Almost all successful cyber attacks share one key factor - human error. An IBM Cyber Security Intelligence report found that human error was a contributing cause in 95% of security breaches, and an international survey of CISOs reached the same conclusion: human error is the largest cyber security vulnerability.
There is a positive reading of such a stark statistic. In the large majority of those breaches there was a human step - a click, a reused password, a skipped update - at which a trained and equipped workforce would have had the opportunity to spot and stop the attack.
What is human error?
Simply put, human error refers to unintended actions - or lack of action - from your workforce. These actions can lead to security breaches, and present themselves in a multitude of common mistakes - such as failure to update computer systems, using weak passwords, and falling victim to scams.
Whilst most businesses make use of some form of security software, that protection only goes as far as the workforce uses the systems correctly. Cyber criminals often gain access to data through people, who become an open door through otherwise robust security controls.
Most human error stems from improper training and a lack of awareness, so reducing it should be a key part of any organisation’s cyber security strategy, and the way to do that is to train the workforce. TryHackMe has a wealth of learning pathways tailored to the beginner through to cyber security professionals in offensive and defensive fields.
An increasingly prominent issue
Whilst human error has been a consistent threat to cyber security, the growth of home working and the resurgence of attacks such as phishing and ransomware have added to the issue. Remote employees forgo the day-to-day oversight of IT teams, which cyber criminals prey on to achieve successful breaches. With the pandemic pushing companies to work from home, the need for workforce security awareness has never been greater.
Some of the most common mistakes reported are:
Phishing scams
Phishing is the practice of stealing confidential information from users by impersonating a trusted individual or organisation. A phishing lure typically asks the target to open an attachment, enable macros in a document, "update" or re-enter a password on a lookalike page, or follow a link over an untrusted connection. According to a Verizon report, 90% of confirmed phishing email attacks took place in environments using Secure Email Gateways, so the technical filter alone did not stop them; knowledgeable staff could have.
It’s noted that the finance, social media, and SaaS industries are hit hardest by phishing scams, yet globally 75% of organisations have experienced a phishing attack in the last year alone.
Weak passwords
This can seem like an outdated problem, but studies consistently show that a huge share of passwords across platforms is still “123456”. Employees are often required to work across an extensive set of platforms, each requiring its own login, and it is easy for them to fall back on short, reused or guessable passwords, which gives attackers an easy way in.
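The practical counter to “123456” is to screen every new password against a deny-list of known-bad passwords rather than relying on complexity rules. The following is an added example, not TryHackMe’s code: it checks a candidate against a small constructed deny-list (a real deployment would use a full breached-password corpus, for instance through a k-anonymity lookup service), undoes the usual leet-speak substitutions so that “P@ssw0rd123!” is still caught, and rejects sequences, repeated characters and account-specific words. The 12-character minimum and the deny-list contents are assumptions for illustration.

```python
from __future__ import annotations

import re

# Constructed sample deny-list (a real deployment screens against a full
# breached-password corpus of millions of entries).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "qwerty", "12345678",
    "111111", "abc123", "password1", "letmein", "welcome",
}

MIN_LENGTH = 12  # assumed policy minimum; NIST SP 800-63B asks for 8+ plus deny-list screening

# Undo the character substitutions people use to dodge naive deny-lists.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet-speak,
    so 'P@ssw0rd123!' is compared as 'password'."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # strip trailing '123!', '2024', etc.
    return base.translate(_LEET)


def is_sequence(pw: str) -> bool:
    """True for straight runs such as '123456' or 'abcdefgh' (ascending or descending)."""
    if len(pw) < 6:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def check_password(pw: str, user_context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate password is unacceptable; an empty list means it passes.

    user_context holds words tied to the account (username, company name, ...)
    that must not appear inside the password.
    """
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("matches a common/breached password")
    if re.fullmatch(r"(.)\1*", pw):
        reasons.append("single repeated character")
    if is_sequence(pw):
        reasons.append("keyboard/numeric sequence")
    for word in user_context:
        if len(word) >= 4 and word.lower() in pw.lower():
            reasons.append(f"contains user-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; "acme" stands in for the employer's name.
    for candidate in ("123456", "P@ssw0rd123!", "Acme2024Summer!", "correct-horse-battery-staple"):
        verdict = check_password(candidate, user_context=("acme",))
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Note that the check returns every reason rather than stopping at the first, so the user can be told exactly why the password was rejected; a length rule on its own would have accepted “P@ssw0rd123!”, which is why the deny-list and normalisation step matter more than complexity requirements.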
Lack of software updates
Cyber security is a constant, ever-evolving practice. The people behind the devices and software you use are continually finding and patching vulnerabilities in their systems, and they ship those fixes as software updates. By not applying updates, users remain exposed to attacks that are already publicly known and already fixed.
Arguably the most famous example of this is the 2017 WannaCry ransomware attack, estimated to have affected approximately 230,000 devices across 150 countries, with damages running to hundreds of millions of dollars. The vulnerability it exploited had been patched by Microsoft months before the attack; devices that had applied the update were not affected.
Poor access control
A common human error in cyber security is improper access control. The more access individuals have to company files and systems, the more a successful attacker inherits when one of those accounts is compromised. Employees should only have access to the files and software needed to do their job well, which limits the significance and breadth of any potential breach.
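Least privilege is easy to state and hard to keep true, because access accumulates as people change jobs. The following is an added example, not TryHackMe’s code, of the audit a security team would run to find the drift: each account’s actual grants are compared with the minimum set its role needs, and any permission that is surplus to the role, or that has not been used for a long time, is flagged for removal. The roles, accounts, permission names and last-used figures are constructed for illustration, and the 90-day staleness threshold is an assumed policy.

```python
STALE_DAYS = 90  # assumed policy: a permission unused for this long is a removal candidate

# Constructed: the minimum permissions each role needs to do its job.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read", "invoices:read", "invoices:create"},
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "helpdesk": {"tickets:read", "tickets:write", "users:reset-password"},
}

# Constructed: what each account actually holds, and days since each permission was last used.
# A permission absent from last_used_days has never been used.
ACCOUNTS = {
    "alice": {
        "role": "finance-analyst",
        "granted": {"ledger:read", "invoices:read", "invoices:create"},
        "last_used_days": {"ledger:read": 2, "invoices:read": 1, "invoices:create": 5},
    },
    "bob": {  # moved from finance to engineering; old grants were never revoked
        "role": "developer",
        "granted": {"repo:read", "repo:write", "ci:trigger", "ledger:read", "prod-db:admin"},
        "last_used_days": {"repo:read": 0, "repo:write": 0, "ci:trigger": 1, "ledger:read": 200},
    },
    "carol": {
        "role": "helpdesk",
        "granted": {"tickets:read", "users:reset-password", "repo:write"},
        "last_used_days": {"tickets:read": 1, "users:reset-password": 3, "repo:write": 400},
    },
}


def audit(accounts, role_permissions, stale_days=STALE_DAYS):
    """Compare each account's grants with its role's needs.

    Returns {user: {"excess": ..., "missing": ..., "stale": ...}} for accounts that deviate:
      excess  - granted but not required by the role (revoke)
      missing - required by the role but not granted (the account is broken or misassigned)
      stale   - granted but never used, or unused for longer than stale_days (revoke first)
    """
    findings = {}
    for user, acct in accounts.items():
        needed = role_permissions.get(acct["role"], set())
        granted = acct["granted"]
        used = acct.get("last_used_days", {})
        excess = granted - needed
        missing = needed - granted
        stale = {p for p in granted if p not in used or used[p] > stale_days}
        if excess or missing or stale:
            findings[user] = {"excess": excess, "missing": missing, "stale": stale}
    return findings


def blast_radius(accounts, permission):
    """Accounts that would hand an attacker `permission` if compromised."""
    return sorted(u for u, a in accounts.items() if permission in a["granted"])


if __name__ == "__main__":
    for user, f in audit(ACCOUNTS, ROLE_PERMISSIONS).items():
        print(f"{user}: excess={sorted(f['excess'])} missing={sorted(f['missing'])} stale={sorted(f['stale'])}")
    print("accounts exposing ledger:read:", blast_radius(ACCOUNTS, "ledger:read"))
```

The two views complement each other: the per-account report tells you what to revoke, and blast_radius tells you, for a sensitive permission, how many compromised accounts would be enough to reach it, which is the “breadth of potential breach” the paragraph above refers to.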
Mitigating human error
A Capita case study of 524 breached companies reported an average breach cost of 3.86 million USD, around 2.82 million GBP. Combined with the finding that 95% of breaches are caused, at least partially, by human error, the path forward is clear: the cost of cyber security training and a dedicated security team is far lower, and it can save businesses from such losses.
The entire workforce should have a good level of cyber security understanding, including the basics such as password complexity and detecting phishing scams. It is important for companies to control privilege and oversight of important data. Only share the necessary information with each employee to ensure any risk of breach doesn’t spread further. Building a cyber culture whereby employees feel empowered to explore, learn, and report any threats is important to stay on top of risk.
The need for cyber security is growing at a rapid rate, and the workforce needed is lagging significantly considering the sheer risk of attacks on organisations. Investing in a team of cyber security professionals is crucial for the protection of businesses. TryHackMe was born to make learning cyber security as accessible and fun as possible. We have over 400 hands-on courses that are adaptable to your company needs, and offer team building development through training with our King of the Hill game - where players aim to compromise a machine and patch vulnerabilities to stop other players from gaining access.
Explore TryHackMe business training to offer customised staff training and reduce the risk of human error to your cyber security.