Human error is inevitable, even in fields as thorough and technically efficient as cybersecurity. While there are mechanisms in place to prevent and detect such occurrences, on occasion, even an enterprise that is usually a well-oiled machine can fall victim to vulnerabilities that may arise due to the human factor. Fortunately, by identifying common problem areas and addressing them accordingly, organizations can keep human error to a minimum and ensure that business operates as usual.
Though the human factor is a major nontechnological stumbling block to cybersecurity, an organization’s networks and data can be secured if employees obey clear, well-defined security policies, and practice and participate in routine cybersecurity training and exercises.
According to an IBM assessment, human error is involved in 95% of information security errors.[1] Information management risk managers and chief information security officers (CISOs) should consider human fallibility, laziness and fatigue when creating and implementing policies and procedures to minimize security-related human error.
Human Fallibility
In some of the most successful attacks, threat actors exploit human laziness and fallibility. One survey showed that 1 in 5 enterprises (19%) that suffered a malicious data breach was infiltrated due to stolen or compromised credentials, increasing the average total cost of a breach for these enterprises by nearly US$1 million to US$4.77 million.[2] Organizations should work actively to remove the risk that comes from human laziness and fallibility, which, in turn, helps remove the threats that come with social engineering and phishing attacks. This can be aided by offering employee awareness training. Organizations should ensure that all employees are familiar with the corporate security policy and are motivated to follow the rules.
Combating Laziness and Fatigue
Laziness can be the result of a lack of information. If communication is not clear or is nonexistent, then staff do not know what the organization’s position is on security. The rules of the organization and why they exist must be clear and transparent; otherwise, it is easy for people to disregard them.
It should be a part of an organization’s policy to give staff a checklist that includes all critical mandatory regular tasks and a self-enforcing metric to determine whether they have completed their tasks.
Although computers can work endlessly, humans are prone to fatigue when working longer hours, which makes them more prone to errors. Fatigue countermeasures include regulated working hours and mandatory breaks during work hours.
Lack of Strong Policies and Procedures
It is crucial to have strong policies and procedures in place on cybersecurity, data loss prevention (DLP) implementation, and IT and information systems procedures to protect the organization from various threats. As shown in figure 1, to help mitigate the risk of human error, security policies should clearly outline how to handle critical data and passwords, which security and monitoring software is to be used, and who should have access to that software. Organizations should ensure that all employees are familiar with the corporate security policy and are motivated to follow the rules. Organizations should grant privileged access only when needed, on a case-by-case basis, and monitor user activity to detect malicious behavior. A lack of policies, or gaps in their implementation, results in vulnerabilities. Periodic review of critical policies is also essential for effective implementation.
Figure 1—How to Prevent Human Errors
Source: Ekran, “How to Prevent Human Error: Top 4 Employee Cybersecurity Mistakes,” 24 September 2019, http://www.ekransystem.com/en/blog/how-prevent-human-error-top-5-employee-cyber-security-mistakes. Reprinted with permission.
Any human error in the workplace can have a cascading impact on an organization’s facilities, operations, client relationships and credibility. As a result, having robust policies and processes in place to reduce human error is critical. Users must take precautions to defend themselves and the data for which they are responsible. Organizations and employees must be vigilant and not let naivety, laziness or dissatisfaction with the work environment come to the fore.
To learn more about minimizing human error in cybersecurity, read the ISACA® Journal, vol. 5, 2021 article, “Is Cyberspace Secure From Humans?”.
Endnotes
1 IBM Global Technology Services, IBM Security Services 2014 Cyber Security Intelligence Index, USA, May 2014
2 IBM Security, Cost of a Data Breach Report 2020, USA, 2020
Gopikrishna Butaka, CISA, CDPSE, CEH
Is a manager of information systems audit at the State Bank of India (SBI), a Fortune 500 company with more than 22,000 branches worldwide. Apart from conducting various audits, which include IS audits, IT migration audits and regulatory framework implementation audits, Butaka’s work also includes preparing and editing various policies for IT, cybersecurity and framework design. Butaka also coordinates the technical price negotiation committee, IT strategy committee and audit committee board meetings and ensures their implementation. Butaka is also an author focusing primarily on technology evolution and its impact on business and has contributed to dozens of articles for SBI’s in-house magazines on technology and management issues.