In the security industry, we hold the following words near and dear to our work:
“Humans are the weakest link in the security supply chain.”
Even companies with solid, well-built security standards are prone to human error. This is because humans are the most important part of information security and all humans make mistakes. According to CompTIA, 52% of security breaches are due to human errors.
While human error is responsible for over half of all security breaches, most of these errors are unintentional.
All an attacker needs is an entry point into the organization’s network. If this is achieved by human error, then the security measures implemented to protect your data are of no use. A few major reasons for human vulnerabilities are:
- Lack of security knowledge.
- Failure to get up to speed with new threats.
- Failure to follow policies and procedures.
Let's take a closer look at the various elements of human error.
Security Policy Oversight
A robust security policy enables an organization to execute business safely. So, what happens when employees don’t follow these policies? I have seen incidents in which employees share sensitive internal data with others. I have also come across individuals who intentionally disable software updates when they are afraid that this corporate requirement will break their work.
Scenarios like these are ubiquitous and, for the most part, unintentional. Some of the most common reasons for people not to follow security policies include:
- Neglecting to read the policies since they tend to be rather lengthy.
- Misunderstanding the policies.
- Failing to remember the policies.
- Assuming that the policies don’t apply to them.
- Disregarding certain policies in order to get the work done.
Carelessness and Convenience
Carelessness and convenience are also major reasons for human error. When given a choice between convenience and security, the majority of people go with convenience. Scenarios include:
- Leaving computers unlocked and unattended while at work.
- Writing down login credentials on a sticky note and placing them in clear view.
- Plugging portable devices into the company network.
Again, the primary drivers of these scenarios are people. People assume that the probability of their actions being exploited is very low.
Lack of Security Knowledge
A lack of security knowledge is still a serious problem that leaves many people vulnerable. For instance, if an employee knows what phishing is, (s)he will think twice before clicking that enticing link. The obvious reason for this insufficient knowledge is that employees don’t go through adequate security training. Thus, they don’t understand that their actions might have a security impact on the company.
Another reason is that employees don’t consider the importance of security knowledge even though they are aware of it. They think that it’s not their job to think about security. Why worry about security when there are security professionals who have them covered?
When someone walks into the office and says that they are a plumber hired by the company, in most cases, employees will just greet them and go about their daily schedules. Not many employees would question whether they really are who they say they are. Attackers exploit this trusting nature of humans, and the results can be nasty. After all, that “plumber” now has access to any and every physical piece of your firm’s infrastructure in the office. They could just walk out the front door with a server—all because of faulty assumptions.
Though humans remain the weakest link in the security supply chain, there is no way to replace them. The best way to minimize and even prevent human error is by educating employees. Encourage them to understand the causes and repercussions of human error. Conduct periodic quizzes or similar measures to be sure that employees really do understand security policies in place. Conduct occasional security assessments to understand your firm’s security posture. This can help safeguard against human error. Then, you can reduce the severity of such errors and vulnerabilities by having strong data protection.
The Bottom Line
As with all vulnerabilities in the security world, human error can be minimized if not completely mitigated. Conducting red team assessments for your organization and building a methodology based on the results can keep these vulnerabilities in check.