A recent paper by Osterman Research reports that less than half (42 per cent) of organisations train their employees on the General Data Protection Regulation (GDPR), even though it came into force many months ago.
It is well known that a lack of training increases the risk of human errors that can lead to data breaches. In this article, I will explain the most common errors users make and the preventive measures organisations can, and should, take to mitigate any potential damage.
Human error #1: Falling for phishing
According to a recent report, phishing and pretexting (presenting oneself as someone else in order to obtain private information) account for 93 per cent of social-engineering related breaches, and email is the most common attack vector (96 per cent).
This mistake is more likely if a company tells its employees about cyber security policies only at the time of hire, instead of making this an ongoing priority. Steering clear of boring training classes is recommended; instead, it is generally more effective to use short, five-minute videos that recreate real-world situations and show how social engineering attacks tend to work.
Of course, some people might still act irresponsibly when faced with an actual phishing email. According to research, 4 per cent of people always click on a suspicious attachment. Therefore, it is advisable to run phishing simulation tests periodically to check whether the training was effective and whether employees are following best-practice information security policies. Finally, organisations should implement anti-spam and email filtering tools to mitigate the risk even further.
Human error #2: Letting unauthorised users access corporate devices
According to a recent report, 55 per cent of working adults allow friends and family members to access their employer-issued devices at home. A friend or family member might access sensitive data like the organisation’s bank accounts or customer data. What’s worse, they might download malware that could give cyber criminals access to corporate data, cloud applications and storage.
Introducing a comprehensive information security plan that all employees must follow and encouraging team leaders to enforce cybersecurity discipline within their teams is vital.
Another important measure is to implement proper security controls on devices and systems. Ensuring that all devices are password protected and, where possible, applying two-factor authentication to all corporate devices and applications are excellent steps to take.
Human error #3: Poor user password practices
According to research, 66 per cent of respondents who do not use a password manager tool admit to reusing 60 per cent of their passwords across online accounts. This is a very risky practice, because once one account is compromised, an attacker has access to a wider variety of assets. Beyond password reuse, other password-related risks include using obvious passwords (e.g., 123abc, 1111), failing to update passwords regularly, storing passwords within reach of the computer or device, and sharing passwords with others. Poor password practices increase the risk of a breach for a company, because an attacker can more easily steal or crack passwords.
Holding training sessions dedicated solely to password practices is definitely worth doing. Also consider using supportive hints that are pushed to user screens when they log in; these tips can repeat key points emphasised in security training (e.g. “Never keep your password in a place that can be accessed or viewed by anyone besides yourself.”).
Human error #4: Poorly managed high privilege accounts
Accounts with high privileges, such as admin accounts, are powerful, but security controls for preventing their misuse are often inadequate. Our own recent research shows that only 38 per cent of organisations update admin passwords once a quarter; the rest do it more rarely. If IT pros fail to update and secure the passwords to privileged accounts, attackers can crack them more easily and gain access to the organisation’s network.
A necessary preventive measure is to apply the principle of least privilege to all accounts and systems wherever possible. Instead of granting administrative rights to multiple accounts, elevate privileges on an as-needed basis for specific applications and tasks, and only for the short period of time when they are needed. It is necessary to establish separate administrative and employee accounts for IT personnel; admin accounts should be used only to manage specific parts of the infrastructure.
Human error #5: Mis-delivery
According to the 2018 Verizon Data Breach Report, mis-delivery is the fourth most frequent action that results in data breaches. In particular, mis-delivery accounts for around 62 per cent of human error data breaches in healthcare.
Consider requiring encryption for all emails that contain sensitive information. In addition, employ pop-up boxes that remind senders to double check the email address when they’re emailing sensitive data. Another tip is to implement a data loss prevention (DLP) solution that monitors events that could lead to information leakage and acts automatically, for example by preventing users from sending sensitive data outside of the corporate network.
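The three mis-delivery controls just described (mandatory encryption, a reminder pop-up, and a DLP block on sensitive data leaving the corporate domain) can be combined into one outbound-mail policy check. The code below is an added illustration, not Netwrix's product or any DLP vendor's engine; the corporate domain, the detection patterns and the sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain (placeholder)

# Constructed detectors for the kinds of data the article calls sensitive
# (bank and customer data). Illustrative patterns, not an exhaustive ruleset.
SENSITIVE_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "keyword": re.compile(r"\b(?:confidential|customer list|salary|password)\b", re.I),
}


@dataclass
class Verdict:
    action: str                          # "allow", "warn" (pop-up reminder) or "block"
    findings: list = field(default_factory=list)
    external_recipients: list = field(default_factory=list)


def classify(body: str) -> list:
    """Return the names of every sensitive-data pattern found in the message body."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body)]


def external(recipients) -> list:
    """Recipients whose address is not in the corporate domain."""
    return [r for r in recipients if not r.lower().endswith("@" + CORPORATE_DOMAIN)]


def check_outbound(sender: str, recipients, body: str, encrypted: bool = False) -> Verdict:
    """Policy: sensitive + external + unencrypted is blocked; any other sensitive
    message gets a reminder to double check the recipient; the rest flows freely."""
    findings = classify(body)
    ext = external(recipients)
    if not findings:
        return Verdict("allow")
    if ext and not encrypted:
        return Verdict("block", findings, ext)   # DLP stops the leak before it leaves
    if ext:
        return Verdict("warn", findings, ext)    # encrypted, but still confirm the address
    return Verdict("warn", findings)             # internal: reminder pop-up only


if __name__ == "__main__":
    # Constructed sample: a bank detail sent, in plain text, to an outside domain
    v = check_outbound("alice@example.com", ["partner@other-bank.co.uk"],
                       "Our account is GB29 NWBK 6016 1331 9268 19.")
    print(v.action, v.findings, v.external_recipients)
```

Real DLP products add content fingerprinting and attachment inspection; the point here is that the recipient-domain test and the encryption requirement are what turn a reminder into a hard stop.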
What if an error happens anyway?
The reality is that even if a company has superior cybersecurity defences, people will inevitably still make mistakes. A sophisticated phishing attack might lead to malware being released in a corporate network, an admin might grant someone excessive permissions, or some users might have their passwords cracked due to poor password practices. In fact, our research found that 29 per cent of organisations had experienced human errors that resulted in data breaches over the last year.
Therefore, every organisation should improve its detection capabilities so it can respond promptly to suspicious or improper events. To be able to proactively detect and respond to such suspicious activity, businesses should employ user behaviour monitoring methods that enable them to track the activity of all users, including privileged ones.
It is abundantly clear that poor cybersecurity awareness of employees has a negative impact on businesses. By taking cybersecurity seriously, organisations can minimise the risk of data breaches and the resulting damage. To achieve this goal, it is important to establish effective training programmes for employees and implement technologies that secure the most sensitive data, no matter where it resides.
Matt Middleton-Leal, General Manager EMEA and APAC, Netwrix