The latest Verizon data breach report suggests that “Human Error” is the primary factor for increasing cyber incidents year-over-year. According to experts, in 2021 and beyond, cybercriminals will unleash the fifth-generation cyber-attacks, while 97% of the world can protect itself only from second and third-generation attacks. Few reports suggest that cybercrime may now cost the world almost $600 billion, which is 0.8% of global GDP. Now, attackers are very sophisticated and targeted; they know how and where to launch their attack, lure authorized users and leverage user mistakes into launching the attack. Once successful, the attacker will perform lateral movement. Unfortunately, users often have no idea that they have become a bot and spread the attack unknowingly.
These sophisticated attacks might negatively impact the digital economy and make them more unstable on each successful attack. Every time it’s not hackers who put the organizations and govt entity’s data at risk, this is due to human error most of the time. Some of the biggest and most significant data breaches in top organizations and government agencies are due to human error.
Recently, a security breach at a water treatment facility near Florida has been reported posing a health hazard to around 15000 in the locality. The levels of Sodium-Hydroxide were manipulated, which could cause potential damage to public health. A security compromise in remote software controls deployed to operate the plant has led to this intrusion. Human error left remote control software in dormant or unattended mode with a weak password allowing the attacker to leverage this mistake, take control of the system, and increase the sodium hydroxide level beyond the safe limit. It put several people’s lives in danger.
This is not an isolated incident where human error has weakened security. There have been many other factors like lost hard drives, misconfigured databases, open access to cloud resources, no information of stale data, dormant data, overexposed permissions. Physical device theft leads to millions and millions of leaked personal and corporate data, sensitive data and intellectual property. Employee negligence is the factor that becomes the biggest cybersecurity threat for organizations, people make mistakes that are inevitable and some of these mistakes can be very costly.
During the pandemic, everyone in the world was forced to work remotely, making the human error problem a greater threat than ever. Now, this factor adds a significant impact to the overall risk posture. As organizations become readily dependent upon internet-enabled business models, they are more vulnerable and prone to a wide array of cyber-attacks and business disrupting challenges. A small mistake or human error creates a noticeable impact that could lead to news’s latest headline. Hence, this is the time to improvise and recheck the whole infra, assets, security policy before return to old normal.
Organizations must focus on bridging this gap and preventing such lapses and slips from taking place. That’s why Zensar recommends custom and tailor-made approaches to minimize such impact. Zensar has a robust framework that helps to find such gaps. Our highly skilled cybersecurity professionals follow the zero-trust model approach to make the customer ecosystem more secure.
Formal security training, mandatory InfoSec training, timely educating users via emailers, and security advisory is very important rather than reading out a list of dos and don’ts. Here are some useful tips that help to reduce human errors.
- Basic Hygiene: The only way a cybersecurity strategy can succeed is when organizations focus on basic security hygiene. It does not matter how well you configure your security controls; this will be moot until you have trained the users to use them. Many incidents arise because people don’t know what to do. Some human errors are decision-based, germinating from ‘the user doesn’t know, does not have information about the specific circumstances or is not even aware that they are unknowingly deciding with their inaction. For example, a single click on a malicious URL can control the attacker to open the back door and penetrate the corporate defense.
- Understanding of Risk: Create awareness among people to understand the risks of their actions (inactions). Help them to be mindful of their activities over the network and accountable for the same. For instance, they helped people know the risks of accessing sensitive data over an unsecured network.
- Critical thinking during an incident: This is very helpful, particularly when the incident occurs. Each employee should know how to react during the incident or cyber threat, which Infosec team members should reach where to report the incident and report the incident. For example, In case of suspected or phishing mail, never forward a suspected email to anyone, never provide your credentials, never open the attachment from an unknown sender, always make a zip of that email and send it to the Infosec team for further process.
- Identity management and access control: Poorly configured access roles and an unskilled workforce put the organization at a greater risk. Fixing human error is not just about prevention. As an organization facing a spike in cyber-attacks, mitigation is a top priority. This is the point where access control comes into the picture, especially the concept of least privilege.
- Zero Trust:Zensar believes that trust is a good thing and very effective to achieve meaningful collaboration between employees to build a healthy work environment, but when it comes to cybersecurity, trust takes the new dimensions. As per the Zero trust model, trust is interpreted as “Vulnerability.” As in cybersecurity, there is no invincibility, and hence, companies with the best cybersecurity systems and robust policies must continue to trail back and monitor every activity. Keep in mind that Zero trust is an approach as there are no such dedicated tools for zero trust. However, technologies like software-defined perimeter and secure web gateway help to implement zero-trust in a better way.
- Mandatory security training: As per the current threat landscape, cyber-attacks are dynamic and most of the time, hackers use novel approaches and special TTP. So, security training should not be a one-time event instead on a recurring timely fashion or on-demand basis. These frequent trainings aim to update employees with the latest cyber-attacks and recent developments in the cybersecurity industry, including new threats and preventive measures.
However, while training is important, the organization must focus on building cybersecurity awareness as a culture. So, the employees will understand the criticality and intuitively think about security first. Empower people with the latest information and skills. All in all, organizations should focus on the weakest link and integrating employees into their cybersecurity protocols to make them the strongest link.