According to an extensive cybersecurity report published by Verizon in 2021, “85% of data breaches are caused by human errors.” In cybersecurity and data protection, human error is defined as the unintentional actions of employees that can cause security breaches that most often lead to data leaks.
A single error can be fatal for companies and cost millions of dollars. For example, Target had a huge data breach in 2013 that caused the company $90 million. After the incident, the company’s reputation was damaged, and it took a long time to win the trust of customers back.
Could the company foresee that a security breach could happen and prevent it? Let’s discuss the most common human errors and how to prevent them.
The unintentional nature of human errors doesn't mean they are unavoidable. Companies can identify the weaknesses in their security policies and take measures to mitigate the risks. Here are the seven most common human errors that can cause security breaches.
A 2021 study conducted by NordPass in 50 countries reveals that the "123456" combination is used for login purposes by 130 million people. The second and third most frequently used passwords are "123456789" and "qwerty", used by 46 million and 22.3 million people, respectively. A skilled hacker could crack such weak passwords in less than a second.
Besides setting poor passwords, most people use the same combination for their personal and corporate emails, social media accounts, and other services. Some people don't change their passwords for years and even share them with colleagues or write them down on sticky notes pasted onto their monitors. Such a careless attitude towards passwords causes 61% of security breaches, Verizon says.
Assigning someone inadequate access rights is another human error that can cause security breaches. In some organizations, people who are not competent to handle sensitive data still have permission to access it. In most cases, such wide access rights are granted to employees by default unless there is a specific request to restrict them.
Here are the most common errors caused by inadequate access control:
- Deleting sensitive data accidentally or intentionally.
- Making system configurations that can cause data breaches and data leaks.
- Performing unauthorized changes in the system.
- Sending emails with valuable data to the wrong recipients.
While employees are online looking for information to do the task at hand, they may download files from unauthorized sources, click unknown links, or hit "yes" on random pop-ups. Such actions can install spyware on your device without your knowledge. You won't even suspect that, while you do your daily work, it records your online activities and harvests your login credentials and personal information. The malware then transfers the collected information to a third party that uses it without your consent.
The worst part is that spyware can spread from one computer and infect a company's entire network. If it is not detected in time, it causes multi-million-dollar damage to the business.
In most cases, human errors that cause security breaches are made accidentally or due to a lack of knowledge. Unfortunately, some organizations are so focused on getting results that they ignore the need to educate their employees about cybersecurity. Here are several common mistakes people make due to a lack of knowledge:
- Downloading software from suspicious or unauthorized sources.
- Connecting to public Wi-Fi at restaurants or hotels without VPN encryption.
- Plugging in devices such as USB storage devices of unknown origin.
According to an investigation conducted by Verizon in 2020, 20% of cybersecurity breaches happen because of phishing emails. Clicking on the malicious links inside such emails is one of the most costly human errors. Reportedly, the average cost of a single stolen record is $133. Imagine how much damage it can cause to an organization if the entire network gets infected beyond the end user's computer!
When employees perform repetitive daily tasks, they become careless and ignore security procedures over time. They think that if their work was seamless yesterday, nothing could threaten them today. This careless attitude to security procedures can sometimes compromise the security of entire companies. Here are the security procedures employees ignore:
- Software updates: Most employees skip software updates because they take too long or appear at the most inconvenient times.
- Antivirus and security features: Sometimes employees turn off antivirus or other security features because they interfere with their work. It's dangerous to leave the computer without protection for even a single minute while actively using the Internet.
Delayed patching is closely connected to the previous point but focuses specifically on software updates. Cybercriminals constantly look for vulnerabilities in software, but so do software developers. Once developers discover such a vulnerability, they fix it and release patches, better known as software updates. Those who install the updates on time protect their devices from security breaches, while every minute of delay increases the risk of getting compromised.
The case of the Equifax credit reporting agency is an excellent example of why software updates shouldn't be ignored. In 2017, their software had a security vulnerability. The company knew about it but delayed the patching process. As a result, their system got hacked, and the personal information of over 140 million American customers and 8,000 Canadian customers was compromised.
Once companies have identified the gaps in their security policies, they can take preventive measures. Making mistakes is human, so the risks cannot be eliminated entirely, but they can be minimized. Check out the following seven measures.
Since most cybersecurity breaches are caused by poor password hygiene, companies should pay particular attention to password management. Organizations should set a clear policy against using simple passwords or reusing one combination for all accounts. Password generation tools can help create strong, reliable passwords consisting of letters, numbers, and symbols.
Moreover, activating two-factor authentication across all corporate accounts should be a mandatory part of the policy. It will increase the protection of your accounts and make them uncrackable by hackers.
Granting all employees unlimited access to sensitive data is a huge mistake. By default, access should be denied to all employees. Managers should then assign permissions as needed whenever employees require access to the data to perform their work. Most systems support different permission levels depending on user roles. For example, junior specialists can only view documents, while managers have the right to edit or delete them. Such a division of user rights protects sensitive data from being modified or accidentally deleted.
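The deny-by-default model described above, with role-based permissions and time-limited grants handed out by a manager, as an added example in Python (not code from the original article; the role names, permission set and user names are assumed for illustration):

```python
"""Deny-by-default access control with role permissions and time-limited
grants. Added illustration; roles and actions are constructed."""
import time

# Role-to-permission mapping, mirroring the article's example:
# juniors may only view documents, managers may also edit and delete.
ROLE_PERMISSIONS = {
    "junior": {"view"},
    "manager": {"view", "edit", "delete"},
}


class AccessPolicy:
    def __init__(self):
        self.roles = {}   # user -> role; a user with no entry has no access
        self.grants = {}  # (user, action) -> expiry timestamp for ad-hoc grants

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.roles[user] = role

    def grant(self, user, action, ttl_seconds, now=None):
        """A manager grants one extra action for a limited time only,
        so temporary access does not silently become permanent."""
        now = time.time() if now is None else now
        self.grants[(user, action)] = now + ttl_seconds

    def is_allowed(self, user, action, now=None):
        now = time.time() if now is None else now
        # Deny by default: allow only via an explicit role or a live grant.
        role = self.roles.get(user)
        if role is not None and action in ROLE_PERMISSIONS[role]:
            return True
        expiry = self.grants.get((user, action))
        return expiry is not None and now < expiry
```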
Viruses and spyware can cause destructive damage to your devices and network. Hence, it's wiser to be protected than to fight their devastating consequences. The best protection against viruses and spyware is antivirus and anti-spyware software. McAfee Total Protection, Norton 360, and Bitdefender Total Security are three top anti-spyware solutions worth using. These suites also provide a VPN for encrypted Internet use and a firewall to protect the device from external threats.
Most human errors are made because of a lack of knowledge about cybersecurity, and the best way to mitigate the risk of such errors is to educate employees and raise their awareness of information security. Companies should hold frequent training and teach their employees about cyberattacks, their types, and protection procedures. Employees should know how to distinguish phishing emails from authentic ones, how to report them, and what to do if they detect a security breach. If your company has a specific security policy, make sure your employees know about it.
One way to protect yourself from phishing emails is by flagging messages received from outside your company. But it isn’t a 100% solution since some spam emails can imitate your company’s email domain. So, using security software that detects suspicious emails is another option.
No matter how you decide to fight phishing, make it a rule of thumb never to download a file or click on a link inside a suspicious email.
Your company shouldn't rely solely on employees' conscientious attitude towards following cybersecurity procedures. You should have a clearly explained corporate security policy that describes how to handle sensitive data, how and when to update passwords, and other security rules. This guide shouldn't be allowed to go out of date: update it regularly and notify your employees so they can familiarize themselves with the new security procedures.
Software developers release patches because they have discovered vulnerabilities and want to help you stay protected against them. Ignoring or skipping software updates therefore increases the risk of your device getting compromised. Hence, it's recommended to install patches immediately after they become available.