For years, “human error” has consistently been identified as a major contributing factor to cybersecurity breaches. One recent report revealed that 43% of C-Suite leaders who reported a data breach cited human error as the second major cause. Another report found that the average cost of human errors in cybersecurity breaches was $3.33 million.
Human error in cybersecurity breaches is an age-old problem, so all organizations must remain vigilant and educate their employees to mitigate these errors.
What are the most common human errors in cybersecurity breaches? What is their impact, and how can organizations minimize them?
4 Critical Human Errors in Cybersecurity Breaches
#1. Email Misdelivery
Embarrassment aside, misdirected emails may lead to data losses and/or thefts. If this data belongs to customers, the organization has to inform them about the breach, which may lead to a loss of trust, damage the relationship, and even sever a contract.
Companies that fall under the ambit of GDPR and other privacy laws are also required to report data breaches to the regulators, which may lead to hefty fines, legal repercussions, or other punitive actions.
#2. Poor Password Hygiene
In many organizations, passwords are the first line of cybersecurity defence. But often, they’re also the biggest weakness. In fact, 61% of breaches are due to stolen or compromised user credentials.
Here’s why passwords are among the most common human errors in cybersecurity breaches:
A majority of users use common passwords like 123456 or password
45% reuse their main email account password on other services
Many retain the same passwords for an extended period of time
Some write down passwords or share them with colleagues
Due to these kinds of mistakes, bad actors can easily get their hands on passwords to break into the victim’s system and even the enterprise network. Moreover, stolen passwords often end up on the Dark Web, with their cost depending on the user and their access level.
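The most direct defensive control for the mistakes listed above is to screen every new password against a list of commonly used (and known-breached) values rather than relying on users to choose well, which is the approach NIST SP 800-63B recommends. The following is an added example, not code from the original article or from Packetlabs: the denylist is a tiny constructed stand-in for a real breached-password list, and `check_password` is an assumed name.

```python
import re

# Constructed denylist standing in for a real list of commonly used and
# breached passwords (a production verifier would use a list of millions).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

MIN_LENGTH = 8


def _variants(candidate: str) -> set[str]:
    """Normalise a candidate so trivial variants of a denylisted value
    ('Password1!', 'PASSWORD2023') are caught as well as the exact string."""
    lowered = candidate.lower()
    # Drop trailing digits and symbols: 'password2023!' -> 'password'
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, stripped}


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    The checks mirror the human errors above: too short, a well-known value
    (or a trivial variant of one), or something tied to the account name.
    """
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if COMMON_PASSWORDS & _variants(candidate):
        problems.append("matches a commonly used password")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for pw, user in [("123456", ""), ("Password2023!", "bob"),
                     ("alice2024secure", "Alice"), ("correct horse battery staple", "alice")]:
        verdict = check_password(pw, user) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The variant normalisation matters in practice: users who are told “password” is banned commonly submit “Password1!”, which an exact-match denylist would accept.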
#3. Inadequate/Incomplete/Delayed Patching
Cybercriminals exploit software vulnerabilities to gain access to enterprise networks, systems and data. When such vulnerabilities are discovered, the software developers (or vendors) fix them and send out a patch to all users. The patch must be applied immediately to prevent breaches, but often there is a delay, which gives cybercriminals time to compromise systems and steal data.
The Equifax attack in 2017 is a famous example of such an error. The company failed to patch a software security vulnerability – that they knew about – for months. This error allowed hackers to obtain the personal information of 140+ million Americans and 8,000 Canadians. Another issue: they ran automatic scans that failed to identify the vulnerable systems. If they had run a manual, thorough and proactive penetration test instead, they might have found – and fixed – the issue much earlier.
#4. Poor Access Control
Inadequate access control is another major human error in cybersecurity breaches since it allows bad actors to take control of enterprise networks. Cyber attacks are now virtually inevitable, so security teams must focus on both error prevention and mitigation. This is where access control plays a key role, particularly when it applies the “least privilege principle” (LPP).
With LPP, users have only the bare minimum access required to perform their function. Granting users more access than they need expands the attack surface. LPP prevents this and minimizes the chances of a breach.
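Two pieces of code make LPP concrete: an authorization check that denies anything not explicitly granted, and an audit that compares what each user was granted with what they actually exercised, so that excess privilege can be removed. The following is an added example, not code from the original article or from Packetlabs; the grant table, the audit log lines and their `user=… action=… result=…` format are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed grant table: the permissions each user currently holds.
GRANTS = {
    "alice": {"crm:read", "crm:write", "billing:read", "billing:export", "admin:users"},
    "bob": {"crm:read", "crm:write"},
    "carol": {"billing:read"},
}

# Constructed audit log (format assumed for this example):
# <timestamp> user=<name> action=<permission> result=<allow|deny>
AUDIT_LOG = """\
2023-01-09T08:01:12Z user=alice action=crm:read result=allow
2023-01-09T08:04:55Z user=alice action=crm:write result=allow
2023-01-09T09:17:03Z user=bob action=crm:read result=allow
2023-01-09T09:20:41Z user=bob action=billing:export result=deny
2023-01-10T10:02:19Z user=alice action=billing:read result=allow
2023-01-10T11:45:00Z user=carol action=billing:read result=allow
"""

LINE_RE = re.compile(r"^\S+ user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")


def is_allowed(user: str, action: str, grants: dict = GRANTS) -> bool:
    """Default-deny check: an action is permitted only if explicitly granted.
    Unknown users and unknown actions both fall through to False."""
    return action in grants.get(user, set())


def used_permissions(log: str) -> dict[str, set[str]]:
    """Collect the permissions each user actually exercised (allowed actions only)."""
    used: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "allow":
            used[m["user"]].add(m["action"])
    return used


def unused_grants(grants: dict, log: str) -> dict[str, list[str]]:
    """Report granted-but-unused permissions per user: the candidates to revoke
    when tightening access toward least privilege."""
    used = used_permissions(log)
    report = {}
    for user, perms in grants.items():
        excess = perms - used.get(user, set())
        if excess:
            report[user] = sorted(excess)
    return report


if __name__ == "__main__":
    for user, excess in unused_grants(GRANTS, AUDIT_LOG).items():
        print(f"{user}: never used {', '.join(excess)}")
```

The audit window matters: a permission unused over a week may simply be seasonal (month-end billing export), so in practice the review period is chosen to cover the user’s full cycle of duties before anything is revoked.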
Best Practices to Minimize Human Errors (and Cybersecurity Breaches)
All people are human, and all people make mistakes. Therefore, it’s impossible to eliminate human errors in cybersecurity breaches completely. However, organizations can minimize them with the following practices:
Implement a Zero Trust approach to cybersecurity
Treat trust as a vulnerability
Implement software-defined perimeters and secure web gateways
Verify every login
Monitor every activity
Train employees about cybersecurity
Implement two-factor authentication and biometric security to strengthen password-based security
Use encrypted password managers to create and safely store strong passwords
Deploy machine-intelligent security solutions to alert users of potential threats automatically
Conduct regular application security testing to find and address security gaps in software
Create a security-focused culture where security is taken into consideration with every action, workflow and process
Prevailing “wisdom” dictates that humans are the “weakest link” in cybersecurity. However, instead of holding and perpetuating this negative mindset, organizations will be better served by focusing on preventing human errors in cybersecurity breaches. There are three key aspects to this: understand why human errors happen, reduce opportunities for such errors, and educate users on the impact of their mistakes. We hope you found this article useful in addressing these aspects.
For more interesting insights, explore the other cybersecurity articles on the Packetlabs blog.