Employees occasionally make mistakes without realizing how dangerous they can be to the organization’s cybersecurity. Human mistakes were the cause of 21% of data breaches in 2018, according to the 2019 Verizon Data Breach Investigations Report.
Employees’ cybersecurity errors can impede company operations or even affect the bottom line. Therefore, it’s better for executives to prevent employees from making cybersecurity mistakes than to remediate their consequences. In this article, we show the latest statistics on employee mistakes and their impact on corporate security, list the top four mistakes employees make, and offer the most reliable practices to prevent them.
How dangerous are human errors for your cybersecurity?
Despite all the modern security solutions and corporate policies, employees still make mistakes that may lead to data breaches:
- Sending valuable data to incorrect recipients via email
- Accidentally emailing documents with sensitive data
- Publishing confidential data on public websites by mistake
- Misconfiguring assets to allow for unwanted access
Sure, the cost of a data breach caused by human error or system failure usually is significantly lower than the cost of a breach caused by a hacker or a malicious insider. However, you shouldn’t underestimate the consequences of employee negligence. The 2019 Cost of a Data Breach Report by the Ponemon Institute, based on interviews with companies who experienced a data breach between July 2018 and April 2019, found that the average cost of inadvertent breaches from human error is $3.5 million.
According to the Ponemon study, negligence of employees or contractors is the root cause for 24% of data breaches. Mostly, these human errors are made by so-called inadvertent insiders who may be compromised by phishing attacks or have their devices infected, lost, or stolen. The average cost of human error in cybersecurity is $133 per record. And it takes organizations about 242 days to identify and resolve an issue related to such inadvertent actions.
Now, let’s highlight four major employee security mistakes.
1. Using weak passwords
A password management policy is a must for every organization. Whether or not a company uses additional security measures such as two-factor authentication to enhance access to sensitive data, it has to establish clear rules about using strong passwords and define procedures for properly handling, storing, and sharing passwords.
Choosing weak passwords can allow hackers to easily access accounts by guessing or using brute-force attacks:
- Default credentials can be cracked by a brute-force attack or may already be known to an attacker.
- Passwords containing personal or corporate data can be guessed after exploring employees’ social network accounts.
- Simple sequences like “sp987654” and passwords like “0okm9ijn” are based on patterns that can be seen just by looking down at your keyboard.
Also, employees often store passwords unreliably by:
- Keeping passwords open — Storing credentials in plain text or Google Sheets
- Publicly displaying passwords — Writing them down on sticky notes and leaving these notes on the desk
- Not encrypting passwords — Using unsafe password managers that use weak or no encryption
Last but not least, incorrect handling of passwords can also cause issues:
- Insecurely sharing passwords — Using unencrypted messengers to send credentials to colleagues
- Incorrectly managing passwords across platforms — Using the same password for multiple accounts or varying only a single character in credentials for different accounts
- Using passwords that don’t expire — Not changing passwords once in a while
Ensuring a reliable password policy seems a simple thing to do. However, even large enterprises can make mistakes.
In 2018, Veeam, a backup and data recovery company, detected an exposed database with more than 200 gigabytes of customer records including names, email addresses, and some IP addresses. This database didn’t have a password and could be accessed by anyone who knew where to look.
2. Carelessly handling sensitive data
When employees work with a massive amount of data every day, they’re likely to make mistakes leading to data leaks. Major reasons for this are negligence, tiredness, lack of knowledge about cybersecurity threats, and not understanding the value of the data.
The most common and dangerous mistakes employees make when handling data are:
- Accidentally deleting essential files with sensitive data or security information
- Purposefully removing files without understanding their importance
- Sending emails with sensitive data to the wrong recipients
- Accidently making changes in documents due to carelessness
- Sharing sensitive data with colleagues using unsecured messengers
- Using unsecured email attachments when sending sensitive data
- Not backing up critical data
These threats are extremely common for cyber security in hotels. But even government and military services aren’t immune to human errors involved in information security. In 2018, the U.S. Marine Corps Forces Reserve exposed personal data of thousands of marines, sailors, and civilians by sending an unencrypted email with an attachment containing personal confidential information to the wrong email list.
3. Using outdated or unauthorized software
Outdated software is a hacker’s best friend, as it has known vulnerabilities and can easily be exploited.
Unfortunately, employees often help cybercriminals to compromise sensitive data by:
- Ignoring software updates. This can lead to significant data breaches, such as the WannaCry ransomware outbreak that mostly affected machines running older versions of Microsoft Windows and the security breach that exploited unpatched software on a system acquired by Marriott.
- Disabling security features. Sometimes employees put the business’s cybersecurity at risk to simplify their work or use work devices for personal needs. For example, they might pause antivirus or browser security features to watch or download files from suspicious websites.
- Downloading unauthorized software. Shadow IT risks are dangerous to the cybersecurity of any organization. Software that isn’t approved by the security department can be malicious by itself, compromising your business data immediately. Another scenario is when the software contains no viruses but has vulnerabilities known to malicious actors.
Common excuses for negligence among employees are:
- Too much work. Employees claim to be too concentrated on the current task, leading them to constantly put off software updates.
- The wrong timing. Update pop-ups often appear at inconvenient moments, which leads employees to form a habit of ignoring them.
- No time to learn. Employees may be reluctant to spend time exploring the features of new licensed software, instead opting to use outdated software they already know.
- No time for updates. Employees are often unwilling to wait for updates to be finished.
- Force of habit. Employees continue working with outdated or unauthorized software because they’re used to it.
- Lack of cybersecurity knowledge. Users often don’t understand the risks of disabling security features and using unauthorized or outdated software.
It’s noteworthy that when your employees lack overall cybersecurity knowledge, it poses a serious threat to the safety of your critical data and systems. That’s why we chose cybersecurity ignorance as the final, fourth mistake your employees are prone to make.
4. Lacking knowledge of cybersecurity
Most employees are fully concentrated on their work and don’t show too much care about security procedures. But employees that aren’t educated about major internet security rules can cause a real cybersecurity crisis in your organization.
Employing the help of an insider is the easiest way for attackers to steal credentials, get access to critical data, and introduce malware to a system. Even now, employees can be victims of phishing attacks or malicious applications that hackers use to get access to company data.
Let’s take a look at several mistakes employees make due to lack of cybersecurity knowledge:
- Following suspicious email links and attachments. Cybercriminals become more and more creative when sending malicious emails. These emails often aren’t filtered as spam and can pose a threat to your cybersecurity, while links can lead to the fake websites and attachments can contain malicious scripts.
- Using personal devices for work purposes. Sometimes, employees leave their smartphones and laptops in public areas. Once stolen in an airport, for example, a device is vulnerable to data compromise.
- Using public Wi-Fi without a VPN. Most people don’t understand that public Wi-Fi in hotels, restaurants, and other public places can be used by hackers to start man-in-the-middle attacks, install malware, or conduct other malicious activities. Not using a VPN to encrypt your connections is a huge mistake.
- Plugging in insecure devices. Even known USB storage sticks (not to mention new unchecked devices) can contain malicious code that has appeared after interacting with an outside network.
- Performing unauthorized system changes. Employees often perform unauthorized modifications to the system in order to make their work more convenient or to speed up processes. These changes can disturb regular business procedures and even bring the system down.
The number of phishing attacks detected by Kaspersky globally hit 129,933,555 attempts during just the second quarter of 2019. Cybercriminals and blackmailers pretend to be email services and tax refund services to gain access to users’ email accounts. Also, they used Google cloud-based data storage services to hide their illegal content, while links from such legitimate domains are seen as trustworthy by both users and spam filters.
Best practices for preventing human mistakes
Employee error avoidance is the best strategy for those who want to keep their critical data secure. The absence of immediate damage to your organization isn’t a reason to leave your cybersecurity policy as is.
The only way to mitigate human mistakes in cybersecurity is to use a complex holistic strategy for preventing insider threats and enhancing your cybersecurity.
By employing the following practices and solutions, you can effectively protect your company from employee security mistakes:
Update your corporate security policy. Your security policy should clearly outline how to handle critical data and passwords, who can access them, which security and monitoring software to use, etc. Revise your security rules and check whether all current best practices are reflected in the document.
Educate your employees. Make your employees aware of potential threats and explain how dangerous and expensive the consequences of their mistakes can be. You should educate your employees about risks such errors pose to the organization’s security. Make sure everyone is familiar with the corporate security policy and is motivated to follow the rules.
Use the principle of least privilege. The easiest and most reliable way to secure data access is to deny all access by default. Allow privileged access only when needed on a case-by-case basis. If users can only access data required for their work, you can prevent accidental data leaks and data deletion caused by employees who aren’t supposed to work with certain sensitive data in the first place.
Monitor your employees. User activity monitoring tools are needed to detect malicious activity and secure your system from data leaks and malicious attacks. The most reliable way to ensure accurate detection and prevention of security mistakes is by using employee system monitoring software such as Ekran System.
Making human errors visible with Ekran System
Ekran System is an insider threat protection solution that ensures user activity monitoring, identity management, and privileged access management. Packed with lots of useful features, Ekran System gives businesses of various sizes and in various industries insights into what actions were performed by the user, what software was used, what data and websites were accessed, etc.
This approach makes any mistakes immediately visible, allowing you to react to them and prevent damage. By implementing Ekran System into your cybersecurity strategy, you can:
- Choose the license that fits you best by picking the features that meet your specific needs
- Detect both malicious attacks and unintentional insider threats using built-in customizable alerts
- Tune in to live video streams of current sessions to immediately see what’s happening
- Block users if needed
- Block USB devices upon connection to prevent users from accidentally infecting your system with malware
Cybersecurity issues caused by human mistakes are usually less costly than data beaches due to malware. However, they still pose a serious threat to the security and availability of your sensitive data and business-critical resources.
Knowing the four cybersecurity mistakes most often made by employees, you now know what to expect and how to avoid data loss and data compromise.
By using Ekran System, educating your employees, and efficiently enforcing a well-thought-out security policy, you can reliably prevent human errors. Request a free demo or 30-day trial to see how Ekran System can enhance your business’s cybersecurity.