Want to know a secret? That small fortune you invested in the latest cyber security kit may not be protecting you as expected. Despite adopting sophisticated cyber security technology, one simple human error is all it takes for the door to your organisation to be flung wide open to cyber criminals. Yet organisations repeatedly neglect investing in human factor cybersecurity. It’s an oversight that can leave your organisation exposed to a range of serious cyber breaches.
Think of it this way. You can protect your house by investing in the most sophisticated back-to-base alarm system. However, if you accidentally leave your front door open, that expensive alarm system isn’t going to prevent thieves entering your house and stealing your possessions.
In this guide we will explore the human factor necessary to achieving a strong cyber security posture. You will discover what is human error in computer security and how a range of simple errors by the people in your organisation may be undermining all your efforts to prevent cyber breaches. Executives have a duty to ensure staff are provided ongoing training to avoid these simple errors, so organisations can remain secure in the face of the rapidly evolving cyber threat landscape.
These are the top 5 human errors staff routinely make that need to be on your radar...
1. They either use a weak password or store it incorrectly
According to a recent study, a 12-character password containing only numbers can be hacked within 25 seconds. However, if the password consists of lower-case letters, it takes 3 weeks to hack. Better still, using a combination of lower-case and upper-case letters extends the hacking time to 300 years. And if you want to be really secure, including numbers and other symbols in the password will result in it taking a whopping 34,000 years to hack!
In other words, password strength is critically important. The longer and more complex the password, the harder it is for cyber criminals to hack their way in to your organisation’s network or applications.
But, how seriously do the staff in your organisation take password security? Staff now routinely need access to a wide range of applications. Those applications contain confidential information about your organisation, your customers and your employees. A data breach can result in crippling costs and long-term business disruption.
Unless your staff are trained in the importance of creating strong passwords, as well as appropriate password storage strategies (we are still shocked that some people write passwords on post-it notes and stick them to their computer), you shouldn’t be surprised if hackers crack passwords and gain access to your systems.
Staff also need ongoing reminders of the importance of password confidentiality, not using the same passwords to access multiple applications or systems, as well as the importance of regularly updating passwords.
2. Staff will use software that is outdated or not secure
As organisations take steps to strengthen their security controls, cyber criminals are realising that third-party software may offer the best route to breach a network perimeter. Every organisation relies on a range of software applications to run their business operations. Many of these applications are secure, however some may not be.
It’s essential to ensure staff have clear policies and guidelines when it comes to the use of third-party software.
Perhaps the most important rule is to ensure software updates are regularly run. Software vendors routinely release updates to patch bugs. However, if end users are not running those updates, they may be using vulnerable versions of software. It is estimated that as many as one in three breaches occur due to known vulnerabilities not being patched in a timely manner. So, make sure staff are running updates regularly and have not disabled auto-updates.
Another one of the most common causes of data security breaches is the use of shadow IT. This occurs when staff install applications without the knowledge or approval of your IT department. Shadow IT is known to give security teams serious headaches, as staff often download software that is insecure and exposes the organisation to potential breaches. Have clear rules in place in your organisation that require staff to obtain approval before installing new software.
3. Humans will carelessly handle data
The latest report by the Office of the Australian Information Commissioner (OAIC) clearly shows that carelessness is a major factor in data breaches. In fact, human error is responsible for 38% of all data breaches, second only to malicious or criminal attack.
Common examples of carelessness include:
- Sending personal information to the wrong recipient via email (45% of human error breaches),
- Unintended release or publication of personal information (16%), and
- Failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.
Staff need clear policies when it comes to handling data in order to avoid security breaches caused by human error. This starts by ensuring your organisation categorises different types of data as being public, internal-only, confidential, or restricted. Each category should have guidelines that make it clear for staff how they should handle, transmit, store and dispose of data.
4. Staff have low security awareness
Cyber criminals understand that the weakest link in many organisations is human error within information security controls.
Staff that have low levels of security awareness are more easily deceived into clicking a link or opening an attachment in a malicious email. That one simple act can result in the installation of malware that opens an organisation up to attack. Systems may be encrypted pending the payment of a ransom. Critical corporate, financial, customer and staff data may be compromised. The costs, not to mention the downtime, can be crippling.
That’s why investing in greater staff security awareness is essential. It is one of the most important and cost-effective security initiatives your organisation can embark upon.
With an understanding of the difference between http and https, what clues to look out for in suspicious emails, and the risks in connecting personal devices to a corporate network, you will quickly find that most staff start acting in a more cyber secure way.
5. They let an unauthorised person access a company device
With so many now working remotely, it’s all too easy for staff to inadvertently risk your organisation’s security by allowing family members to use corporate devices.
Whilst this practice may seem innocent enough to your staff, the fact is that family members may unknowingly take certain actions that jeopardise your security controls. These can include installing unauthorised software, changing settings and configurations, downloading malicious files from the internet, not to mention accessing confidential corporate data.
Providing guidance to your staff about not allowing others to access corporate devices is essential. It should be made clear that these rules are not a reflection of the motivations of their family members, but simply a recognition of the reality that people may inadvertently undermine security controls. Likewise, it is essential that staff members do not share their device password with others.
How can Phriendly Phishing help?
When it comes to preventing any type of cyber attack, human error needs to be factored into your thinking. In this blog we have covered many examples of human error in cyber security.
The good news is that with appropriate staff training, it is possible to significantly reduce your exposure to cyber security risk due to human error. When your organisation is ready to mitigate the risk of human error and cyber attacks, contact Phriendly Phishing. Phriendly Phishing's security awareness course catalogue covers over 40 topics including:
- An Introduction to Information Security
- Handling Sensitive Information
- Information Security at Home and
- Laptop Security
Our staff awareness and training programs have been developed by leading industry experts who understand cyber criminals and the methods they use to take advantage of untrained staff. Our engaging and interactive modules cover all the essentials your staff need to know to help keep your organisation secure!
Contact the Phriendly Phishing team today for further information.