Every organization is aware of the risk of human error. Employees occasionally make mistakes, which prompts employers to take measures to reduce human error and precautions to keep such errors from disrupting regular company operations or hurting the bottom line. However, not all employers realize how dangerous human errors can be when it comes to cyber security, or where they rank among information security threats.
Employees can often leak data or compromise company security inadvertently.
According to the 2015 Insider Threat Report, 57% of security specialists name inadvertent data breaches as the insider threat they are most concerned about. The Global 2015 Cost of Data Breach Study by Ponemon shows that human error causes 25% of all data breaches in the US and costs roughly $198 per capita to mitigate. At the same time, the IBM 2014 Cyber Security Index, a computer security report from IBM covering security trends and topics from malware to insider threats, states that most of the IT security incidents it investigated involved human error in one way or another.
Typical employee cyber security mistakes involve poor password handling, careless handling of data, use of insecure software, and general unawareness of potential threats and the best ways to prevent them.
We can distinguish five major categories covering the main employee security mistakes:
1. Weak Password Security
Passwords are the most basic security technique, and they provide very reliable protection if they are handled with care and not shared with anybody. However, when passwords are not handled with proper care and procedures, they can easily be cracked, guessed or otherwise obtained by malicious perpetrators, giving them full access to the system.
- Using simple passwords. A typical example of human factors in security is a simple password that is easy to remember. Sometimes employees even keep default credentials. Such passwords are easy to guess or to crack by a brute-force attack.
- Sharing passwords. Sharing passwords among employees is a careless mistake that can easily give a malicious insider access to data they should not have. One look at the famous information security breach by Edward Snowden reinforces that this is a bad idea for security. Another security mistake is to reuse the same password across different services and accounts: if one of those services is compromised, all of them are potentially compromised.
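The checks described above (default credentials, simple or common passwords, passwords that merely dress up a dictionary word with digits or symbol substitutions) can be enforced at the point where a password is set. The following Python example is added here to show such a policy check; it is not code from the original article or from Ekran System. The denylist, the default-credential pairs, the 12-character minimum and the 60-bit search-space floor are all constructed values chosen for the example.

```python
import math
import re

# Constructed denylist of default and commonly used credentials (sample only;
# a real deployment would load a large breached-password list instead).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "admin", "welcome", "letmein",
    "changeme", "p@ssw0rd", "summer", "company",
}
# Constructed (username, password) pairs of the kind that ship as vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("user", "password")}

MIN_LENGTH = 12          # policy minimum (assumed value)
MIN_SEARCH_BITS = 60     # policy floor for the brute-force search space (assumed value)

# Undo common leetspeak substitutions so "P@ssw0rd" is caught as "password".
_LEET = str.maketrans("@$013!", "asolei")


def search_space_bits(password: str) -> float:
    """Rough brute-force search-space size in bits, from the character classes used."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33   # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(username: str, password: str) -> list:
    """Return the list of policy violations for a proposed password (empty means accepted)."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare several normalised forms against the denylist: lower-cased,
    # with trailing digits removed ("summer2015"), and with leetspeak undone.
    base = password.lower()
    stripped = base.rstrip("0123456789")
    candidates = {base, stripped, base.translate(_LEET), stripped.translate(_LEET)}
    if candidates & COMMON_PASSWORDS:
        problems.append("common password")

    if username and username.lower() in base:
        problems.append("contains username")
    if search_space_bits(password) < MIN_SEARCH_BITS:
        problems.append(f"brute-force search space below {MIN_SEARCH_BITS} bits")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("jsmith", "P@ssw0rd2015"),
                     ("jsmith", "Jsmith2015!"), ("jsmith", "correct-horse-battery-staple-9")]:
        print(f"{user}/{pw!r}: {check_password(user, pw) or 'OK'}")
```

The search-space estimate is deliberately crude: it only tells you how large the space a brute-force attacker would have to cover is, which is why the denylist and normalisation checks run first. A long passphrase passes, while a short password, a default credential or a disguised dictionary word is rejected with the reason, so the employee learns which rule they tripped.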
2. Careless handling of data
Employees who routinely work with large amounts of data or handle sensitive data can sometimes leak or compromise it out of carelessness. Such carelessness may be the result of a simple mistake, or it may be caused by the employee not realizing the importance of the data.
- Sending data via email by mistake. Most white-collar employees send a lot of emails during work. A single typo in the recipient address is enough to send sensitive data to the wrong person.
- Accidentally deleting files. Employees may delete files to clear space without realizing how important they were.
3. Inadequate software security
Most employees are much more concerned with doing their work fast and efficiently than with following proper security procedures. As a result, they often put convenience ahead of the security of the software they use and the data they work with. Such an approach can compromise the cyber security of the whole organization.
- Neglecting updates. Employees often neglect updates because they take too long or pop up at inconvenient moments, leaving software wide open to attack. Use of legacy software with known vulnerabilities is also a very widespread issue. Such software is often used not because it has features nothing else offers, but out of habit.
- Intentionally disabling security features. Employees can disable security features they deem intrusive without realizing their importance. Such actions can easily compromise the security of the whole system.
4. Low security awareness
The easiest way to steal credentials and gain access, or to introduce malware into the system, is to enlist the unwitting help of an insider. Employees often have very low awareness of phishing and social engineering practices, which can lead them to inadvertently help malicious agents get access to company data.
- Clicking on malicious email links. Emails containing malicious links are very dangerous and hard to filter. With the recent resurgence of ransomware delivered via malicious email links, such emails can become a serious problem for your organization.
- Using and downloading unauthorized software. Even if software is not malicious in itself, it can contain vulnerabilities that serve as a gateway into your system for a malicious actor.
- Plugging in unknown or insecure devices. A perpetrator can plant devices, most often USB storage sticks, containing malicious code that runs automatically, hoping that an employee will find one and plug it into the system out of curiosity. Even if the origin of a device is known, it can still harbor a virus picked up from an outside network, and it should therefore be used with care.
5. Ineffective data access management
Controlling access to sensitive data is a basic part of any security program. However, many organizations grant employees access to everything by default unless it is specifically restricted. Such an approach may result in the following problems:
- Having too many privileges. Employees may end up with access to data or system configurations that they should not have. Such access can result in accidental data leaks.
- Performing unauthorized system changes. Employees may perform unauthorized system changes to speed up their job or make it easier. However, they are most likely unaware that such changes can disrupt regular business procedures and even bring down the system.
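The difference between the "open unless restricted" scheme described above and a deny-by-default scheme is easiest to see in code. The Python example below is added here for illustration and is not code from the original article or from Ekran System; the roles, resources, grants and the single explicit deny are constructed for a fictional company. It puts the two authorization rules side by side and adds a small audit that lists grants on an account that none of its roles justify, which is the "too many privileges" problem in the first bullet.

```python
from dataclasses import dataclass, field

# Constructed policy data for a fictional company: role -> explicit (resource, action) grants.
ROLE_GRANTS = {
    "accountant": {("payroll-db", "read"), ("payroll-db", "write"), ("finance-share", "read")},
    "developer": {("source-repo", "read"), ("source-repo", "write"),
                  ("build-server", "read"), ("build-server", "write")},
    "helpdesk": {("finance-share", "read")},
}

# The default-allow scheme the article warns about: everything is open unless a
# resource/action pair has been explicitly restricted. Roles are never consulted.
EXPLICIT_DENIES = {("payroll-db", "write")}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Grants actually present on the account; these may drift away from the role template.
    actual_grants: set = field(default_factory=set)


def allowed_default_allow(user: User, resource: str, action: str) -> bool:
    """Default allow: only an explicit deny blocks, regardless of who is asking."""
    return (resource, action) not in EXPLICIT_DENIES


def allowed_least_privilege(user: User, resource: str, action: str) -> bool:
    """Deny by default: permitted only if one of the user's roles carries an explicit grant."""
    return any((resource, action) in ROLE_GRANTS.get(role, set()) for role in user.roles)


def excess_privileges(user: User) -> set:
    """Grants on the account that no held role justifies: candidates for revocation."""
    justified = set().union(*(ROLE_GRANTS.get(r, set()) for r in user.roles))
    return user.actual_grants - justified


if __name__ == "__main__":
    dev = User("dana", {"developer"}, ROLE_GRANTS["developer"] | {("finance-share", "read")})
    acct = User("alex", {"accountant"})
    for who, res, act in [(dev, "payroll-db", "read"), (acct, "payroll-db", "write"),
                          (dev, "prod-config", "modify")]:
        print(f"{who.name} {act} {res}: default-allow={allowed_default_allow(who, res, act)}"
              f" least-privilege={allowed_least_privilege(who, res, act)}")
    print("excess grants for dana:", excess_privileges(dev))
```

Two things stand out when the rules are compared on the same requests: the default-allow rule lets a developer read the payroll database because nobody thought to deny it, and at the same time its one coarse deny blocks the accountant whose job requires payroll writes. The deny-by-default rule gets both cases right from the role grants alone, and any action not listed, such as modifying production configuration, is refused without anyone having to anticipate it.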
Best practices for preventing human errors and security mistakes
Some of these cyber security mistakes happen occasionally, while others, such as using weak passwords, can be more systematic. And while they may not cause any immediate damage to your organization, such security mistakes and oversights are a disaster waiting to happen. If allowed to go unchecked, they will lead to cyber security breaches and data leaks that cost a lot of money to recover from and may damage your business.
However, by taking a comprehensive, holistic approach to insider threats and cyber security, you can reduce the rate of human error and prevent security mistakes. By employing the following practices and solutions, you can effectively protect your company from employee security mistakes:
- Create an effective security policy. Security rules and best practices should be formalized in a written security policy. It should clearly set out the rules for handling data access and passwords, what security and monitoring software is used, and so on. All employees should be made familiar with the policy, and it should be effectively enforced.
- Educate your employees. A high level of security awareness goes a long way toward preventing employee mistakes. Make your employees aware of the risks such mistakes pose to the security of the organization. Teach them how to do their work securely and make sure to drive home why this matters. Employees who understand the potential security risks of their actions are much more careful.
- Apply the principle of least privilege. When it comes to data access, it is much more secure and reliable to deny all access by default and allow it on a case-by-case basis when needed. This way, every user has only the level of privilege their work requires and can access only the data they need. This prevents accidental data leaks and deletions by employees who were never supposed to work with that data in the first place.
- Monitor your employees. Security mistakes are sometimes hard to distinguish from regular user activity, which lets them go undetected for long periods and leaves your system vulnerable to data leaks and malicious attacks. The most reliable way to thoroughly detect and prevent employee security mistakes is to use employee monitoring software, such as Ekran System.
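Whatever monitoring product is used, the raw material is the same: per-user activity records that look ordinary one line at a time and only reveal a mistake when correlated. The Python example below is added here to show two such correlations; it is not Ekran System's code or any product's detection logic. The log format and every log line are constructed for the example. The first detector flags an account that logs on from more than one host within a short window, a common trace of a password shared between colleagues; the second flags a burst of file deletions by one user, the pattern an accidental mass deletion leaves behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real data). Each line is an ISO-8601 UTC
# timestamp followed by key=value fields; the format itself is an assumption.
SAMPLE_LOG = """\
2015-09-14T09:02:11Z user=jdoe host=WS-017 event=logon
2015-09-14T09:03:40Z user=jdoe host=WS-042 event=logon
2015-09-14T09:05:02Z user=asmith host=WS-020 event=logon
2015-09-14T09:06:15Z user=asmith host=WS-020 event=file_delete path=/share/finance/q3.xlsx
2015-09-14T09:06:16Z user=asmith host=WS-020 event=file_delete path=/share/finance/q2.xlsx
2015-09-14T09:06:17Z user=asmith host=WS-020 event=file_delete path=/share/finance/q1.xlsx
2015-09-14T09:06:18Z user=asmith host=WS-020 event=file_delete path=/share/finance/q4.xlsx
2015-09-14T09:06:19Z user=asmith host=WS-020 event=file_delete path=/share/finance/summary.docx
2015-09-14T13:30:00Z user=jdoe host=WS-017 event=logon
2015-09-14T17:45:00Z user=bwayne host=WS-009 event=logon
2015-09-15T08:10:00Z user=bwayne host=WS-011 event=logon
"""


def parse_log(text: str) -> list:
    """Turn the key=value log lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for f in fields:
            key, _, value = f.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def shared_account_alerts(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Accounts that logged on from more than one host within `window`.

    Returns sorted (user, (host, ...)) tuples. A sliding window over each user's
    logons avoids flagging someone who simply changed desks the next day."""
    logons = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon":
            logons[ev["user"]].append((ev["ts"], ev["host"]))
    alerts = []
    for user, entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {host for t, host in entries[i:] if t - t0 <= window}
            if len(hosts) > 1:
                alerts.append((user, tuple(sorted(hosts))))
                break
    return sorted(alerts)


def bulk_delete_alerts(events: list, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> list:
    """Users who deleted at least `threshold` files inside `window`; returns (user, count)."""
    deletes = defaultdict(list)
    for ev in events:
        if ev.get("event") == "file_delete":
            deletes[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in deletes.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= threshold:
                alerts.append((user, count))
                break
    return sorted(alerts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible shared accounts:", shared_account_alerts(evs))
    print("bulk deletions:", bulk_delete_alerts(evs))
```

On the sample, jdoe is flagged because two hosts logged on with that account ninety seconds apart, while bwayne is not, since the second host appears the next morning; asmith trips the deletion rule by removing five finance files in four seconds. Both thresholds are assumptions to be tuned against real baselines, and either alert is a prompt for a human to look at the session, not a verdict on the employee.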
Make human errors visible with Ekran System
Ekran System is a security and monitoring solution that provides indexed, searchable video recordings of everything a user sees on screen, including mouse movements. It gives you insight into what actions the user performed, what software was used, what data and websites were accessed, and so on. This approach makes any human mistake in digital security immediately visible, allowing you to react quickly and prevent potential damage.
Ekran System has a number of tools to help detect and prevent insider attacks, both malicious and inadvertent. Built-in customizable alerts give you real-time notifications of potential computer security incidents. Security personnel can then tune in to the live video feed of the current session, immediately confirm what is happening, and remotely block the user if needed.
Ekran System can also automatically block USB devices on connection, preventing users from accidentally infecting your system with malware by plugging in unidentified USB devices.
Ekran System provides a flexible licensing scheme, allowing for cost-effective deployment at any scale. By using Ekran System, educating your employees and efficiently enforcing a well-thought-out security policy, you can reliably control and prevent cyber security human error.