As the number of cyberattacks and data breaches continues to rise, the importance of cultivating a good cybersecurity posture has become more critical than ever. However, while many organizations invest in hardware and software solutions, too many continue to overlook one of their biggest security weaknesses: their own employees.
Whether it’s clicking on a suspicious link, visiting a spoofed website, or simply choosing a password that’s easy to remember (rather than actually secure), human error can leave companies vulnerable to cyberattacks, and undermine or compromise existing security protocols.
In this article, we will discuss how employees are putting their companies at risk, and how poorly thought-out company policies can inadvertently undermine an organization’s cybersecurity posture, as well as common threats that organizations need to be aware of. We will also explore strategies for mitigating risks, and provide concrete advice that you can act upon to improve your cybersecurity posture.
How Employees Can Inadvertently Increase Your Security Risk
Human error remains a serious concern when it comes to cybersecurity, and for good reason. A recent study conducted by Stanford University Professor Jeff Hancock, in partnership with security firm Tessian, found that approximately 85% of all data breaches are caused, at least in part, by employee mistakes.
Even the most cybersecurity-conscious and diligent employee will likely make a mistake at some point, but that doesn’t mean organizations shouldn’t be taking steps to minimize those risks and organize their digital systems and workflows to make mistakes less likely to occur.
Human errors fall into two general categories: skill-based errors and decision-based errors.
- Skill-based errors refer to small mistakes that occur while workers are performing familiar tasks and activities. In these cases, the end user knows what the correct course of action is, but because of a temporary lapse, a mistake, or negligence, fails to follow the correct procedure. These types of errors are more likely to occur when a worker is tired, distracted, rushed, or otherwise experiences a brief lapse in memory.
- Decision-based errors occur when an end user makes a faulty decision. Factors that play a role often include:
  - The user doesn’t have the necessary level of knowledge to complete the task correctly.
  - The user doesn’t have enough information about the specific task or circumstance.
  - The user doesn’t realize that, through their inaction, they are, in fact, making a decision.
Common examples of human error include things like:
Misdelivery
Misdelivery refers to sending something to the wrong recipient. According to Verizon’s 2018 breach report, misdelivery is the fifth-most common cause of all cybersecurity breaches. One example of a serious breach caused by misdelivery occurred in 2016 when an NHS practice in Britain inadvertently revealed the email addresses (and names) of over 800 HIV clinic patients. This occurred when an employee sent out an email notification to the patients, and accidentally entered their email addresses into the ‘to’ field instead of the ‘bcc’ field, allowing each patient to view private details about the email’s other recipients.
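A pre-send check for exactly the ‘to’ instead of ‘bcc’ mistake described above, added here as an example (it is not code from the original article). The internal domain, the threshold and the two sample drafts are constructed for the demonstration.

```python
"""Pre-send misdelivery check for the 'To instead of Bcc' mistake.

Added example; not code from the original article. It reads the headers
of an outgoing draft and flags a mass mailing whose external recipients
would all see one another's addresses."""
import email
from email.utils import getaddresses

# Hypothetical settings: the sender's own domain, and how many outside
# addresses may appear in the visible To/Cc headers before we object.
INTERNAL_DOMAIN = "example-clinic.test"
MAX_VISIBLE_EXTERNAL = 1


def visible_recipients(raw_draft: str) -> list[str]:
    """Addresses in To and Cc: the headers every recipient can read."""
    msg = email.message_from_string(raw_draft)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def external_recipients(addresses: list[str]) -> list[str]:
    """Keep only addresses outside the organisation's own domain."""
    return [a for a in addresses if not a.endswith("@" + INTERNAL_DOMAIN)]


def check_misdelivery(raw_draft: str) -> dict:
    """Return recipient counts plus an 'exposed' verdict for the draft."""
    visible = visible_recipients(raw_draft)
    external = external_recipients(visible)
    exposed = len(external) > MAX_VISIBLE_EXTERNAL
    return {
        "visible_recipients": len(visible),
        "external_recipients": len(external),
        "exposed": exposed,
        "advice": "move external recipients to Bcc" if exposed else "ok",
    }


# Constructed sample drafts (fictional addresses on reserved .test domains).
EXPOSED_DRAFT = """\
From: Clinic Admin <admin@example-clinic.test>
To: patient-a@mail.test, patient-b@othermail.test, patient-c@mail.test
Subject: Appointment reminder

Please book your next review.
"""

SAFE_DRAFT = """\
From: Clinic Admin <admin@example-clinic.test>
To: Clinic Admin <admin@example-clinic.test>
Bcc: patient-a@mail.test, patient-b@othermail.test, patient-c@mail.test
Subject: Appointment reminder

Please book your next review.
"""

if __name__ == "__main__":
    for name, draft in (("exposed", EXPOSED_DRAFT), ("safe", SAFE_DRAFT)):
        print(name, check_misdelivery(draft))
```

The same rule can sit in a mail gateway or an Outlook add-in; the point is that the check runs before the message leaves, not after.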
Physical Security Errors
While most cybersecurity policies focus on the digital realm, physical security plays a critical role. Physical security errors refer to errors that allow unauthorized persons to view or steal confidential information or credentials by gaining access to secure premises. Physical security comes in a wide variety of forms, but one of the most common forms involves leaving confidential documents unsecured and unattended in places such as on an employee’s vacant desk, in meeting rooms, or in the printer output tray. Under these circumstances, anyone who has access to (or can gain access to) these areas can view or remove confidential or private documents.
Another common physical security error is tailgating, which occurs when an unauthorized person is able to follow an authorized person through a secure door or another barrier, often by simply walking closely behind them. Holding the door for the person behind you is considered polite, so to avoid being perceived as rude, workers are likely to hold the door for the person behind them rather than close the door and make the next person open it.
Failing to Install Security Patches
Exploiting security gaps in software remains a popular tactic among cybercriminals. Whenever software companies discover a security vulnerability in their code, they work to quickly address the issue and send out a patch to all users, ideally before cybercriminals can exploit the vulnerability. However, not all organizations enforce prompt patch installation, and busy or overworked users may be more inclined to “get to it later” rather than spend the time now and delay other important tasks.
To highlight how vital it is to install patches as soon as possible, we only need to look at the 2017 WannaCry ransomware attack. This attack impacted hundreds of thousands of computers around the world and cost organizations millions of dollars in damages. However, the exploit used by the attackers, called “EternalBlue”, had actually been patched by Microsoft months before the attack. Impacted computers were only left vulnerable because users had failed to download and install the appropriate patch, leaving their organizations vulnerable.
Human Errors Don’t Occur in a Vacuum
A number of factors, such as opportunity, environment, and a lack of awareness, all work in tandem with human error and play a critical role in making vulnerabilities easier to exploit.
Opportunity
Just like a seed needs soil to take root, human error can only occur when an opportunity presents itself. The more opportunities there are for an error to occur, the more likely it is to occur.
Environment
In this case, environment refers to both the physical environment of the workplace and the workplace culture. Workers are more likely to make mistakes when they are physically uncomfortable (such as when the workplace is too hot or too cold) or when their work environment is too noisy to effectively concentrate (a serious concern in the era of open-plan offices). Open-plan offices also leave little room for privacy, which means if an employee has sensitive information open on their computer screen that anyone can read over their shoulder, or has to discuss sensitive matters with a colleague, that information is more likely to be inadvertently shared with unauthorized users.
Company culture also plays a significant role. Often, end-users are aware of the correct course of action or an important security rule, but either fail to follow the correct procedure or cut corners because the reality of the situation makes doing things correctly burdensome, or they simply don’t have enough time in their days to follow all procedures correctly while still completing all assigned work in a timely fashion.
Company cultures that don’t put security first, or fail to account for how necessary security procedures negatively impact other aspects of an employee’s task list, inadvertently cultivate an environment where security is a burden or a nuisance rather than a necessity.
Lack of Awareness
In too many cases, errors occur simply because end-users don’t know what the correct course of action is. For example, though most employees know that phishing emails are a serious concern, they may not know how to accurately identify them or know to whom they should report suspicious messages.
Another common example is unsecured Wi-Fi networks and home networks. With more employees working from home or opting for hybrid work, more sensitive information is being accessed outside the office. Most workers are confident that the work network is secure, but may not know what steps they should be taking to ensure their home network is equally secure. Or they may not understand the dangers of using publicly accessible Wi-Fi networks such as those found in coffee shops and other public places.
Poorly-Crafted or Inadequate Company Policies Can Undermine Your Security Posture
Human error is not just limited to individual people. Company rules and policies may play a role as well, either codifying and amplifying insecure practices, or undermining your organization’s security posture in other ways.
Inadequate Security Training
Workers that don’t receive adequate security training may not understand why their behaviors are harmful. Employees that understand why security is important and how their actions can either strengthen or undermine your organization’s security posture are more likely to follow security protocols than employees who see those protocols as unnecessary burdens or inconveniences rather than critical and necessary steps.
Weak Password Guidelines
Memorizing long and complicated passwords is difficult, which is why too many employees opt for passwords that are easy to remember, such as their spouse’s name, child’s name, or pet’s name. A 2019 report by the National Centre for Cyber Security in the UK found that 123456 remains the most popular password worldwide, and that 45% of people polled reused the password from their main email account to secure their accounts on other platforms.
Lax or Nonexistent Security Protocols
Smaller organizations, in particular, are less likely to have security experts on staff and may feel that the time needed to develop security protocols and procedures is better spent elsewhere. To counteract this issue, many small and medium-sized organizations are opting to partner with trusted security experts like Infracore. These partnerships allow smaller organizations to access the security information and skilled advice they need to keep their organization secure without having to divert scarce resources to supporting an expensive in-house expert.
Common Cybersecurity Threats (And How to Mitigate and Avoid Them)
Knowledge is power, and that adage is particularly true when it comes to cybersecurity. With the majority of cybersecurity incidents resulting, at least in part, from human error, it’s critical for all workers to have a general understanding of common cybersecurity threats and know what steps they can take to avoid falling victim to them.
Phishing and Other Forms of Social Engineering
Social engineering involves the use of psychological manipulation to infiltrate an organization or private network by tricking unsuspecting users into handing over sensitive information or granting access to restricted areas of the network. Social engineering uses human traits against us, such as the fear of getting in trouble, the desire to avoid causing an inconvenience, and the drive to be helpful. Social engineering may also rely on trust, where the attacker impersonates someone we trust, such as our bank or our boss, in an attempt to get us to perform actions we normally wouldn’t.
One of the most common forms of social engineering is the phishing scam, when a cybercriminal or other type of malicious actor attempts to trick potential victims into revealing sensitive or confidential information (such as passwords or banking information), or installing malware by clicking on a malicious link or opening an infected file.
Organizations can help safeguard themselves from phishing emails by investing in cybersecurity education and training and teaching workers how to spot potential phishing scams. Workers should also know to whom they should forward suspicious messages. When in doubt, it’s always best to take the time to verify a request independently, such as by calling your boss or your bank directly to clarify what they are asking, and ensure that the request is actually coming from them.
Malware and Ransomware
Malware refers to any form of malicious software. The goal of malware is to infect endpoints such as smartphones, laptops, and tablets to gain access to sensitive systems or private data, and relay this information back to the attacker. Malware is often spread using infected email attachments and suspicious website links, and is a common factor in phishing scams.
Ransomware is a form of malware that prevents end-users from accessing an organization’s or individual’s systems or data. The ransomware does this by encrypting the files or system and locking legitimate users out until a ransom is paid, typically in the form of cryptocurrencies. However, even if an attacker promises to restore access once money has exchanged hands, this isn’t always the case; some files and systems may remain inaccessible or become damaged during the attack.
One of the best protections against ransomware is regular backups. Computer equipment such as endpoints and servers can be replaced, and systems that are backed up regularly can be rolled back with minimal data loss. This approach allows impacted organizations to simply ignore the demand and circumvent the lockout, all while disincentivizing future attacks against both their particular organization and other organizations by removing the financial incentive.
Credential Stuffing
Credential stuffing involves using previously compromised username and password combinations to attempt to gain access to restricted systems. These compromised credentials are stored in existing databases and are typically collected during previous breaches. These stolen credentials can either be gathered by criminal organizations for future use, or may be purchased from other criminals on the dark web.
The dark web is a portion of the internet that is not indexed by search engines such as Google, so unlike the mainstream internet, it can’t be accessed by simply typing a URL into your browser. The hidden nature of the dark web has made it a haven for criminal activity, allowing cybercriminals to buy and sell illegal items such as credit card numbers, username and password combinations, illegal weapons, and even malware as a service without being observed by law-abiding internet users.
You can find out if your username and password have been compromised using https://haveibeenpwned.com/. If your credentials have been compromised, you should rotate your password immediately. To help limit access and mitigate the damage if your credentials are compromised, you should use strong passwords (or consider investing in a password manager) and never reuse passwords across multiple sites or services. Employees should also never use their work emails for any non-work-related sites or services (such as Facebook).
Man-in-the-Middle Attacks
Man-in-the-middle attacks involve intercepting sensitive data and traffic. This scenario involves three players: the victim; the entity the victim is trying to contact (such as their bank); and the cybercriminal, who intercepts the victim’s communications without the victim knowing.
Man-in-the-middle attacks work similarly to phishing attacks. A common scenario involves the victim receiving an urgent or otherwise alarming email from an entity they trust (their bank, for instance) demanding they take immediate action or suffer consequences. Panicked, the user clicks on the link, which takes them to a website that looks nearly identical to their bank’s actual website, where they enter their login credentials. However, the website they visited does not actually belong to the bank but is instead operated by the cybercriminal, to whom they have just inadvertently handed over their banking details.
This scenario can take many similar forms, such as “your boss” asking you to use the provided link to purchase office supplies or “your IT department” telling you that your credentials have been compromised and asking you to reset your password. In this scenario, the best course of action is to independently verify the request through a different mode of communication. This could involve picking up the phone and calling your bank, walking down the hall to your boss’s desk, or calling the IT department directly. The entity on the other end can then confirm whether or not the request is genuine. Employees should also know to whom they should forward suspicious emails so that your security team can investigate the incident further and issue a company-wide warning if appropriate.
Supply Chain Attacks
Supply chain attacks occur when attackers target an organization’s systems via a compromised third-party resource. A famous example of a supply chain attack is the SolarWinds attack. In this example, the attacker was able to gain unauthorized access to a SolarWinds program called Orion, which many organizations, including several US government departments, rely on to manage their IT resources. Attackers were able to insert malicious code into a routine Orion update, which SolarWinds then sent out to their clients without realizing their code had been compromised. This malicious code then allowed attackers to access client systems.
As with the SolarWinds attack, the compromised third-party vendor is generally not the final target but, instead, a means to access sensitive client systems. In the case of SolarWinds, the attacker knew that highly security-conscious organizations such as the US government wouldn’t think twice about downloading an update from SolarWinds, with whom they had an existing IT contract. The attackers then exploited the target organizations’ trust in SolarWinds to trick users into downloading malicious code.
Supply chain attacks are particularly devastating because the damage is not limited to intended victims but will, in fact, impact any organization that inadvertently downloads compromised software.
Concrete Steps You Can Take to Improve Your Organization’s Security Posture
Keep All Software Up to Date
One of the easiest steps you can take as soon as you finish reading this article is to check and ensure your software is up to date on all your devices and remind your co-workers or employees to do the same. This will allow you and the rest of your organization to take advantage of any security patches that have been issued since your last update and eliminate known vulnerabilities in your security posture that attackers might seek to exploit.
Conduct Security Audits Regularly
What gets measured gets managed. Regular security audits allow your organization to periodically assess your security posture and identify any weaknesses or deficiencies so they can be addressed. Organizations that don’t have an in-house cybersecurity team may want to consider hiring an experienced cybersecurity partner to assist with this critical task. Our experts will assess your current cybersecurity posture and provide concrete and actionable recommendations. Should your organization be targeted by cybercriminals, our team can also help you fend off an attack in progress and do a deep dive after the fact to identify the root of the problem so that it can be rectified.
You should also be regularly auditing individual programs and services as well, such as your Microsoft 365 environment, to ensure that you aren’t leaving your organization vulnerable and remain compliant. Too many programs default to insecure settings.
As part of your security audit, you may also want to conduct a penetration test (pen test). Penetration testing involves hiring an ethical hacker to stress-test your defenses and identify vulnerabilities and weaknesses before cybercriminals can exploit them. Once the test is complete, the tester will sit down with your team to review their findings and offer advice on steps your organization can take to improve your security posture.
Reduce Opportunities for Human Error
Reducing opportunities for human error is a small security step that offers a big payout. Taking steps such as restricting access to critical systems and sensitive data on a need-to-know basis and ensuring that employee credentials are revoked as part of your offboarding process are both simple steps that can dramatically reduce your attack surface. Dormant employee accounts are ripe for exploitation since the system assumes those credentials are being used by a trusted and carefully-vetted user, and departed employees are not going to be regularly logging into accounts they no longer use.
You should also consider investing in software and hardware that makes acting securely the default, which can reduce or eliminate human error.
Insist on Strong Passwords
Insisting users employ strong passwords makes it much harder for unauthorized users to guess passwords. The NIST password guidelines (Special Publication 800-63B) offer excellent advice on setting strong organizational password standards.
To further improve your password security, you may also want to consider using a password manager. Password managers work like a book of passwords, where only the user has the master key. Passwords stored in the password manager can be randomly generated, and most password managers automatically flag reused passwords so that users know the password they are using isn’t unique and can update it accordingly. Some password managers even tie into https://haveibeenpwned.com/ and will alert users if a particular username and password combination has shown up in their database of compromised credentials.
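An added example (not code from the original article) showing the kind of check behind the haveibeenpwned.com lookups mentioned above and in the credential stuffing section: a password is hashed with SHA-1, only the first five hex characters are sent to the Pwned Passwords range endpoint, and the rest of the hash is matched locally, so the service never sees the full hash. The range responses below are constructed stand-ins with made-up counts so that the block runs offline; the minimum-length rule is one of the NIST recommendations referenced above.

```python
"""Breached-password check in the style of Pwned Passwords' k-anonymity range API,
combined with a NIST-style minimum length rule.

Added example; not code from the original article. The range responses here
are constructed (counts are made up) so the block runs without network access."""
import hashlib
import urllib.request

# Constructed stand-in for the service's responses, keyed by SHA-1 prefix.
# Each line is "<remaining 35 hex chars of the SHA-1>:<times seen in breaches>".
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"  # "password"
             "0123456789ABCDEF0123456789ABCDEF012:2\n",       # unrelated suffix
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\n",  # "123456"
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent
    to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint (not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:  # the full hash never leaves the client
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=None) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    fetch = fetch_range or CONSTRUCTED_RANGE_RESPONSES.get
    return parse_range_response(fetch(prefix) or "").get(suffix, 0)


def evaluate_password(password: str, min_length: int = 8, fetch_range=None) -> list[str]:
    """Return the policy failures for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "password", "correct horse battery staple"):
        print(repr(candidate), evaluate_password(candidate) or "acceptable")
```

Pass `fetch_range=fetch_range_live` to `evaluate_password` to check against the real corpus; the offline dictionary is only there so the example is reproducible.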
Cultivate a Company Culture that Values Security
Security is everyone’s responsibility, but lower-level workers are more likely to value security if they know that upper management values it as well. By modeling good security practices and ensuring that everyone from the CEO down is undergoing regular cybersecurity training, you can help ensure that security remains top-of-mind. Regular security training not only ensures that all employees are up to date on any policy changes, but it also gives them an opportunity to ask clarifying questions or raise concerns.
As part of your ongoing cybersecurity training, you may also want to consider running tabletop scenarios. Tabletop scenarios work like security fire drills, allowing employees to work as a team and test their skills and knowledge in a no-risk environment. During the exercise, employees are presented with a hypothetical scenario, such as a ransomware attack, and then are asked to find a solution to address the situation and minimize or even prevent damage. Once the exercise is complete, the team reviews their performance and identifies any issues they encountered. Tabletop exercises also help to assess your current policies and protocols and gauge how effective they will be should an actual incident occur.
Cybersecurity training should also be offered as part of your onboarding process so new hires have the skills and knowledge they need to help secure your organization from day one.
Call in the Experts
And finally, partnering with an experienced security provider can help improve your security posture and identify ways to minimize or eliminate human error. A good security expert will assess your current security posture and suggest concrete and actionable improvements. They will also be able to help your organization respond swiftly and effectively to an incident should your organization be targeted by cybercriminals and help you fortify your posture going forward to improve security.
Not everyone is a cybersecurity expert, and that’s certainly fine! The experts at Infracore are here to help. We offer a wide range of cybersecurity services, including network security, multi-factor authentication, Microsoft 365 security audits, and user education and training to help ensure your organization is ready for anything. For more information, please contact our team today.