Why Human Error is a Major Threat to Cybersecurity

  • December 24, 2022
  • By Cyberarch Admin

Role of Human Errors in Cybersecurity Breaches

A data breach is the unauthorised disclosure or leakage of the sensitive and private information of a business organization. It can happen intentionally or unintentionally. Data breaches worldwide are on the rise, and billions of records are exposed every year. Moreover, the global cost of data breaches is predicted to reach approximately 10 trillion dollars by 2025.

Human error is one of the major causes of data breaches. While about a quarter of data breaches were attributed to human error in 2018, a recent IBM study attributes 95% of data breach incidents to one form of human error or another.

Although making mistakes is part of being human, the data breaches that result from them can be very costly. In addition, the human side of cyber attacks has far too often been overlooked and needs to be studied, so that the right solutions to the problem can be determined and the behaviour, knowledge, skills and abilities of people in the organization can be improved.

Human Errors and Security Breaches

Cybersecurity generally revolves around three levels: the organization, the technology and the humans. In this context, human errors are defined as unintentional actions, or failures to act, by the employees of an organization that enable a data breach to occur. These actions range from unknowingly downloading a malware-infected attachment and failing to use strong passwords to clicking on malicious links and not following security policies.

With the growth of the digital ecosystem, employees in an organization now use a myriad of software, tools, services and technologies, and countless usernames and passwords are created to access each one of them. The resulting cyber fatigue is considered one of the factors that leads people to make errors.

Cybercriminals often exploit human weaknesses to carry out cyber attacks and data breaches. Human behaviour, actions and errors directly create vulnerabilities that make data breaches easier. Mitigating human error is therefore important to avoid accidental data breaches.

When threat actors target an organization deliberately, they often use social engineering tactics to obtain data or credentials from employees without using malware or other technical means. The constant threat of cyber attacks also puts pressure on employees, which causes further errors.

Types of Human Errors in Cybersecurity 

Human errors in cybersecurity can be classified into three categories: skill-based, decision-based and rule-based errors. Of the three, the first two are considered the major sources of human error by experts and are described below.

  • Skill-based Errors

Skill-based errors are lapses or slips on the part of an organization's employees: small, careless mistakes that happen while performing tasks and activities online and sometimes offline. In such cases the user knows the rules and procedures that should be followed but fails to apply them.

  • Decision-based Errors

Decision-based errors happen when an employee makes a wrong decision. This can happen for multiple reasons, such as a lack of knowledge, a lack of skills or ability, or not having enough specific information to make the correct decision.

Examples of Human Errors

Human errors can occur at all levels of a business organization, from end users, system administrators and network and security managers to policymakers and C-suite executives. An end user may browse the web without following best practices, which can lead to a malware infection or data breach. In this case the action is not intended to create business risk such as a cyber attack but to achieve some personal outcome; it nevertheless violates the guidelines laid down by the security and IT teams.

In other instances, professionals in the network team may make configuration mistakes that leave applications, systems and networks vulnerable to a cyber attack or data breach. A 2021 Verizon report categorised the human errors that lead to data breaches as misdelivery, misconfiguration, publishing errors, programming errors, loss and so on. Some of the most common are discussed here.

  • Misdelivery

Misdelivery is sharing data with someone other than the intended recipient, or sending it to an unknown destination. It compromises security and increases the chances of a data breach. According to Verizon, misdelivery has been one of the top causes of data breaches.

One example is sending emails with the auto-suggest feature of the mail client, which makes it easy for an employee to share sensitive information with the wrong recipient. In one such case, an NHS practice revealed the names and email addresses of people who had visited HIV clinics: a bulk email was sent with all the patients' addresses in the visible recipient field instead of the "bcc" field, so every recipient could see who else had been written to. This is a typical skill-based error.
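The NHS case above is the kind of slip that tooling can catch before the message leaves the organization. The following Python example is added here and is not code from the original article or from the NHS; it assumes a constructed threshold (MAX_VISIBLE_RECIPIENTS) and made-up addresses, and shows two controls: a builder that moves large recipient lists to Bcc automatically, and an outbound gate that refuses any message whose To/Cc headers expose more addresses than the threshold.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed threshold for this example: above this many visible addresses a
# message is treated as a mailing and the recipient list must go in Bcc.
MAX_VISIBLE_RECIPIENTS = 5


class MisdeliveryRisk(Exception):
    """Raised when a message would expose a recipient list that should stay private."""


def visible_recipients(msg):
    """Addresses every recipient will see: everything in To and Cc (Bcc is excluded)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def build_bulk_message(sender, recipients, subject, body, *, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Build an EmailMessage that never reveals a large recipient list.

    Small lists stay in To. Larger lists are moved to Bcc and To is set to the
    sender's own address, so no other address appears in the visible headers.
    smtplib.SMTP.send_message() strips the Bcc header before transmission.
    """
    recipients = list(dict.fromkeys(a.strip().lower() for a in recipients if a.strip()))
    if not recipients:
        raise ValueError("no recipients given")
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if len(recipients) <= max_visible:
        msg["To"] = ", ".join(recipients)
    else:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    return msg


def check_outbound(msg, *, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Outbound gate (for example an SMTP relay hook): refuse messages whose To/Cc
    expose too many addresses. Returns True when the message is safe to send."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise MisdeliveryRisk(
            f"{len(visible)} addresses visible in To/Cc (limit {max_visible}); use Bcc"
        )
    return True


if __name__ == "__main__":
    # Constructed sample: a clinic reminder to seven patients (addresses are made up).
    patients = [f"patient{i}@example.com" for i in range(7)]
    safe = build_bulk_message("clinic@example.org", patients, "Appointment reminder", "See you next week.")
    print("To:", safe["To"], "| visible addresses:", len(visible_recipients(safe)))
    print("outbound check:", check_outbound(safe))
    exposed = build_bulk_message("clinic@example.org", patients, "Reminder", "...", max_visible=100)
    try:
        check_outbound(exposed)
    except MisdeliveryRisk as exc:
        print("blocked:", exc)
```

The gate is the part worth deploying: the builder only helps people who use it, whereas a check on the relay also catches the message typed by hand with every address pasted into To.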

  • Password

Passwords remain one of the biggest problems businesses face. Generic passwords such as 12345 or abcde are easy targets for cybercriminals. Reusing the same password on other platforms or services makes it more dangerous still, because one breach exposes every account that shares it. Many employees also share passwords with colleagues, write them down and leave them on the desk, or store them in a file on the desktop.
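The weak patterns named above (12345, abcde, reuse of an old password) can be rejected at the point where a password is set. The following Python policy check is an added example, not code from the original article; its denylist, minimum length and salt are constructed for illustration, and a real deployment would check candidates against a large list of known-breached passwords. Reuse on other platforms cannot be detected from inside one system, so the history check covers only previous passwords of the same account.

```python
import hashlib
import hmac

# Constructed denylist for this example. A real deployment would load a much larger
# list of known-breached passwords and check candidates against it.
COMMON_PASSWORDS = {"password", "123456", "12345", "abcde", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12  # assumption: the policy minimum used in this example


def longest_sequential_run(s):
    """Length of the longest run of consecutive characters in one direction:
    '12345' and 'abcde' score 5, 'edcba' scores 5, '12321' scores 3."""
    if not s:
        return 0
    best = run = 1
    direction = 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and step == direction:
            run += 1
        elif step in (1, -1):
            run, direction = 2, step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def has_repeated_run(s, n=4):
    """True if any character repeats n or more times in a row ('aaaa', '1111')."""
    return any(len(set(s[i:i + n])) == 1 for i in range(len(s) - n + 1))


def hash_password(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 for storing password-history entries (never store the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def password_problems(password, history_hashes=(), salt=b""):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history_hashes are previous hash_password() outputs for the same account (with the
    same salt), so setting an old password again on this system is caught.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if longest_sequential_run(password) >= 4:
        problems.append("contains a sequential run such as 1234 or abcd")
    if has_repeated_run(password):
        problems.append("contains a character repeated four or more times")
    if history_hashes:
        candidate = hash_password(password, salt)
        # compare_digest keeps the comparison constant-time even though these are hashes
        if any(hmac.compare_digest(candidate, old) for old in history_hashes):
            problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # assumption: a real system generates one per account
    history = [hash_password("correct horse battery staple 42", salt)]
    for candidate in ("12345", "abcde", "Summer2022!!", "correct horse battery staple 42",
                      "correct horse battery staple 43"):
        print(repr(candidate), "->", password_problems(candidate, history, salt) or "ok")
```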

  • Patching

The many different software products used by business organizations are an unavoidable necessity today, and users must install updates as soon as they are available. Cyber threat actors are always on the lookout for vulnerabilities in software and exploit them, so users who delay installing updates put themselves at risk. Microsoft and other software vendors provide security patches regularly; when the patches are not installed, the known vulnerabilities they fix remain open and lead to data breaches.

Possible Solutions

  •  Cybersecurity Policies 

Cybersecurity policies should detail the processes and procedures that everyone in an organization must adhere to without compromise. They are important for the protection of data and for keeping it confidential, available and valuable.

Experts propose multi-level security policies: a security program policy that lays down the strategy, planning, scope and approach of security efforts; issue-specific policies covering the use of technology, devices, systems and email; and technical security policies such as system configuration and maintenance.

  • Privilege Control

Privilege control means giving each person only the privileges they need for their role, rather than giving everyone broad access. Its benefits include clear responsibility for the data, since only those who need it can reach it, and fewer opportunities for human error and therefore fewer openings for cyber threat actors.

  • Password Management

As discussed above, passwords are a great risk, so taking the burden of managing them away from end users helps. Password management software stores strong, unique passwords for each service and prevents them from being exposed, and two-factor or multi-factor authentication adds an extra layer of protection so that a stolen password alone is not enough to log in.
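The most common second factor is a time-based one-time password from an authenticator app. The Python below is an added example, not code from the original article or from any product it mentions; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and uses the RFC's published test secret ("12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ). The server-side verifier shows the three checks a practitioner should insist on: constant-time comparison, a small drift window, and rejection of any counter already accepted so a captured code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded):
    """Decode the base32 shared secret as shown in an authenticator app's setup key."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    at = int(time.time()) if at is None else int(at)
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=None):
    """Server-side check. Returns the accepted counter (persist it as the account's new
    last_counter) or None when the code is rejected.

    - hmac.compare_digest avoids leaking how many digits matched through timing
    - window allows +/- window steps of clock drift between client and server
    - any counter <= last_counter is refused, so a code cannot be replayed
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    at = int(time.time()) if at is None else int(at)
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), in base32 as an app would show it.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret, at=59)
    print("code at t=59:", code)  # RFC vector 94287082, i.e. 287082 with six digits
    accepted = verify_totp(secret, code, at=59)
    print("accepted counter:", accepted)
    print("replay rejected:", verify_totp(secret, code, at=59, last_counter=accepted) is None)
    print("current code:", totp(secret))
```

Store the returned counter per account and pass it back as last_counter on the next login; without that step the drift window turns every code into a credential valid for up to 90 seconds against anyone who sees it.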

  • Culture

Creating a security-first culture can address most of the problems related to cyber security and drastically reduce human errors and their role in breaches. Different approaches can be used to build a security culture: awareness and training sessions for employees, encouraging discussion, running campaigns within the organization, addressing concerns, and education about the positive results it can achieve for individuals as well as the organization. You can also partner with security consultants or professionals to boost security awareness within your business.
