95% of All Security Incidents Involve Human Error
If you open a supposedly innocuous email, you could soon realize it’s a phishing or Trojan email.
Whether intentional or accidental, the insider threat (or the human factor) is a critical element in the cybersecurity component. From the accidental (downloads, streaming video, jump drives, and other routine tasks) to the intentional (ranging from disgruntled employees to those paid to commit industrial/actual espionage), the insider threat is a massive issue in your cybersecurity.
In 2015, CompTIA discovered that the leading cause of cybersecurity incidents were a direct result of human error, accounting for 52% of breaches while IBM’s “2014 Cyber Security Intelligence Index” revealed 95% of all security incidents involve human error (SC Magazine & Security Intelligence). Hackers exploited a server without the dual-factor authentication in the JPMorgan Chase hack. Anthem, in 2014, had 80M personal records stolen – thought to be the result of a phishing email that compromised system administrator credentials. These occurrences (along with many, many others) demonstrate an underlying issue proving that human errors (of both IT professionals and the regular workforce) allow cyber vulnerabilities. And it is this human factor we must address if we want to conquer the real cyber threats.
“But, we’re a security/IT/tech company. We would never do that.”
Well…In 2015 Verizon Enterprise Solution performed a little test. They sent out 150K emails to two of its security partners to see who would open an email from an unknown source. Well, guess what? They found that 23% opened the email and 11% actually opened the attachment! Luckily for their security partner the attachment wasn’t carrying malware!
What about the large IT firm who purposely laced a cyber event parking lot with jump drives that housed software that would alert the cyber firm as soon as anyone inserted it into a computer. More than 15% of the cyber practitioners inserted the drives, during the event!
Now imagine a large non-security related firm, let’s say, an insurance firm. Sure, they’re all up-to-date on PKI, but what about the latest in malware or phishing? How secure is your information now?
What you can do
There are ways you can protect your organization’s (and your customer’s) data. It’s not difficult, but it will require diligence.
- On-board your employees in a consistent manner that properly trains them in cyber vulnerabilities
- Maintain this training regularly
- Assess your organization’s and employee’s weakness so you can better mitigate cyber vulnerabilities and risks
- Understand cyber risks
Your IT professionals aren’t the true gatekeepers – your employees are.
We’ve brought technology far – now we need to bring our people farther. We have been lulled into thinking that since we have fantastic technology, our information is safe. It’s not. We need the right processes, procedures, operations, and organizational culture.