Solving the Problem of Human Error in Cybersecurity

When most folks think about cybersecurity problems at organizations, they assume skilled black-hat hackers did the deed, seeking valuable data and the chance to capture attention in the headlines. But there’s a rising trend of cybersecurity issues that result from mistakes humans make unintentionally.

Until companies tackle the human error issue, it’s challenging to make significant progress in improving cybersecurity by keeping out malicious infiltrators.

Human Error Causes a Substantial Percentage of Issues

According to one study, human mistakes cause 90 percent of cybersecurity problems.

Often, people are unaware the actions they take are wrong. In one instance, a former insurance company employee left the company in possession of a portable hard drive containing information about 44,000 customers, including their names, addresses and Social Security numbers. Three days later, the person returned the hard drive and signed a document affirming they did not use the breached data.

The event was presumably the result of simple human error, and it’s possible the individual hadn’t received guidance on what to do with company data before leaving the company or just accidentally walked out of the building with the portable hard drive in a bag.

Though businesses that use paperless record-keeping systems are often more secure than those that still rely on physical data collection and storage, this example shows just how easy it is for human error to put company data at risk, regardless of how you store it.

Mistakes May Tie Into Multiple Problems

The causes of cybersecurity incidents are often hard to pinpoint because they are varied and rarely isolated to a single shortcoming. For example, a 2016 theft of a company laptop used by an employee of the correctional system may have exposed the protected health data of up to 400,000 inmates who served time in California prisons during an 18-year span.

Although the laptop had password protection enabled, the data contained on the machine was unencrypted. Also, the theft happened when the laptop was unattended inside a company vehicle. So, while one could argue the user should have carried the device at all times instead of leaving it in a car, so, too, should the company have encrypted the content.

Companies Know Employees Are Cybersecurity Threats

In a poll about companies’ fears related to cybersecurity, 52 percent of respondents admitted employees are their most significant cybersecurity risk. But things get complicated beyond that, due to a variety of worries about mistakes employees might make while at work that could compromise cybersecurity.

Among the most pressing concerns were inappropriate sharing of data across mobile devices, theft or loss of portable gadgets and employees using IT resources in unauthorized ways. So, companies that already feel overwhelmed by the challenges inadequate cybersecurity poses may balk at implementing policies when they don’t know what to tackle first.

Fatigue Makes Cybersecurity Issues Worse

Automation could also help stop problems such as emails inadvertently sent to the wrong people, with the sender realizing the blunder seconds after it’s too late to do anything about it. Most people can relate to being tired and making email-related mistakes, but those errors become serious when they involve sensitive, wrongly distributed data.

Research showed 88 percent of Medicaid data breaches in 2016 happened when people gave the wrong individuals access to data due to misdirected communications via regular mail, email or faxes. The material could arrive at the wrong physician’s office, for example.

There is also another worrisome type of tiredness known as security fatigue. It happens when people feel so burdened by following cybersecurity procedures that they stop trying. In one survey, 63 percent of people reported feeling that way. Security fatigue alone does not fall under the human error category if people are aware of their lack of compliance, but it can complement mistakes.

What Can Companies Do to Solve the Human Error Problem?

When businesses evaluate how to stop their workers from making costly cybersecurity mistakes, they should start by gaining a better understanding of their workforce and where the problems lie. For instance, perhaps an organization recently instituted a bring-your-own-device policy, but hasn’t asked IT department members to inspect the gadgets for potential vulnerabilities.

Or, there could be a flaw in a business’s onboarding process, whereby a sizeable percentage of people are unaware that the company has cybersecurity policies or don’t know how to get more information about them. An investigation involving 2,000 office workers in the United Kingdom found 30 percent of individuals did not know how to access their organization’s cybersecurity policies.

Encouraging employees to speak up with questions or concerns about a cybersecurity policy is also a good idea. If workers don’t fully understand the implications of not following the proper procedures, they might not think security-related mistakes are serious.

Always Prioritize Coaching and Opportunities to Change

Some companies become so fixated on solving human-made cybersecurity issues that they consider enforcing extreme punishments for people who don’t follow policies or otherwise show carelessness about cybersecurity.

Disciplinary action is typically necessary in cases of intentional malice. But the focus here is on unintentional errors. In those cases, the ideal process is to coach the wrongdoers about what they did wrong and give them tools to make positive changes for the future. Taking that approach builds cybersecurity into a company’s culture without making people fearful.

Kayla Matthews

Kayla Matthews writes about cybersecurity, data privacy and technology for Digital Trends, Cloud Tweaks, TechnoBuffalo and The Daily Dot. To read more of Kayla’s articles, visit her blog Productivity Bytes.
