy, if you wish), and thus there are no designated Zero Trust tools, per se. Even so, certain technologies such as a software-defined perimeter and secure web gateway can help you implement Zero Trust better than others.
A secure web gateway in particular helps an organization to enforce compliance with its cybersecurity policies. It monitors network traffic for malicious activities and thus limits the tendency of any employee to negligently put company data at risk.
Lack of Awareness
Many incidents that arise from negligence occur because people don’t know better. Some human errors are decision-based, arising from “the user not having the necessary level of knowledge, not having enough information about the specific circumstance, or not even realizing that they are making a decision through their inaction.”
Training employees about cybersecurity is much more than reading out a list of do’s and don’ts. Here are some helpful tools to improve training:
- Communicate risks: Helping people to understand the full implications of their actions (and inactions) will make them more mindful of their activities on the network. For instance, knowing the risks of accessing sensitive data through public Wi-Fi will rein in the tendency of any user to engage in this practice.
- Empower employees to make the right decisions: This matters most when an incident occurs. It can be as simple as making sure each employee knows which IT or infosec team member to report an incident or a threat to. Employees should never feel helpless or confused in such situations, as that can lead to complications.
- Conduct recurrent training: Cyberattacks are dynamic. As a result, employee cybersecurity awareness training should not be a one-off event. Instead, it should be continual, aiming to update employees with the most recent developments in the cybersecurity industry including new threats and improved protection measures.
However, while training is important, you must understand that the most crucial factor in cybersecurity awareness at the workplace is the culture. As such, aim to build a culture that allows employees to intuitively think security-first.
Access Control
Poor access control opens up the company to greater risks. Fixing the human error problem is not just about prevention. As companies recognize the inevitability of cyber attacks, mitigation becomes the higher priority. And that’s where access control comes in, mainly through the principle of least privilege.
The principle of least privilege is perhaps the most useful model for proper access control today. It used to only be associated with the military, but it has now entered mainstream cybersecurity. The idea behind the principle is that “any user, program or process should have only the bare minimum privileges necessary to perform its function.”
Granting a user more access than they require for any legitimate activity carries the risk of expanding the potential attack/breach surface. By contrast, the principle of least privilege dictates granting access on a need-to-know basis, thereby reducing the scope of any potential attack.
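To make the principle concrete, here is an added example that is not code from this article, its author, or Tripwire: it audits a constructed snapshot of role-based access against the minimum permission set each role needs and reports the excess grants, which are exactly the widened attack surface the paragraph describes. All role, permission and user names are hypothetical sample data.

```python
"""Least-privilege audit over a constructed RBAC snapshot.

Added example, not the article's or Tripwire's own code. Every role,
permission string and user below is constructed sample data.
"""

from dataclasses import dataclass, field

# Minimum permission set each job function needs (constructed sample).
# This is the "bare minimum privileges necessary to perform its function".
ROLE_REQUIREMENTS = {
    "sales": {"crm:read", "crm:write"},
    "support": {"crm:read", "tickets:read", "tickets:write"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Direct grants currently held by each user (constructed sample).
# "bob" has been given db:admin he does not need; "carol" is missing
# a permission her role requires, which tends to drive insecure workarounds.
USER_GRANTS = {
    "alice": {"role": "sales", "granted": {"crm:read", "crm:write"}},
    "bob": {"role": "support",
            "granted": {"crm:read", "tickets:read", "tickets:write", "db:admin"}},
    "carol": {"role": "dba", "granted": {"db:read", "db:write"}},
}


@dataclass
class Finding:
    user: str
    role: str
    excess: set = field(default_factory=set)   # held but not required
    missing: set = field(default_factory=set)  # required but not held


def audit(role_requirements, user_grants):
    """Compare each user's grants with their role's minimum and return
    one Finding per user whose grants deviate, sorted by user name.
    A user with an unknown role is treated as requiring nothing, so every
    grant they hold is reported as excess."""
    findings = []
    for user, rec in sorted(user_grants.items()):
        required = role_requirements.get(rec["role"], set())
        granted = set(rec["granted"])
        excess = granted - required
        missing = required - granted
        if excess or missing:
            findings.append(Finding(user, rec["role"], excess, missing))
    return findings


def minimal_grants(role_requirements, user_grants):
    """Return a grant map in which every user holds exactly what their
    role requires: the least-privilege baseline an audit should converge on."""
    return {
        user: {"role": rec["role"],
               "granted": set(role_requirements.get(rec["role"], set()))}
        for user, rec in user_grants.items()
    }


def format_report(findings):
    """Render findings as one remediation line per deviation."""
    lines = []
    for f in findings:
        if f.excess:
            lines.append(f"{f.user} ({f.role}): remove {sorted(f.excess)}")
        if f.missing:
            lines.append(f"{f.user} ({f.role}): missing {sorted(f.missing)}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit(ROLE_REQUIREMENTS, USER_GRANTS)):
        print(line)
```

Running the audit on the sample data flags bob's unneeded `db:admin` grant and carol's missing one; re-running it on the output of `minimal_grants` returns no findings. Reporting missing permissions alongside excess ones matters because a user who cannot do their job with their own account is the one most likely to borrow someone else's, which is a human-error path in its own right.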
Conclusion
People are a vital part of the cybersecurity of any organization. Strengthening your technical defenses alone will give you only the impression of protection without the substance. Organizations need to redefine their approach to integrating employees into their cybersecurity protocols by switching from the idea that people are weak points to the perspective that people are strong assets in the perpetual battle against cyber attackers.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.