Preventing Human Error in Information Security
Avoidable Mistakes and Essential Training
It is an unfortunate truth that, whoever we are, none of us is beyond making the occasional mistake. From the embarrassing typo to something more serious, mistakes are always an opportunity to learn. When human error surfaces in information security, it is often an avoidable slip that allows much larger problems to follow.
According to commonly cited research, somewhere between 90% and 95% of all cyber security breaches result from human error, a statistic that will not surprise many information security professionals.
From ransomware attacks to serious data breaches, human error almost invariably plays a role in information security incidents. Yet many organisations still fail to take this factor into account when planning their information security strategy.
At a time when 4 in 10 UK businesses report experiencing a cyber security breach or attack in the last twelve months, it is startling that 77% of UK workers have never received any form of information security training from their employer.
To help you and your organisation better understand, and therefore mitigate, the problem of human error, below is a comprehensive look at some of its most common forms and, more importantly, some of the steps you can take to stop human error undermining your organisation's information security.
What is Human Error in Information Security?
At its core, human error is simply unintentional action. Such actions vary dramatically in seriousness, from the inconsequential and perhaps unnoticed to the extremely damaging, even to the point of presenting an existential threat to an organisation.
Broadly speaking, human error is divided into two distinct types: skill-based errors and knowledge-based errors.
Skill-based errors are the minor lapses and small mistakes that occur when a user is performing familiar tasks. The user knows how to perform the action correctly but, through inattention, distraction or carelessness, temporarily fails to follow the proper procedure.
Conversely, a knowledge-based error occurs when an individual has not been given the information needed to avoid the misstep, often when confronting a novel situation. With this type of error, the user may not even realise that they have made an error of judgement.
Common Forms of Human Error in Information Security
Though it may sound basic, the importance of a robust password process cannot be overstated. From reusing passwords across multiple accounts to storing them insecurely, this form of human error is probably among the most easily mitigated.
As well as setting out a clear policy against reusing or sharing passwords and providing a reliable password manager, training users to generate strong passwords is essential.
It may come as a surprise to some, but in 2021 the most commonly used password is still '123456' (closely followed by '12345678'); a computer would need less than a second to crack either.
Read More: How Secure is Your Password Process?
As outlined by the UK's National Cyber Security Centre (NCSC), one of the simplest and most effective methods of devising a good password is to combine three random words. For example, the combination 'optimistic/garment/wind' is estimated to take somewhere in the region of four hundred billion years for cyber criminals to crack, a rather large difference from a single second.
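The NCSC three-random-words approach, as an added example that is not code from the original page or from the NCSC: the generator below draws words with a cryptographically secure source rather than a guessable one, and it estimates the resulting guess space so the figures above can be put in context. The "four hundred billion years" figure is a character-by-character brute-force estimate; an attacker who knows the scheme and has the wordlist only has to search word combinations, which is the number the code also computes. The wordlist, the 7,776-word list size and the two guess rates (an offline GPU attack on a fast hash, and a rate-limited online login) are assumptions for illustration.

```python
import math
import secrets

# Constructed sample wordlist for the demonstration (assumption). A real deployment
# would load a large published list so the word-level keyspace is big enough; the
# 7,776-entry size used below matches common diceware-style lists.
SAMPLE_WORDS = [
    "optimistic", "garment", "wind", "anchor", "pebble",
    "lantern", "copper", "meadow", "harbour", "signal",
]


def three_random_words(words, n=3, separator="-"):
    """Join n distinct words chosen with a CSPRNG (secrets, never random)."""
    pool = list(dict.fromkeys(words))  # de-duplicate, keep order
    if len(pool) < n:
        raise ValueError("wordlist too small for the requested number of words")
    chosen = []
    for _ in range(n):
        word = secrets.choice(pool)
        pool.remove(word)  # distinct words: a sampled word is not reused
        chosen.append(word)
    return separator.join(chosen)


def wordlist_entropy_bits(wordlist_size, n=3):
    """Entropy of n distinct, ordered words drawn from a list of wordlist_size."""
    return math.log2(math.perm(wordlist_size, n))


def charset_entropy_bits(charset_size, length):
    """Upper bound for a string of `length` chars over a charset, assuming every char is random.

    For '123456' this is only an upper bound: a dictionary attack tries it first.
    """
    return length * math.log2(charset_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the right guess: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def compare(words_per_list=7776, offline_rate=1e10, online_rate=100):
    """Expected crack times (seconds) for '123456' and for three random words.

    offline_rate models a GPU rig against a fast unsalted hash; online_rate models a
    rate-limited login form. Both rates are assumptions chosen for illustration.
    """
    digits6 = charset_entropy_bits(10, 6)            # six digits: about 19.9 bits
    words3 = wordlist_entropy_bits(words_per_list)   # three of 7,776 words: about 38.8 bits
    return {
        "123456_offline": expected_crack_seconds(digits6, offline_rate),
        "123456_online": expected_crack_seconds(digits6, online_rate),
        "three_words_offline": expected_crack_seconds(words3, offline_rate),
        "three_words_online": expected_crack_seconds(words3, online_rate),
    }


if __name__ == "__main__":
    print(three_random_words(SAMPLE_WORDS))
    for label, seconds in compare().items():
        print(f"{label}: {seconds:,.1f} s")
```

The takeaway from `compare()` is that three words from a 7,776-word list are enormously better than a six-digit password, but against an offline attack on a fast hash the word-level search still finishes in seconds; the scheme's practical strength therefore also depends on a large wordlist, on services storing passwords with a slow hash, and on rate limiting of login attempts.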
As one of the most common and recognisable forms of human error, clicking on a phishing email can be an extremely costly and devastating mistake. From the theft of user credentials to the opening of malicious attachments (such as ransomware), falling prey to a phishing email is not a matter to be taken lightly.
Exploiting basic human instincts such as curiosity and the impulse to respond to urgency, malicious actors continuously refine their methods and grow more sophisticated in their operations.
Though many phishing emails will be caught by filters and other technical controls, those that do get through can easily fool a user who has not been taught how to identify such a message or what precautionary steps to take.
Read More: The Essential Anti-Phishing Training Guide
Inspecting links, double-checking sender details and not opening particular file types is simple but essential knowledge, and knowledge that can significantly reduce instances of human error and head off some of the most damaging forms of attack.
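The checks staff are taught to make by hand (does the link go where its text says, does the reply address match the sender, is the attachment an executable, does the subject push urgency) can be encoded as detection logic. Below is an added example, not code from the original page, that parses a message and reports those indicators. The sample message it builds is constructed for the demonstration; the sender and link domains in it are made up, and the extension list and urgency phrases are assumptions a real deployment would tune.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should rarely, if ever, arrive as email attachments (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".lnk", ".iso", ".docm", ".xlsm"}
# Pressure language typical of phishing subjects (assumed phrases).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account will be (locked|suspended))\b", re.I)


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-case host of a URL, or of a bare domain written without a scheme."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return human-readable warnings for the indicators staff are taught to spot."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject uses pressure language (urgency)")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename.lower())[1]
            if ext in RISKY_EXTENSIONS:
                kind = "double extension" if filename.count(".") > 1 else "executable type"
                findings.append(f"attachment '{filename}' has a risky {kind} ({ext})")
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                link_host = host_of(href)
                if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", link_host):
                    findings.append(f"link points at a raw IP address: {href}")
                if "xn--" in link_host:
                    findings.append(f"link host uses punycode (possible lookalike): {link_host}")
                # Only compare when the visible text itself looks like a domain or URL.
                shown_host = host_of(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else ""
                if shown_host and shown_host != link_host:
                    findings.append(f"link text shows '{shown_host}' but goes to '{link_host}'")
    return findings


def build_sample_message():
    """Constructed phishing-style message for the demonstration (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"
    msg["To"] = "staff@example.com"
    msg["Reply-To"] = "support@example-helpdesk.net"
    msg["Subject"] = "URGENT: your account will be locked within 24 hours"
    msg.set_content("Verify your account now.")
    msg.add_alternative(
        '<p>Verify now: <a href="http://portal.example.com.verify-account.net/login">'
        "https://portal.example.com/verify</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice_April.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in phishing_indicators(build_sample_message()):
        print("-", finding)
```

Each finding maps to one of the manual checks above; none of them alone proves a message is malicious, which is why the function reports a list for a human (or a mail gateway rule) to weigh rather than a single verdict.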
Regardless of industry, sector or region, every organisation handles some form of sensitive information. Whether it is confidential internal information, intellectual property or personally identifiable client data, a variety of precautions should be taken to uphold the confidentiality, integrity and availability of this information.
Even something as simple as mis-delivery (sending information to an unintended recipient) can be a significant factor in a data breach; it was in fact ranked as the fifth leading cause in a 2018 Verizon report.
Furthermore, with legislation such as the UK GDPR now exposing companies to increasingly substantial fines, ensuring that employees have the skills and knowledge to avoid mishandling data is an area of information security that no organisation can afford to ignore.
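Mis-delivery is usually an autocomplete slip or a typo in the recipient's domain, so it is one of the few human errors a tool can catch at the moment it happens. The following is an added example, not code from the original page, of an outbound-mail guard that warns the sender before a message leaves: it flags recipient domains that look like a misspelling of the organisation's own domain, sensitive content going to any external domain, and recipient lists that span several unrelated external domains. The organisation domain `example.com`, the partner allow-list and the similarity threshold are assumptions for the demonstration.

```python
import difflib
from email.utils import getaddresses

# Assumptions for the demonstration: the organisation's own mail domain and a small
# allow-list of partner domains that routinely receive its data.
ORG_DOMAIN = "example.com"
TRUSTED_EXTERNAL = {"partner-example.org"}


def recipients(header_values):
    """Parse To/Cc header strings into (address, domain) pairs."""
    pairs = []
    for _, addr in getaddresses(header_values):
        if "@" in addr:
            pairs.append((addr.lower(), addr.rsplit("@", 1)[1].lower()))
    return pairs


def looks_like_typo_of(domain, reference, threshold=0.8):
    """True when domain is a near-miss of reference (e.g. exampel.com for example.com).

    The 0.8 similarity threshold is an assumption; tune it against real address books.
    """
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= threshold


def misdelivery_warnings(header_values, sensitive=False,
                         org_domain=ORG_DOMAIN, trusted=TRUSTED_EXTERNAL):
    """Warnings to show the sender before an outbound message leaves the organisation.

    header_values: list of raw To/Cc header strings.
    sensitive: True when the message or its attachments are classified as sensitive.
    """
    warnings = []
    external = set()
    for addr, domain in recipients(header_values):
        if domain == org_domain or domain in trusted:
            continue
        external.add(domain)
        if looks_like_typo_of(domain, org_domain):
            warnings.append(f"{addr}: domain looks like a misspelling of {org_domain}")
        elif sensitive:
            warnings.append(f"{addr}: sensitive content addressed to external domain {domain}")
    if len(external) > 1:
        warnings.append("recipients span several external domains: " + ", ".join(sorted(external)))
    return warnings


if __name__ == "__main__":
    # Constructed recipient lists for the demonstration.
    for w in misdelivery_warnings(["alice@example.com, bob@exampel.com"]):
        print("-", w)
    for w in misdelivery_warnings(["finance@gmail.com", "x@yahoo.com"], sensitive=True):
        print("-", w)
```

A guard like this sits in the mail client or gateway as a confirmation prompt, not a block: the aim is to interrupt the skill-based slip described earlier, while leaving legitimate external mail to go through once the sender has looked at the address.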
Real Life Examples of Human Error in Information Security
British Airways – Incident Response Error
In a clear example of the dangers of avoidable human error, British Airways suffered an incident that resulted in the mass cancellation of flights, around 75,000 passengers being grounded, and a 1.8% decline in passenger traffic.
The incident occurred when, at a data centre near London's Heathrow airport, an overzealous engineer hastily reconnected a power supply, causing a power surge that did major damage to the airline's IT systems.
Taking over three days to remediate and costing the airline an estimated £80 million in lost revenue and compensation, this example of human error clearly demonstrates the need for organisations to examine the full range of errors that threaten their information security.
Sony Hack – Phishing Error
Perhaps one of the best-known information security attacks of the 21st century, which saw a huge cache of confidential company data released onto the web, most likely began with a targeted phishing campaign.
Costing the company an estimated $15 million and drawing the attention of the world's media, the incident is commonly thought to have been orchestrated by a state-backed hacking group. Less well known is that many cyber security professionals believe the intrusion stemmed from executives clicking on fake Apple ID verification emails.
Having harvested credentials through the phishing campaign, the attackers then gained access to the Sony network and wreaked havoc with a huge amount of extremely sensitive information, all because users (who really should have known better) failed to recognise a fraudulent email.
Preventing Human Error in Information Security
Though there is no quick fix to all your information security issues, and no magic bullet that can eliminate human error entirely, there are several important steps that should be taken to help strengthen your organisation’s defences and enable users to guard against the wide variety of potential threats.
Creating a Secure Culture
Probably the most overlooked element of strengthening information security is an organisation's internal culture. In a secure culture, security is a consideration applied to every decision and action, with users actively aware, engaged and vigilant about the security issues they will inevitably encounter.
From encouraging honest discussion to regularly providing users with up-to-date, relevant information, creating a secure culture is about making security awareness a moment-by-moment element of everything users do, not simply a matter of compliance.
Information Security Awareness Training
While many companies provide some level of in-house training, specialised online information security training offers a wider range of options for training, testing and tracking employees.
From detailed tutorials on the foundations of information security, through interactive exercises in which users put their learning into practice, to simulated phishing campaigns, online training is increasingly the choice of organisations that want to get serious about security.
These features allow an employer not only to provide staff with the necessary training but also to monitor users' progress and demonstrate compliance, giving the organisation the tools to fight avoidable human error and reduce its risk.
Hut Six Training
Featuring twenty-six comprehensive tutorials covering all aspects of information and cyber security, Hut Six's learning management system (LMS) lets employers assess and track the achievements of staff and better understand areas for improvement.
Providing engaging, relevant, and bite-sized training, Hut Six’s awareness solution builds a security aware culture by focusing on achieving meaningful, behavioural change.
If you have found this guide to human error useful and you’d like to learn more about how you can protect and strengthen your business with unique and engaging information security awareness training