It was an unfortunate situation that went from bad to worse. A few years ago, French television station TV5Mode was hacked. It had to go offline for a while due to disruptions of its email accounts, video editing, and use of the servers that send television pictures for broadcast.
One of the TV5Mode reporters went on live TV to be interviewed about the hack. In the background of the shot there was a sticky note with a bunch of scribbled writing. In plain sight for all the world to see was written the station’s logins and passwords for Twitter, Instagram, YouTube, and other sites. In a moment of irony, one of the passwords was “lemotdepassedeyoutube” which translates into “the password of YouTube.”
This may seem like an extreme situation but unfortunately, it is not. Keeper Security surveyed over 1,000 employees in various industries about their password-related behavior. Fifty-seven percent of survey respondents said they save their passwords on sticky notes. And if that’s not enough to keep you up at night, 49% save work-related passwords in the cloud and 62% share passwords by text message and email.
Why Human Error Plagues Cybersecurity
As the proverb goes, to err is human. Of course, we all make mistakes. But there is a big difference between mistakenly sharing your home’s WiFi with your neighbor and sharing your company’s passwords with them.
There are many reasons why humans make wrong decisions when it comes to cybersecurity. Most of them relate to not having enough information or a lack of awareness that they are causing harm. It is not intentional and could be as simple as wrongly using a work computer on public WiFi.
A key takeaway from Verizon’s 2021 Data Breach Investigations Report was that 85% of breaches involved the human element. The report found that “human error” was the cause of year-over-year increases in reported incidents of web application attacks, phishing, and ransomware.
It is a big issue that must be addressed by organizations since the average cost of human errors in cybersecurity breaches is $3.33 million according to IBM’s Cost of a Data Breach Report. The entertainment, public sector, and consumer industries had the highest percentage of data breaches that were caused by human error. It took companies an average of 239 days to identify and contain a breach that was caused by human error.
Social Engineering Plays on Emotions
Cybercriminals don’t play nicely in the sandbox of human emotions. They will take advantage of feelings of fear, sympathy, and curiosity to gain access to valuable digital assets. Social engineering is the term for using intentional psychological manipulation of people to get them to perform actions or divulge confidential information. Cybercriminals love to use social engineering techniques because they are much easier to execute versus hacking into a system.
ISACA’s State of Security survey of almost 3,700 global cybersecurity professionals found that social engineering is the leading cause of cyberattacks experienced by organizations. This is because it all comes back to trust. Humans, whether they are the CEO or admin, have inclinations towards who and what they can trust. If they receive an email from ‘a friend’ then their natural tendency is to click on it.
These are some common examples of where the human element of trust is leveraged in social engineering attacks:
- Phishing
- Spear phishing
- Baiting
- Malware
- Pretexting
- Water-Holing
Mitigating Human Errors in Security
The best way to fix human errors with cyber and cloud security is to start with humans themselves. Employees can be a company’s greatest asset in strengthening their security protocols. This is especially the case with more employees working remotely and having less oversight of their behaviors.
Employee training is a significant mitigating factor in reducing the total cost of a data breach and decreases the average cost of a breach by $238,019. But the problem is that training and enforcement are lacking across organizations with 24% of C-suites and half of small business owners reporting that they have no regular employee training on their information security policies or procedures.
Often employees receive a notice about completing their organization’s cybersecurity training. This is typically met with a collective groan and is often procrastinated until the last minute. Here are some ways to try to gain momentum with your approach:
- Share news updates: Send news of cybersecurity incidents that have happened at similar companies. So the news doesn’t go straight to the trash folder, include the article links in the IT team’s signatures and rotate them every month.
- Get reinforcement from the C-suite: Have your executives share with employees why cybersecurity is critical to the success of the company. Have this done verbally for more impact such as at town hall meetings.
- Make it fun: Recognize employees who report a suspicious email or other cyber threat with a reward such as a gift card. This practice encourages others to be alert and promotes a positive work environment. Build a line item in your cybersecurity training budget for the prizes.
Cyberlocke offers industry-leading IT services that support efficient and secure operations. To drive productivity, increase security, and improve business value. Let’s talk.
