It is becoming a widely accepted fact that human error is the root cause of most data breaches. However, the problem with this statement is that it raises more questions than it answers. After all, human error is the root cause of most problems.
To clarify what this means in relation to cyber security, below are the five most commonly cited examples of erroneous behaviour that can compromise an organization's security posture.
1. Falling Victim to Phishing Scams
According to the 2019 State of the Phish Report, 83% of respondents experienced phishing attacks in 2018, an increase from 76% in 2017. Given that phishing scams rely on naïve or unsuspecting employees to succeed, educating employees about how to identify such scams is a sensible place to start. It is also advisable to send mock phishing emails to staff in order to evaluate the effectiveness of the training program.
Irrespective of how well we train our employees, mistakes happen, and so we must also ensure that we are using the latest tools and technologies, such as anti-virus and email-filtering software, to catch the attempts that training does not prevent.
2. Poor Password Practices
According to a recent poll, 59% of people use the same password everywhere, which means that if their credentials are compromised, the attacker might be able to use them to access other accounts, and thus more data. Some users still use easy-to-guess passwords, such as “abc123”, “password”, etc.
Many fail to store their passwords in a secure manner, and some even share their passwords with other employees. To help counter such practices, a strong password policy must be enforced, passwords should be rotated regularly (although not too regularly) and employees should be encouraged to use a password manager such as LastPass, Keeper or 1Password.
As always, training should be provided to all employees to ensure that they understand the implications of failing to keep their passwords secure, and security hints could be shown to them when they log in.
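As an added illustration of what "enforcing a strong password policy" looks like in code (this is example code written for this post, not part of the original article or any product it mentions), the following Python checks a proposed password against a deny list of common passwords, a minimum length, the username, and a salted hash of the user's recent passwords so that a rotation cannot simply reinstate an old one. The deny list, the policy values and the user "jdoe" are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed deny list for the example; a deployment would load a large
# list of leaked and common passwords rather than these five entries.
COMMON_PASSWORDS = {"abc123", "password", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12          # assumed policy value
HISTORY_DEPTH = 5        # assumed policy value: previous passwords a user may not reuse
PBKDF2_ROUNDS = 50_000   # kept modest so the example runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: the stored history cannot be attacked with one
    # precomputed table and cannot be compared across users.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store in the user's password history."""
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), digest)


def check_new_password(password: str, username: str,
                       history: list[tuple[bytes, bytes]]) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it fails policy."""
    if password.lower() in COMMON_PASSWORDS:
        return "is on the common-password deny list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if username.lower() in password.lower():
        return "contains the username"
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(password, salt, digest):
            return f"matches one of the last {HISTORY_DEPTH} passwords"
    return None


def demo() -> list[Optional[str]]:
    """Run the checks for a constructed user 'jdoe' and return the verdicts in order."""
    history = [hash_password("Winter-Lake-2017!"), hash_password("Winter-Lake-2018!")]
    candidates = [
        "password",                        # on the deny list
        "Short1!",                         # too short
        "jdoe-is-the-best-42",             # contains the username
        "Winter-Lake-2018!",               # reuses a recent password
        "correct horse battery staple",    # acceptable
    ]
    return [check_new_password(p, "jdoe", history) for p in candidates]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "accepted")
```

The order of the checks matters for the message the user sees: the deny-list check runs first so that "password" is rejected for being common rather than merely for being short.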
3. Allowing Unauthorized Access to Company-Issued Devices
According to the 2018 User Risk Report, 55% of employees allow friends and family members to access their company-issued devices at home. While it is unlikely that your friends and family will be snooping around for sensitive data, they may inadvertently install some malware.
Businesses will need to ensure that they have a policy in place which defines how their devices can be used and that this policy has been effectively communicated to all employees. In addition to keeping a list of permissible devices, they will need to ensure that all devices have the necessary security controls, which may include screen-locks, 2FA, application blacklisting and remote wiping solutions. They will need to ensure that all sensitive data is automatically encrypted both at rest and in transit.
4. A Failure to Limit Access to Privileged Accounts
It is imperative that all organizations enforce the "principle of least privilege" to ensure that user accounts are assigned only the access rights appropriate to their role. Should a user require more privileges, those privileges should be granted only for as long as the user needs them to do their job. Such privileges will need to be monitored in real time to ensure that any suspicious changes are dealt with in a timely manner.
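One way to make "granted only for as long as needed" and "monitored for suspicious changes" concrete, as an added example that is not from the original article or any product it mentions: approved elevations are recorded with an expiry and an approval reference, and a snapshot of the directory's privileged group memberships is audited against them, so that any member without a live, approved grant (whether added out of band or left behind after expiry) is reported. The role names, the maximum elevation time, the users and the ticket reference are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed for the example: which directory groups count as privileged and how
# long a temporary elevation may last before it must be re-approved.
PRIVILEGED_ROLES = {"Domain Admins", "Backup Operators"}
MAX_TTL = timedelta(hours=8)


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    ticket: str            # approval reference kept for the audit trail
    expires_at: datetime


class JitPrivilegeManager:
    """Approves time-boxed elevations and audits the directory against them."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def request(self, user: str, role: str, ttl: timedelta,
                ticket: str, now: datetime) -> Grant:
        if role not in PRIVILEGED_ROLES:
            raise ValueError(f"{role} is not managed as a privileged role")
        if ttl > MAX_TTL:
            raise ValueError(f"requested {ttl} exceeds the {MAX_TTL} maximum")
        grant = Grant(user, role, ticket, now + ttl)
        self.grants.append(grant)
        return grant

    def active(self, now: datetime) -> set[tuple[str, str]]:
        """(user, role) pairs whose approved elevation has not yet expired."""
        return {(g.user, g.role) for g in self.grants if g.expires_at > now}

    def audit(self, observed: dict[str, set[str]], now: datetime) -> list[str]:
        """Compare a membership snapshot (role -> users) with the approved grants."""
        approved = self.active(now)
        findings = []
        for role in sorted(PRIVILEGED_ROLES):
            for user in sorted(observed.get(role, set())):
                if (user, role) not in approved:
                    findings.append(f"{user} holds {role} without an active approved grant")
        return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: one approved 2-hour elevation and one unapproved membership."""
    mgr = JitPrivilegeManager()
    t0 = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)
    mgr.request("alice", "Domain Admins", timedelta(hours=2), "CHG-1234", t0)
    # Snapshot as it might be read from the directory: mallory was never approved.
    snapshot = {"Domain Admins": {"alice", "mallory"}, "Backup Operators": set()}
    during = mgr.audit(snapshot, t0 + timedelta(hours=1))   # alice still approved
    after = mgr.audit(snapshot, t0 + timedelta(hours=3))    # alice's grant has expired
    return during, after


if __name__ == "__main__":
    during, after = demo()
    print("during grant:", during)
    print("after expiry:", after)
```

Running the audit on every membership change event, rather than on a schedule, is what turns this into the real-time monitoring the text calls for; the comparison logic stays the same.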
5. Sending Emails to the Wrong Recipient
According to the 2018 Verizon Data Breach Report, the mis-delivery of sensitive information is the fourth most frequent action that results in a data breach, and accounts for 62% of data breaches in healthcare. Businesses should encrypt all sensitive data that is sent via email. Likewise, it would be a good idea to implement a data loss prevention (DLP) solution to automatically block or quarantine unencrypted sensitive data as it leaves the network. It may also be worth introducing a pop-up box to remind users to check that the recipient's address is correct.
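The following Python shows the core of the DLP rule described above (an added example written for this post, not code from the original article or any product it mentions): an outbound message to an address outside the organisation is scanned for payment card numbers (validated with the Luhn checksum so that order numbers and phone numbers are not flagged) and for a national-identifier pattern, and is quarantined unless the body is already encrypted. The internal domain, the identifier pattern, the PGP-armour heuristic and all sample messages are constructed assumptions.

```python
import re

# Assumed for the example: the organisation's own mail domain.
INTERNAL_DOMAIN = "example.com"

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Constructed pattern for a US-style national identifier (NNN-NN-NNNN).
NATIONAL_ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return one label per sensitive item found in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("payment card number")
    findings.extend("national ID number" for _ in NATIONAL_ID_RE.finditer(text))
    return findings


def is_encrypted(body: str) -> bool:
    # Heuristic: an ASCII-armoured PGP message is treated as already protected.
    # A real gateway would also recognise S/MIME from the MIME type.
    return body.lstrip().startswith("-----BEGIN PGP MESSAGE-----")


def decide(message: dict) -> tuple[str, list[str]]:
    """Return ("allow" | "quarantine", findings) for an outbound message."""
    leaves_network = any(not r.lower().endswith("@" + INTERNAL_DOMAIN)
                         for r in message["to"])
    if not leaves_network or is_encrypted(message["body"]):
        return "allow", []
    findings = find_sensitive(message["body"])
    return ("quarantine" if findings else "allow"), findings


def demo() -> list[str]:
    """Constructed outbound messages; returns the verdict for each in order."""
    messages = [
        # internal recipient: never leaves the network
        {"to": ["finance@example.com"],
         "body": "Card 4111 1111 1111 1111 for the booking"},
        # external recipient, plaintext card number and national ID
        {"to": ["partner@other-example.net"],
         "body": "Card 4111 1111 1111 1111, SSN 123-45-6789"},
        # external recipient, but the body is PGP-encrypted
        {"to": ["partner@other-example.net"],
         "body": "-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----"},
        # external recipient, 16 digits that fail the Luhn check
        {"to": ["partner@other-example.net"],
         "body": "Order 1234 5678 9012 3456 shipped"},
    ]
    return [decide(m)[0] for m in messages]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The Luhn filter is what keeps the false-positive rate tolerable: the fourth message carries a 16-digit run but is allowed because its checksum fails, while the second is quarantined with both findings reported for the reviewer.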
If you want to be able to easily audit, track and alert on anomalous user behavior in relation to your sensitive data, you’re going to need a data security platform like LepideAuditor. LepideAuditor makes use of Data-Centric Audit & Protection to help you get to grips with the changes your users are making to data. For more information, get in touch with us today or book a personalized demo.