09 Apr Cyber attacks target human error. Improve your defences.
The constant shift towards Cyber Attacks aimed at Human Error.
When one analyses successful cyber attacks over recent months and years, one factor that cannot go unnoticed is the role of human error. Alongside vulnerabilities in systems and applications, human error is commonly cited as a contributor to the success of cyber attacks. In this blog post we take a closer look at one of the most common causes of cyber attacks: human error.
Human error is central to social engineering attacks. Internal actors become the ‘enablers’ that allow such attacks to materialise and succeed. The vast majority of breaches result from inadequate security hygiene, a lack of attention to detail, and a failure to take a proactive stance in following cyber security procedures and protocols.
Attackers, on the other hand, are becoming increasingly sophisticated in their approach. Cyber security awareness training is a first step towards raising the level of knowledge in a workforce. Such training explains the various types of threats, the most common ways attackers go after an organisation, and the consequences and impact on the business should an attack succeed.
A general apathy exists, and this leads to a ‘wait and see’ approach which, more often than not, produces a reaction only when it is too late.
Organisational culture plays a crucial role in cyber security readiness and in preparedness to defend against attacks by malicious actors. The importance of cyber security needs to be cascaded down from the business leadership team, most often sponsored by the CISO or a vCISO (a role that is becoming increasingly popular). There needs to be a sense of accountability and ownership. Employees need to think ‘safety first’ when faced with, say, an email of a dubious nature.
Procedures and their internal enforcement are another key aspect in reducing the human error that can lead to highly negative consequences. Standards covering which software is approved for use, how company equipment may be used, password management and selection, authentication practices (such as multi-factor authentication), keeping security software such as antivirus and firewalls up to date, and connecting only through the company VPN and over trusted Wi-Fi networks are common to most companies of all sizes today.
Ongoing awareness seminars and training courses are required to keep pace with the fast rate of change in the cyber security field. Leading companies have introduced OKRs and KPIs related to cyber security, and include security training in career path plans and training needs plans. Top management should regularly gauge how cyber-security-mature the company is, proactively and constantly raise that level, and remove bad working habits from the modus operandi.
Types of Human Error
Most studies and field professionals divide human error into two categories: skill-based and decision-based errors. In a skill-based error, the employee knows the right course of action but, through a genuine slip or negligence, fails to carry it out. The causes are often multifaceted, ranging from distraction to overwork leading to tiredness and lack of attention while carrying out a task or task list.
In contrast, decision-based errors occur when a worker makes a faulty decision. Again a number of factors come into play, such as not having enough information about the scenario or context, or lacking the knowledge to realise what they are doing and where it leads. In extreme cases, insiders act maliciously and collude with attackers; strictly speaking this is an insider threat rather than an error, and it calls for controls such as least privilege and monitoring rather than training alone.
Reduce Human Errors
To reduce human error, organisations need to proactively raise awareness by organising cyber security awareness training and seminars, and by sharing news and informative reads on the intranet. Training increases knowledge. Choose courses that emphasise real-life examples and scenarios, so that attendees can relate to the material and easily understand and contextualise it.
Clearly communicate protocols and explain the risks and potential consequences. Companies should have operating procedures in place that guide employees, for example on privilege control and password management. In addition to creating a secure environment that proactively promotes cyber security best practices and enforces technical controls such as blocking pop-ups, blocking known-malicious URLs and auto-updating security software, promote security as an integral part of the organisational culture. Always encourage discussion, make escalation paths (such as how to report a suspicious email) visible and easy to use, and hold training on a regular basis.
People don’t need to be the weakest link! Book your cyber security awareness training for your employees today.