Every month, it seems, we hear about a new data breach at some company. In 2019, over 7.8 billion records were exposed in data breaches, and the number grows each year. Just in March 2020, a single breach of an adult video website exposed over 10 billion records.
Far more insidious, however, are the smaller but widespread data breaches at businesses. Even if your company doesn't have billions of data points, you could still be subject to attack. Fortunately, good software and infrastructure can prevent many of the most common attacks. However, there's one threat to data security that's far more unpredictable: the people who work for your company and have access to your data already.
Even the best cybersecurity measures are moot if authorized users give away access. However, well-trained employees can also be your biggest asset in detecting and rooting out attacks. In this article, we'll explore the human factor of data security.
How the Majority of Data Breaches Happen: Human Error
Human error is a contributing factor in most data breaches. In fact, the large majority of cyber attacks count on humans making mistakes - clicking the wrong link, typing information somewhere they shouldn't, configuring accounts incorrectly.
TechRepublic has reported that more than 40% of all data breaches had employee negligence as the root cause. Whether it's an outright error, or just a general failure to understand and practice cyber hygiene, employees contribute greatly to data security risks at an organization.
Generally, human error comes down to a combination of lack of awareness around cybersecurity threats and a lack of guardrails to prevent common mistakes. If you can increase awareness and put systems in place, you can drastically reduce the chances of successful human-focused cyberattacks.
Making Education a Priority
Employee education is critical to keeping company data and devices secure. Of course, that's easy to say and difficult to do. Often, employees find cybersecurity training to be a chore, so it's also critical that you build consensus and understanding around why this is a threat and how large the damage could be.
In our experience, companies that have the most success with employee training use a combination of good, online video training content mixed with simulated attacks and in-person engagement for correctly responding to those simulations.
With that in mind, here are the most common human-centric attack vectors. You should train your employees on these threats thoroughly and regularly, even considering how you can simulate these attacks so users know what to look out for.
The Most Common Human-Centric Data Privacy Threats
Phishing & Pretexting
This is by far the biggest attack vector that focuses on human error. An attacker attempts to get you to click a wrong link, type your password in the wrong form, share an access code, or otherwise give private information to the wrong person. According to the 2020 Verizon Data Breach Report, credential theft and social attacks accounted for 2/3 of all data breaches. Email is the most common attack vector.
Downloading Malware & Ransomware
Ransomware is on the rise in 2020. An attacker gets you to run a piece of malware and it locks access to your computer (and possibly throughout the network as well) until a ransom is paid. Good download scanning tools can help here, but a 2018 User Risk Report reveals 55% of working adults allow friends and family members to access their employer-issued devices at home. Encourage your employees to guard device access & make sure they know what a malware attack looks like.
Poor Password Policies
Using simple passwords or reusing the same passwords is a big vulnerability, but luckily it's easy to fix. Require a password manager and make sure everyone knows how to use it. And please, no sticky notes on the edge of the screen.
Mismanagement of Privileged Accounts
Access to privileged accounts should be restricted to only the right people in the organization. Regularly update your admin passwords, deprovision accounts quickly when users leave, and make sure two-factor authentication is turned on. Getting these configuration settings wrong is an important source of human error that can come from IT or account creators, so make sure good security is also practiced at the top of your organization.
People & Data Security: From Liability to Asset
Although we've spent the article outlining some fairly scary threats, the truth is a little education and training can go a long way toward building a security culture with your employees. The human element of data security is always changing and will forever be difficult to predict or control. However, when companies cultivate a security-first mindset among the team, their employees go from liabilities to assets very quickly. With all your employees on the lookout for attacks and helping one another avoid pitfalls, your data will be more secure than ever.