Cybersecurity threats are constantly evolving, but one of the most persistent dangers comes not from machines but from human errors. Employees and users continue to be a weak link in cyber defenses, from unintentional mistakes to lack of action. These errors range from downloading malware-infected email attachments to using weak passwords.
A recent study found that over one-third (35%) of respondents in India experienced a cloud data breach last year, with human error being the top cause (52% in India, 55% globally). Even the most robust systems can fail due to simple human oversights. For instance, Uber fell victim to a data breach following a cyber-attack on Teqtivity, a software company that offers asset management and tracking services to the ride-hailing app. The perpetrators behind the breach, operating under the alias’ UberLeaks,’ posted confidential company information purportedly obtained during the breach on the hacking forum BreachForums.
Attackers didn’t use some fancy zero-day exploit. Uber forgot to renew its Transport Layer Security (TLS) certificate. This seemingly minor oversight led to the exposure of sensitive user data, highlighting the role of negligence in human errors.
Why are human errors so pervasive?
Human errors stem from two key areas – skill-based mistakes due to inadequate training and decision-based errors often involving malicious intent.
With sophisticated phishing and social engineering attacks, employees can unknowingly compromise security. Fatigue and stress contribute as overburdened staff are prone to mistakes. Carelessness with data handling or oversight in patching systems also has consequences. For instance, Toyota announced in 2022 that customer details may have been compromised over 5 years due to an exposed access key in their app’s source code. The breach occurred because a section of the source code for T-Connect, an app that allows customers to connect their phones to their cars, had been posted on a source code repository, GitHub, in December 2017. This code contained an access key for the server, potentially allowing unauthorized access to customer data for five years.
On the decision side, convenience often overrides security when people reuse passwords or share sensitive data for expediency. The sequence of events leading to the breach began with a seemingly innocuous act – an employee accessing a personal Google account on a work laptop. This compromised account provided the gateway for attackers to infiltrate Okta’s internal support system for managing customer tickets.
Leveraging stolen login credentials, the attackers could steal session cookies and tokens, granting illicit access akin to legitimate customer support agents. The breach evaded immediate detection and was first identified by external security researchers, taking Okta weeks to confirm the incident. Unfortunately, this was not an isolated occurrence, similar to a previous breach in 2022 involving a trusted third-party vendor. In both cases, human actions enabled the attacks that technology alone failed to prevent.
Human errors are not limited to conventional actions; they extend to how we interact with technology. An alarming example is the leakage of proprietary information by Samsung employees through ChatGPT, an AI-powered language model. Despite using AI for various tasks, improper use can lead to inadvertently sharing sensitive information. This underscores the need for strict controls and guidelines regarding technology usage within organizations to prevent data leakage through unconventional means.
Insider threats also loom from disgruntled employees seeking personal gain. It is important to note that insider threats are a significant concern worldwide, including in the APAC region. About 31% of all data breaches globally were caused by insider threats, that is, a contractor or an employee. Here, emotions override logic, training, and skills.
A multi-pronged approach to address human errors
We can’t eliminate human risk – that’s unrealistic.
However, recognizing the complexity of human dynamics is the first step toward building robust defenses.
While technology can protect us, it is difficult to simplify human nature into rules and procedures. People are complex, driven by diverse motivations, and make decisions based on complex cognitive processes. What may seem a clear security violation to one person could be justifiable to another, depending on personal circumstances or viewpoints. The unpredictability of human behavior makes addressing insider threats a unique challenge. Though technical controls are imperative, they must be coupled with fostering an ethical, transparent culture where employees feel valued and psychological influences are considered.
To mitigate human errors, organizations must take a multifaceted approach. This includes investing in comprehensive training programs, implementing robust security policies and procedures, promoting a culture of cybersecurity awareness, and ensuring that employees understand the consequences of their actions. Technology, while essential, cannot replace human vigilance and responsibility when it comes to cybersecurity. Organizations must ingrain secure practices into everyday behaviors and processes as threats evolve.
The way to do it is by creating a foundation that promotes a cyber-secure culture. This cultural shift ingrains security considerations from the design phase of systems and processes, extending to everyday behaviors. Security awareness should be integral to every employee’s role, emphasizing the collective responsibility to safeguard sensitive data and information.
Embracing a ‘Zero Trust’ approach is crucial, where nothing is trusted without verification – not even inside the network. The “when zero is better than 1” principle emphasizes validating and authenticating all users and devices, irrespective of their location, before granting access. This approach minimizes the risk of insider threats and lateral movement by cybercriminals.
Train, Retrain, Repeat
Addressing the lack of knowledge and awareness is just as essential. Regular, comprehensive cybersecurity training programs can equip employees to recognize and respond to threats effectively. These programs should cover identifying phishing attempts, safe web browsing, and best practices for data protection.
Organizations must continually assess the effectiveness of their cybersecurity measures. Tracking key metrics, such as reducing malware incidents and policy violations, is vital. Additionally, collecting qualitative feedback from employees on the relevance of security awareness content assists in tailoring programs to address specific needs. When combined with quantitative metrics, this data enables insightful analysis to refine and target training for maximum impact.
With proper knowledge and motivation, people can become one of the most powerful protections against cyber threats.
While not perfect, strategic human-centric planning and cultural resonance provide the best safeguard against the most unpredictable cyber variable – us.
Mitish Chitnavis is a CTO at iValue InfoSolutions.
Image Source: Freepik