In the security industry, we hold the following words near and dear to our work:
Even companies with solid, well-built security standards are prone to human error. Humans are involved in every part of information security, and all humans make mistakes. According to CompTIA, 52% of security breaches are due to human error.
While human error is the main cause of over half of all security breaches, most of those errors are unintentional.
All an attacker needs is an entry point into the organization's network. If a human error provides that entry point, the technical controls deployed to protect your data can be bypassed without ever being defeated. A few major causes of human vulnerabilities are:
Let's take a closer look at the various elements of human error.
A robust security policy enables an organization to execute business safely. So, what happens when employees don't follow these policies? I have seen incidents in which employees shared sensitive internal data with outsiders. I have also come across individuals who intentionally disabled software updates because they feared that this corporate requirement would break their work.
Scenarios like these are ubiquitous and, for the most part, unintentional. Some of the most common reasons for people not to follow security policies include:
Carelessness and convenience are also major sources of human error. When given a choice between convenience and security, most people choose convenience. Scenarios include:
Again, the primary drivers of these scenarios are people. People assume that the probability of their actions being exploited is very low.
A lack of security knowledge is still a serious problem that leaves many people vulnerable. For instance, an employee who knows what phishing is will think twice before clicking that enticing link. The obvious reason for this insufficient knowledge is that employees don't receive adequate security training, so they don't understand that their actions might have a security impact on the company.
Another reason is that employees who are aware of security still don't consider it their concern. They think that it's not their job to think about security. Why worry about security when there are security professionals who have them covered?
When someone walks into the office and says that they are a plumber hired by the company, in most cases employees will just greet them and go about their daily schedules. Few employees would question whether the visitor really is who they say they are. Attackers exploit this trusting nature, and the results can be nasty. After all, that "plumber" now has physical access to the office and to every piece of your firm's infrastructure in it. They could simply walk out the front door with a server, all because nobody questioned a faulty assumption.
Though humans remain the weakest link in the security chain, there is no way to replace them. The best way to minimize, and sometimes prevent, human error is to educate employees. Encourage them to understand the causes and repercussions of human error. Conduct periodic quizzes or similar checks to confirm that employees really do understand the security policies in place. Conduct occasional security assessments to understand your firm's security posture; these help reveal where human error is most likely to occur. Then reduce the severity of the errors that still happen by having strong data protection in place, so that a single mistake does not expose everything.
As with all vulnerabilities in the security world, human error can be minimized even if it cannot be completely mitigated. Conducting red team assessments that exercise these human weaknesses, and building a methodology based on the results, can keep these vulnerabilities in check.
Sakthi Mohan is a security consultant at Synopsys. She recently received her master's in computing security from Rochester Institute of Technology. Sakthi is an emerging security professional specializing in architecture risk analysis, Web application security, and network security.