The Human Factor: The Hidden Problem of Cybersecurity

Humans are a significant factor in data breaches. While cybersecurity is usually treated as a technology problem, the majority of data breaches are the result of human error.

The human factors in cybersecurity are actions or events that result in a data breach. These factors largely result from a lack of awareness, negligence, or inappropriate access control.

Human error, however, is not so easy to resolve. It is not as easy as changing a software product. There is always a reason why we make mistakes. The key is to understand why these mistakes were made and to find ways to avoid similar situations in the future. Knowing the steps to keep your data safe can keep your business afloat.

Phishing is a powerful method attackers use to gain access to an organisation’s assets. Attackers rely on this social engineering technique in a duplicitous attempt to trick an employee into revealing their credentials or running malicious software. Not only does it trick employees, but it also bypasses traditional filtering resources. Simply put, phishing easily catches employees off guard.

So why are employees so distracted?

In fast-paced, high-productivity companies, many employees are working long weeks. Add remote working into the mix, and you’ll find employees are also filtering out the noise of home while handling their workload.

Cybersecurity is much more than a technology problem

To address the human factor in cybersecurity, companies must first understand that people are an organisation’s strongest asset. When provided with the right tools and knowledge, individual capacity to protect against a cyber-attack is significant.

Is age a factor?

Many employers assume that younger employees would be less likely to open a link that delivers malware or phishes for information. That, however, is not the case.

Employees who grew up with the Internet, those ranging in age from 31 to 40, were the group most likely to click on a phishing email. 32% of these employees acknowledged they had erroneously followed a phishing email. By contrast, only 8% of employees aged 51+ clicked phishing emails.

Does working in a high-tech industry create higher awareness?

One might assume that involvement in high-tech and high-risk industries, like technology and banking, would bring greater security awareness.

Among the industries that face the most human error are technology and financial services. Employees in the technology industry were the most likely to click on links in phishing emails; 47% admitted to clicking phishing emails. 45% of employees in banking and finance also admitted to clicking phishing emails.

It’s notable that these are also the industries in which employees are expected to respond to emails quickly. 85% of tech employees and 77% of financial sector employees stated that the speed at which they are expected to respond to emails impacts how they filter and read emails.

If employees are expected to respond to emails so quickly that they are prone to clicking phishing or ransomware links, that means they may also fear missing an important email. It stands to reason that these same employees sometimes open emails that they shouldn’t.

Humans don’t like things that impede their ability to get things done

When an employee is under pressure to get things done, taking the path of least resistance can feel like the right decision. Employees often see spam filters, firewalls, and anti-virus tools as annoyances. While these tools filter out undesirable content, they also require extra steps and extra time.

Humans make decisions to achieve their goals. Sometimes these decisions put the organisation at risk. When implementing cybersecurity tools, understanding how your employees use the Internet and email is key.



88% of data breaches are the result of human error


When asked why they clicked phishing emails:

45% of employees indicated they were distracted.

37% of employees indicated they were tired.

29% indicated they weren’t paying attention.

93% of employees indicated they are tired and stressed at some point during the working week.

57% of remote workers admit they are more distracted when working from home.

4 Steps to Reduce Human-Led Cybersecurity Risk

Evidently, cybersecurity and data protection require human buy-in.

Addressing the human element of data security requires the following four steps.

  1. Cybersecurity awareness training: Training and awareness programs introduce the real prospect of threats into your employees’ working lives. These programs often provide real-time simulations that demonstrate what a threat can look like, and how employees can react. Your business must commit to the continuous education of the workforce because the threat landscape doesn’t stop evolving when your employees’ cybersecurity training is done.
  2. Access rights and privileges: While your employees might want continuous access to all your organisation’s files, this is a dangerous proposition. By implementing and maintaining policies that restrict file access, you can prevent data theft from the inside. Proactively offer employees access to the files they need to do their jobs well. When employees require access to new files, set a limit to the time they may access these files. File management systems provide these privacy settings, so this level of regulation is accessible to businesses of all sizes.
  3. Require regular data backups: By encouraging regular backup of data, you are preventing data loss when disaster strikes. This is even more important now with remote working and increased use of cloud storage for sharing documents. Any backup solution must include data located in cloud storage.
  4. Encourage good cyber hygiene: Out-of-date or unpatched software can offer attackers a gateway into your organisation. Keeping software and operating systems patched and cybersecurity software up to date is essential.