close search bar

Sorry, not available in this language yet

close language selection

The greatest security vulnerability: Humans

Sakthi Mohan

Sep 14, 2016 / 3 min read

Table of Contents

In the security industry, we hold the following words near and dear to our work:

“Humans are the weakest link in the security supply chain.”

Even companies with solid, well-built security standards are prone to human error. This is because humans are the most important part of information security and all humans make mistakes. According to CompTIA, 52% of security breaches are due to human errors.

While we know human errors are the main reason for over half of all security breaches, most of them are unintentional.

All an attacker needs is an entry point into the organization’s network. If this is achieved by human error, then the security measures implemented to protect your data are of no use. A few major reasons for human vulnerabilities are:

  • Lack of security knowledge.
  • Failure to get up to speed with new threats.
  • Carelessness.
  • Failure to follow policies and procedures.

Lets take a closer look into the various elements of human error.

Security policy oversight

A robust security policy enables an organization to execute business safely. So, what happens when employees don’t follow these policies? I have seen incidents in which employees share sensitive internal data with others. I have also come across individuals who intentionally disable software updates when they are afraid that this corporate requirement will break their work.

Scenarios like these are ubiquitous and, for the most part, unintentional. Some of the most common reasons for people not to follow security policies include:

  • Neglecting to read the policies since they tend to be rather lengthy.
  • Misunderstanding the policies.
  • Failing to remember the policies.
  • Assuming that the policies don’t apply to them.
  • Disregarding certain policies in order to get the work done.

Carelessness and convenience

Carelessness and convenience are also major reasons for human error. When given a choice between convenience and security, the majority of people go with convenience. Scenarios include:

  • Leaving computers unlocked and unattended while at work.
  • Writing down login credentials on a sticky note and placing them in clear view.
  • Plugging in portable devices to the company network.

Again, the primary drivers of these scenarios are people. People assume that the probability of their actions being exploited are very low.

Lack of security knowledge

A lack of security knowledge is still a serious problem that leaves many people vulnerable. For instance, if an employee knows what phishing is, (s)he will think twice before clicking that enticing link. The obvious reason for this insufficient knowledge is that employees don’t go through adequate security training. Thus, they don’t understand that their actions might have a security impact over the company.

Another reason is that employees don’t consider the importance of security knowledge even though they are aware of it. They think that it’s not their job to think about security. Why worry about security when there are security professionals who have them covered?

Faulty assumptions

When someone walks into the office and says that they are a plumber hired by the company, in most cases, employees will just greet them and go about their daily schedules. Not many employees would question whether they really are who they say they are. Attackers manipulate this nature of humans and the results can be nasty. After all, that “plumber” now has access to any and every physical piece of your firm’s infrastructure in the office. They could just walk out the front door with a server—all because of faulty assumptions.

Possible preventions

When someone walks into the office and says that they are a plumber hired by the company, in most cases, employees will just greet them and go about their daily schedules. Not many employees would question whether they really are who they say they are. Attackers manipulate this nature of humans and the results can be nasty. After all, that “plumber” now has access to any and every physical piece of your firm’s infrastructure in the office. They could just walk out the front door with a server—all because of faulty assumptions.

The bottom line

As with all vulnerabilities in the security world, human error can be minimized if not completely mitigated. Conducting red team assessments for your organization and building a methodology based on the results can keep these vulnerabilities in check.

Live-fire exercises mirror potential actions of real-life adversaries.

Continue Reading

Introducing fAST Dynamic: Streamlining dynamic application security testing

Introducing fAST Dynamic: Streamlining dynamic application security testing

Vishrut Iyengar
By Vishrut Iyengar

Mar 19, 2024 / 3 min read

Tags: DAST, Software Integrity, Security News & Trends, Build Security into DevOps
CVE-2017-5638: The Apache Struts vulnerability explained

CVE-2017-5638: The Apache Struts vulnerability explained

Fred Bals
By Fred Bals

Mar 16, 2024 / 3 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain
2024 OSSRA Report: Outdated code risk in open source components

2024 OSSRA Report: Outdated code risk in open source components

Fred Bals
By Fred Bals

Mar 06, 2024 / 4 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security