It's Official, Employees Are The Biggest Security Risk

Verizon’s 2015 Data Breach Investigations Report has found that over 90% of attack patterns involve a single, common denominator: people. Human error is a primary challenge to the infosecurity industry and players at every level need to take a fresh look at how to manage it.

A litany of errors

In the classification of security incidents, the top attack pattern was ‘miscellaneous errors’ at 29%, followed by crimeware (excluding espionage and point-of-sale intrusions) at 25%, insider misuse (21%) and physical theft/loss (15%).

In other words, 90% peopleware.

 Under miscellaneous errors, those made by internal staff top the bill: sensitive information reaching incorrect recipients (30% of incidents); publishing nonpublic data to public web servers (17%); and insecure disposal of personal and medical data (12%).

Amusingly labelled in the report as D’oh!, My Bad! and Oops!, they are distinctly unfunny errors. Especially when you know that – incredibly - system administrators were responsible for over 60% of them. (Or should that be badministrators? Ouch!)

 Phishing emails remain a major cause of data breaches but they have evolved from simple account-takeover to malware installation; in effect, the hacker’s MO has moved from wallet theft to quietly moving into the basement while they act out a long term plan at their leisure.

In a sanctioned phishing test, the median time-to-click was only 82 seconds, 23% of recipients opened the message, and 11% clicked on attachments. Some departments (Communications, Legal and Customer Services) were far more likely to become phishing victims – easier targets, perhaps, because of the high volume of emails they receive.

Quick win security measures

Some basic security controls on the IT front offer quick wins: patching web services, locking out users after multiple failed attempts, mail attachment filtering, restricting the ability to download software, and use of AV software and hardware.

On the end-user front, whatever the precise dynamics of attack are, hackers want to get a foothold into your network, so protecting user credentials is critical: passwords should be strong (15+ characters with complexity added) and unique to each account.

Users shouldn’t use autocomplete in emails (to avoid them being sent to unintended recipients), or the regular Trash folder for documents containing sensitive information, and they shouldn’t click on links in emails. In the case of physical theft/loss, one obvious security rule writes itself when you know that 55% of incidents occur in the victim’s work area.

It’s also vital to develop an engaging training and awareness programme. To make it more effective, you should structure it around known facts about human error…

User training: tap into the science of human error

Clever chaps with PhDs have done lots of hard work analysing and classifying types of human error. Far from being purely academic, their typology can be applied directly to the task of cybersecurity training.

Human errors fall into two types: ‘skill-based errors’ and ‘mistakes’. Skill-based errors (slips of action and lapses of memory) can’t be changed by training, but they can be minimised by workplace design, reduced distractions, and use of checklists.

‘Mistakes’ can be either rule-based or knowledge-based. The latter can be minimised by good-quality training, and rigorous competency checks.

Rule-based mistakes include those where someone has failed to apply a good rule. An example of such a ‘violation error’ might be the leaving of passwords in plain view, or clicking on links in emails. They can be minimised by educating employees about risks and consequences, as well as involving them in the development of the rules and procedures that affect them. Violations can also be made the subject of disciplinary action.

One small step

In the absence of perfect technology, and until there’s a sufficient evolutionary advance in human DNA that will allow Homo cybersapiens to look back in 100,000 years and laugh at the condition called ‘human error’, we must devise a workaround. 

With 90% of security incidents falling under ‘peopleware’, understanding how to manage man’s capacity for error may be one small step for InfoSec man, but one giant leap towards effective cybersecurity.

If you are worried about your organization being the victim of a hacking incident, check out our free guide on How to Protect Your Company from being Hacked.