Human Error: The Overlooked IT Security Threat
Human error is involved in as many as 27 percent of security incidents involving data leaks. How do you protect yourself from such threats? We have gathered five pieces of advice.
To err is human, as the saying goes. This applies, to a large extent, to IT security as well: human error is a frequent culprit when a company suffers a data security breach.
Ponemon’s 2018 Cost of Data Breach Study cites malicious or criminal activity as the main cause in 48 percent of data leaks, while 25 percent of data breaches are attributed to system failure. Finally, as many as 27 percent of data leaks are due to human error.
This should concern most organizations, especially considering that the number of data breaches rose by 424 percent from 2017 to 2018, according to 4IQ’s 2019 Identity Breach Report.
Human error has wide repercussions under the GDPR
Human error covers several actions – e.g., bad password habits, clicking on phishing links or sending information to the wrong recipient. These are all widespread problems, and they all constitute risks that pose a challenge to any organization’s data security.
This has only become more important since the EU General Data Protection Regulation (GDPR) came into force in May 2018: inadequate data storage security may now even result in substantial fines.
As an organization, you can take the right technical measures and implement and streamline the right processes, but you rarely get very far if the employees are not involved and do not understand how their actions collectively contribute to the organization’s GDPR compliance.
Even when outsiders attack an organization, their success is most often due to the fact that they can exploit internal structures and weaknesses that should have been addressed previously.
5 tips to prevent human error
This is why it is crucial to take measures with respect to human error. Errors are going to happen, and when they do, it is simply better to be prepared. However, what is the most important step you can take to safeguard your organization? We have gathered five pieces of advice.
Train your staff
Many errors are avoidable – with the proper training. Make sure that the organization’s employees are aware of any security threats. Threats are constantly evolving, so make sure to keep the organization updated accordingly. Don’t forget to teach the staff about applicable laws and regulations that are relevant to data security and workflows. GDPR is a really good example of this.
Create a security-centric culture
Make sure to communicate any security policies throughout the organization so that the employees are aware of their existence and applicability (and of what may happen in case of non-compliance). A good security culture is created by establishing proper habits and workflows among employees – and not least by promoting a working environment that tolerates errors. In this way, you can, to a much greater extent, trust that the employees will report any errors, so that they can be rectified immediately.
Implement access control
Good security begins with solid access control. If employees have copies of each other’s rights, or if many simply have access to too much data, there is great room for improvement. It is a really good idea to implement an access policy based on a need-to-have principle. This means that only those employees who explicitly need access to sensitive information are granted such access. This kind of access control often makes the difference between a solid security level and a data leak.
Be aware of internal threats
Most security breaches are committed by criminals and hackers. No doubt about it. However, this does not mean that your organization can afford to underestimate threats posed by insiders. This may include malicious employees who exploit their position, e.g., with a view to scamming the company, but, to a large extent, the threat may also be posed by employees who make mistakes unknowingly and are not aware of the security policies in place. This is precisely why access control and policy awareness are so crucial.
Grant as few privileges as possible
This is closely tied to advice number 3: Keep track of those with privileged access. Once hackers have gained a foothold in a system, their first goal will often be to gain privileged rights at a level equivalent to the system administrator. Therefore, it is a good idea to limit the number of users who have privileged rights in the systems. In addition to making life more difficult for potential hackers, it will also be significantly easier to get an overview of who in the organization has access to what.
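A small access-review script that applies tips 3 and 5 to a user inventory, added here as an example (it is not code from the article or from any product): it flags grants beyond a role's need-to-have baseline, admin rights held outside the roles that justify them, rights copied between employees, and builds the "who has access to what" overview. The inventory, the role baseline and the (role, resources, admin flag) record format are all constructed assumptions.

```python
from collections import defaultdict

# Constructed example data (not from the article, not any product's export format):
# need-to-have baseline per role, i.e. what each job function actually requires.
ROLE_NEEDS = {
    "hr": {"payroll", "employee-records"},
    "sales": {"crm"},
    "it-admin": {"crm", "payroll", "employee-records", "server-config"},
}

# Constructed user inventory: user -> (role, granted resources, holds admin rights).
USERS = {
    "alice": ("hr", {"payroll", "employee-records"}, False),
    "bob":   ("sales", {"crm", "payroll"}, False),    # payroll is beyond need
    "carol": ("sales", {"crm"}, True),                # admin rights outside IT
    "dave":  ("it-admin", {"crm", "payroll", "employee-records", "server-config"}, True),
    "erin":  ("sales", {"crm", "payroll"}, False),    # copy of bob's grants
}

def excess_grants(users, role_needs):
    """Resources granted beyond the role's baseline: {user: set of excess}."""
    excess = {}
    for user, (role, granted, _) in users.items():
        extra = granted - role_needs.get(role, set())
        if extra:
            excess[user] = extra
    return excess

def privileged_accounts(users, admin_roles=frozenset({"it-admin"})):
    """Returns (all admin-level users, those whose role does not justify it)."""
    admins = sorted(u for u, (_, _, is_admin) in users.items() if is_admin)
    return admins, [u for u in admins if users[u][0] not in admin_roles]

def duplicated_grant_sets(users):
    """Groups of users holding identical grant sets (rights copied between staff)."""
    by_grants = defaultdict(list)
    for user, (_, granted, _) in users.items():
        by_grants[frozenset(granted)].append(user)
    return sorted(sorted(g) for g in by_grants.values() if len(g) > 1)

def access_overview(users):
    """Who can reach what: {resource: sorted list of users}."""
    overview = defaultdict(list)
    for user, (_, granted, _) in users.items():
        for resource in granted:
            overview[resource].append(user)
    return {r: sorted(us) for r, us in overview.items()}
```

Run against a real export, each finding is an item for the access review: remove the excess grant, confirm or revoke the unexpected admin right, and replace copied grant sets with role-based ones.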
The above measures create a good foundation for protecting the organization from human error. Do you need further assistance? Then, you might want to consider implementing an identity and access management solution.