Security breaches from human error: Why you can’t patch people

July 24, 20174 Minute Read

Select article text below to share directly to Twitter!


Snapchat. Home Depot. The City of Calgary. What do these three entities (and countless other organizations) have in common? Data security breaches from human error, unfortunately. Each one of them faced expensive incidents as the result of simple employee mistakes.

Information security studies, based on massive open-source information (OSINT) data sets, continually demonstrate that about 62 percent of security breaches today stem from employee error. Organizations tend to worry about the bad guys—the wolves, if you will. But what about the occasional disgruntled employee? The one who might deliberately commit sabotage.

These security incidents do happen. They’re not necessarily your biggest risk—if you want to get statistical about it—and it may seem like controlling against employee mistakes would be one of the easiest aspects of contemporary information security. But that’s not even close to being accurate. If people are anything, they’re unpredictable. When you put technology in their hands, they’re just one click away from disaster.

Human error in 2017: Same old story

One very recent and massive report on information security, the annual Verizon Data Breach Investigations Report (DBIR), revealed that in the last year, human error-attributed incidents involved familiar mistakes: emailing or delivering sensitive data to the wrong person, publishing errors, data disposal, programming errors, malfunctions, gaffes, data entry, etc. Here’s the really embarrassing part: In 76 percent of the cases cited in the Verizon report, a customer pointed out the error.

In nearly any breach, there’s a human failure somewhere in the chain. An incident categorized as malware, for instance, could be due to an employee breaking policy or failing to update a patch. When you look at security incidents as a product of human failure instead of the direct result, this issue is even more mind-boggling. Nearly every security incident ever results from some employee doing something careless.

If you’ve got a seriously disgruntled employee who’s out to steal secrets, a data security incident might be their fault, and the incident would be categorized as malicious insider action. But isn’t it also the fault of the employee who failed to remove the sensitive document from the printer tray in the first place?

Predicting the unpredictable

Your organization can’t run patch updates on your employees. As an IT pro, you’ve heard the credo that “security awareness training” is important countless times. Chances are, you’re required to run training to comply for regulatory reasons. But honestly, does security awareness training actually work?

Unless all of the thousands of organizations getting fixed are out of compliance, maybe training isn’t enough. One study revealed near-total improvement in human response to phishing simulation after five exercises. However, you’re still dealing with complex and unpredictable humans. Training can’t account for when employees are in a hurry, exhausted, or hangry because they’re late for lunch.

The smartest approach is likely to combine human with technical safeguards—smarter software plus lots and lots of training. The potential for people to make mistakes should be a security focus when you’re shopping for new apps, configuring new software, and designing homegrown software applications. By making it as hard as possible for people to misdeliver or publish sensitive data with your technology, you could shrink your attack surface significantly.

1. Don’t expose sensitive data

One of the basic principles of information security involves granting every individual in your organization the least amount of access they need to do their job. While your apps might not let users log in and view sensitive data, understanding other areas of possible exposure is important. Take printed hard copies of sensitive information, for example. How often do people let print jobs just sit in the tray? Using secure print technology that requires at-printer employee authentication via badge or PIN is one smart way to protect your sensitive data from internal mistakes.

2. Take policy-based administration and run with it

Implementing policy-based administration everywhere possible can safeguard against the misdelivery trend in human error and other raging risks. By forcing employees to confirm they’re indeed trying to send an attachment to an external party, or turning off external auto populate for email addresses, you can reduce the chances that someone gets recipients mixed up. Using the data from industry-wide reports and your own internal security incidents can be a powerful tool for revealing where you need to shop for smarter software or update your policy-based administration.

3. Use humans to protect against humans

Your marketing department runs on tight deadlines. But that doesn’t mean your intern needs full publishing power to your external CMS. The same goes for your developers: You’re short on QA testers and skilled devs, but should someone have full execution control over your code? Today’s IT pros need to gain executive buy-in and collaborate with HR to establish smarter workflows and processes that reduce risks.

Make it easy to do the right thing

The human risks of information security aren’t necessarily shrinking, especially as wolves and hackers continue to study organizations and people to identify areas of vulnerability. As an IT pro, your job is to make it as hard as possible for mistakes to happen. With a combination of smarter training and simulation, better applications and printers, and really great policy-based administration you’ll make it much easier for your people to do the right (and secure) thing.

  • Recommended for you
  • Recommended for You