Through its research on the Psychology of Human Error, Stamford University released a report that showed human error was the cause of 88% of cybersecurity data breaches. That study was released in 2020, so how do the numbers compare now?
The 2023 Thales Global Security Study of nearly 3,000 companies - found that at 55%, human error is still the leading cause of data breaches, with the exploitation of vulnerabilities being the next biggest cause ( 21%). The report also found that only 49% of enterprises had a formal ransomware response plan in place, while 67% had reported data loss from ransomware attacks.
Of course, human error doesn’t just put data at risk. Errors can result in regulatory fines, productivity losses, lawsuits, negative impacts on brand reputation, and potential ransoms to cyber attackers. The global average cost per data breach amounted to $4.45 million this year – an increase from $4.35 million in the previous year.
How Human Errors Can Put Data at Risk
Here are a few examples of how mistakes have put data at risk.
This year both Caesars Entertainment and MGM Resorts both fell foul to social engineering attacks. Cyber attackers bragged that it took 10 minutes to infiltrate MGM Resort’s system after identifying an MGM tech employee on LinkedIn and calling the company’s support desk. It resulted in hours of delays for guest check-ins and crippled electronic payments, digital key cards, slot machines, ATMs, and parking as well as taking down the mobile website and app for four days.
Lapses in data security protocol led to two highly publicized data breaches within the Police Service of Northern Ireland (PSNI) this year. The first saw the names and roles of 10,000 officers published online when information was accidentally included in a response to a freedom of information request. The second breach was reported a day later and concerned the theft of a spreadsheet with the names of 200 officers and staff.
The rise in Shadow IT has also led to data breaches – after all, if IT doesn’t know what employees are using in the cloud they can’t secure them. One example of this was the case of Insight Global, which was managing Covid contact tracing in Pennsylvania. Some employees had set up and used Google accounts for sharing information in an unauthorized collaboration channel leading to the potential exposure of the personal data of thousands of Pennsylvania residents. In another example, JP Morgan Chase employees failed to comply with record-keeping legislation, using WhatsApp to communicate sensitive data. As a result, the company received a $125 million penalty from the Security and Exchange Commission (SEC) and a further fine of $75 million from the Commodity Futures Trading Commission (CFTC).
Data breaches don’t always occur online. After four SSD disks went missing from an SAP data center in Germany, one of the disks was later discovered on eBay. It was purchased by an SAP employee and found to contain personal records of over 100 SAP employees. An investigation found that the disks had been stolen and human error and process failure contributed to the loss. In another widely reported case, Morgan Stanley was fined $35 million by the SEC when an IT asset disposition vendor failed to correctly clean data from assets during a data center decommissioning project.
A Growing Threat
It’s not just the cost of data breaches that is rising, but the size of attacks. At the start of this year, the World Economic Forum released a report that revealed 93% of cybersecurity experts and 86% of business leaders believe global geopolitical instability is likely to lead to a catastrophic cyberattack in the next two years.
This unease was echoed by the Proofpoint Voice of the CISO report released earlier this year. It found that most CISOs have returned to the elevated concerns they experienced earlier in the pandemic, with 68% feeling at risk of a material cyberattack, up from 48% the previous year. A higher proportion (76%) of respondents to this study also feel their organization is unprepared to cope with an attack– compared to 65% the previous year.
Given this rising threat it’s in every company’s best interest to restrict the potential for human error and strengthen cybersecurity. So, what can they do?
Limit the Impact of Human Error on Cyber Security
Here are a few things you could consider to limit the impact of human error on cyber security:
Educate users on phishing and other social engineering tactics: Cyber attackers are constantly evolving their tactics and are now taking advantage of tech such as AI to help them. It’s important to keep on top of the latest techniques and share them with employees. Stamford University says it’s important not to shame employees who make mistakes, with its report finding that younger employees are five times more likely to admit to errors. However, the report also found that younger employees are more likely to click on a phishing email at work.
Identify Shadow IT and Educate Communicate Policies: If you haven’t put in place a formal policy around the use of SaaS in the workplace, then do so and communicate it to employees. Run regular audits of your environment to identify Shadow IT and who is using it and make decisions on what can be supported and what must be added to the ‘no go’ list and communicate this to end users.
Remove security permissions promptly: Proofpoint’s report found that 84% of UK CISOs said employees leaving the organization played a role in a data loss event. It’s vital that the offboarding process is automated to reduce the risk created by a disgruntled ex-employee – including the risk of disrupting services. This happened when a former Cisco employee was able to connect to Cisco’s AWS-hosted system five months after he’d left the company and deleted virtual machines powering Cisco’s WebEx video conferencing service. More than 16,000 WebEx Teams accounts were shut for up to two weeks costing Cisco around $1.4 million in employee time and over $1 million in customer refunds.
Bolster Security Policies: Ensure checks are in place to limit the chance of data-bearing equipment or other assets being removed from data centers or other buildings and consider investing in asset tracking capabilities. Also, ensure that data-bearing equipment is clearly marked as such so that ITAD vendors know how they should be managed. Make sure that within the process you incorporate confirmation from vendors that assets have been disposed of appropriately.
Get Your Tools to Work Together
Each of these steps takes considerable time and ties up resources. This is because data is typically held within the myriad tools, point solutions, and systems of record, all of which do not work together. This creates blind spots that can only be removed through manual efforts and a mountain of spreadsheets.
There is a way to get tools working together so you can access the data you need and automate responses to what the data is telling you. That’s by using a digital platform conductor (DPC). A DPC connects to all your existing tools and then aggregates, cleans, and correlates the data they hold. This allows you to make informed business decisions and automate workflows to limit the chance of human error and the impact it has on the company.
Using a DPC you can:
- Augment discovery, observability, and monitoring tools to identify Shadow IT or track connected assets to identify missing assets.
- Automate IT asset lifecycle management workflows, from deployment through to disposal.
- Automate the offboarding process to remove the chance of ex-employees accessing and using company data or resources.
- Access up-to-date records for audit trails, including workflows managed by third parties.
Book a demo with ReadyWorks to understand how you can mitigate cybersecurity risks and costs for your enterprise.