Humans are a significant factor contributing to data breaches. While cybersecurity is usually treated as a technology problem, 88% of data breaches are the result of human error.
Human Factor in Cybersecurity
The human factors in cybersecurity are actions or events that result in a data breach. These factors largely result from a lack of awareness, negligence, or inappropriate access control.
Regardless of the reason, the cost of human errors adds up. According to IBM, the average cost of data breaches from human error stands at $3.33 million. That’s a big expense that most SMEs can’t afford.
Human error, however, is not so easy to resolve. You can’t resign a ‘faulty’ workforce like you could a faulty software product. There’s always a reason why humans make errors. The key is to understand why the errors were made and to find ways to avoid similar situations in the future.
Admittedly, this may be more work than many small business owners feel they can handle. The rewards, however, are worth it. Knowing the steps to keep your data safe can keep a small business afloat.
The Pace of Work Contributes to Cybersecurity Breaches
Phishing is a powerful method attackers use to gain access to an organization’s assets. Attackers rely on this social engineering technique in a duplicitous attempt to trick an employee into revealing their credentials or running malicious software. Not only does it trick employees, but it also bypasses traditional filtering resources. Simply put, phishing easily catches employees off guard.
When asked why they clicked phishing emails, 45% of employees indicated ‘they were distracted’. 37% of employees indicated ‘they were tired’, and 29% indicated ‘they weren’t paying attention’.
The broad question is: Why are employees so distracted?
In an environment that focuses on high pace and high productivity, many employees are burning the candle at both ends. 93% of employees indicated they are tired and stressed at some point during the working week. Add remote working into the mix, and you’ll find employees are filtering out the noise of home (and often children) from their workload.
Not surprisingly, 57% of remote workers admit they are more distracted when working from home.
Cybersecurity: More Than a Technology Problem
To address the human factor in cybersecurity, companies must first understand that people are an organization’s strongest asset. When provided with the right tools and knowledge, individual capacity to protect against a cyber attack is immense.
There are a few things to note.
Age Does Not Equal Savviness
Many employers assume that younger employees would be less likely to open a link containing malware or phishing for information. That, however, is not the case.
Employees who grew up with the Internet, those ranging in age from 31 – 40, were the group most likely to click on a phishing email. 32% of these employees acknowledged they had erroneously followed a phishing email. Alternatively, only 8% of employees aged 51+ clicked phishing emails.
According to the report, older employees pride themselves on their closed networks and ability to make good business decisions. This older group is also thought to leverage their experience to detect when something doesn’t ‘feel’ quite right. Whereas mid-career employees may be more driven by fulfilling duty and meeting expectations.
Industry Doesn’t Guarantee Awareness
One might assume that involvement in high-tech and high-risk industries, like technology and banking, would bring greater security awareness. That’s why we shouldn’t make assumptions.
Among the industries that face the most human error: technology and financial services. Employees in the technology industry were the most likely to click on links in phishing emails; 47% admitted to clicking phishing emails. 45% of employees in banking and finance also admitted to clicking phishing emails.
It’s notable that these are also the industries that expect to respond to emails quickly. 85% of tech employees and 77% of financial sector employees stated that the speed at which they are expected to respond to emails impacts how they filter and read email.
Humans Fear Making Mistakes
If employees are expected to respond so quickly to emails that they are prone to clicking links containing phishing or ransomware links, that means they may also fear missing an important email. They don’t want to be slow or sloppy. It stands to reason that these same employees sometimes open emails that they shouldn’t.
Humans like to Get Things Done
When something stands in the way of progress, humans either concede defeat or circumnavigate the first line of defense.
Admittedly, neither choice presents a good security option for a business.
When an employee is under pressure to get things done, taking the path of least resistance can feel like the right decision. Employees often look at things like Spam Filters, Firewalls, and Anti-Virus tools as annoyances. While they filter out the undesirable content, they also require extra steps and extra time.
Does your organization require employees to check their Spam box for misfiled items? The truth is, many employees don’t. This human decision may be the reason your business misses emails and business opportunities.
Or, think of a firewall that prevents access to certain sites. The employees may wish to access a user forum that is deemed unacceptable by the company’s IT administrators. Even when warned, they may choose to proceed to the undesirable site. The firewall is a barrier to achieving their goal, so they ignore it.
Humans make decisions to achieve their goals. Sometimes these decisions put the organization at risk. When implementing cybersecurity tools, understanding how your employees use the Internet and email is key.
4 Steps to Reduce Human-Led Cybersecurity Risk
Evidently, cybersecurity and data protection requires human buy-in. Otherwise, human error will negate defense-in-depth technology.
Addressing the human element of data security requires the following four steps.
- Cybersecurity awareness training: Training and awareness programs introduce the tenable prospect of threats into your employees’ working lives. These programs often provide real-time simulations that demonstrate what a threat can look like, and how employees can react. These, however, are not a ‘one and done’ deal. Your business must commit to the continuous education of the workforce because the threat landscape doesn’t just stop evolving when your employee’s cybersecurity training is done. Admittedly this type of program takes time and resources, but it can be as simple as a 10-minute commitment a few times a month.
- Access rights and privileges: While your employees might want continuous access to all your organization’s files, this is a dangerous proposition. By implementing and maintaining policies that restrict file access, you can prevent data theft from the inside. Proactively offer employees access to the files they need to do their jobs well. When employees require access to new files, set a limit to the time they may access these files. File management systems provide these privacy settings, so this level of regulation is accessible to businesses of all sizes.
- Require regular data backups: By encouraging employees to regularly backup their data you are preventing data loss when disaster strikes. While this may be a hard policy to enforce while employees are working remotely, it remains a best practice. In many instances, devices can be set to backup to the cloud automatically. When relying on cloud storage remember that ransomware can take control of cloud services. Any data stored in the cloud should also be backed up to an external hard drive from time to time. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.
- Encourage good cyber hygiene: Out-of-date software or unpatched software can offer attackers a gateway into your organization. Encourage employees to update the software on their devices and to enable all available security features, such as firewalls and anti-malware. It’s an easy form of prevention and an important defensive layer.
Humans are Vital to Cybersecurity
Human resources are key to the cybersecurity of any business. When an organization is small, taking the time to understand what employees do, what they need, and how they react to cybersecurity tools can be the first line of defense.
Adding a layered approach to your business’s cybersecurity can provide the next line of defense and ensure that an attack is detected before it becomes a data breach.
To strengthen your SME’s approach to cybersecurity, consider your employees as a vital line of defense. With education, awareness, and reminders, humans will make informed decisions about what they click. Cybersecurity awareness programs, like our Cybersecurity Awareness Training, enable individuals to make strong cybersecurity decisions and reduce cyber risk in their workplaces.
While training humans is a big step in the right direction, combining education with technology is key. By investing in a cybersecurity tool powered by machine learning technology, you can equip your small business with a detection and response tool that alerts a team of professionals when phishing or erroneous links are clicked. Combining education with technology ensures that even when mistakes are made, they won’t destroy your business.
To learn more about building a human-centric approach to security with CYDEF, get in touch!