A recent paper by Osterman Research reports that less than half (42 per cent) of organisations have trained their employees for the General Data Protection Regulation (GDPR), even though it came into force many months ago.
It is well known that a lack of training increases the risk of human error that can lead to data breaches. This article will explain the most common errors users make, and the preventive measures organisations can – and should – enforce in order to mitigate the risks.
Human error #1: falling for phishing
According to the 2018 Verizon Data Breach Report, phishing and pretexting account for 93 per cent of social-engineering-related breaches, and email is the most common attack vector (96 per cent).
This mistake is more likely if a company tells its employees about cyber-security policies only when they are hired, instead of making security awareness an ongoing priority. Steer clear of long, tedious training classes; short, five-minute videos that recreate real-world situations and show how social-engineering attacks typically unfold are generally more effective.
It is advisable to run phishing simulation tests periodically to check whether the training was effective and whether employees are following information security best practices and policies.
Human error #2: letting unauthorised users access corporate devices
According to a 2018 User Risk Report, 55 per cent of working adults allow friends and family members to access their employer-issued devices at home. A friend or family member might access sensitive data such as the organisation’s bank accounts or customer data. What’s worse, they might download malware that could give cyber-criminals access to corporate data, cloud applications and storage.
Another important measure is to implement proper security controls on devices and systems, ensuring that every device is password protected. Where possible, enforcing two-factor authentication across all corporate devices and applications is an excellent step to take.
Human error #3: poor user password practices
Statistics also show that 66 per cent of respondents who do not use a password manager admit to reusing 60 per cent of their passwords across online accounts. This is a risky practice, because once one account is compromised, an attacker gains access to a variety of assets. Beyond password reuse, other password-related risks include using obvious passwords (such as 123, abc or 1111), storing passwords within reach of the computer, and sharing passwords with others.
Human error #4: poorly managed high-privilege accounts
Privileged accounts, such as admin accounts, are powerful, but the security controls for preventing their misuse are often inadequate. Our own recent research shows that only 38 per cent of organisations update admin passwords once a quarter. If IT staff fail to update and secure the passwords of privileged accounts, attackers can crack them more easily and gain access to the organisation’s network.
A preventive measure is to apply the principle of least privilege to all accounts and systems wherever possible. Instead of granting administrative rights to multiple accounts, elevate privileges on an as-needed basis for specific applications and tasks, and only for the short period of time in which they are needed.
Human error #5: mis-delivery
Recent research by Verizon reports that email mis-delivery is the fourth most frequent action that results in data breaches. Reportedly, mis-delivery accounts for around 62 per cent of human-error data breaches in healthcare.
Consider requiring encryption for all emails that contain sensitive information. In addition, employ pop-up prompts that remind senders to double-check the recipient address when they are emailing sensitive data. Another tip is to implement a data loss prevention (DLP) solution that monitors for events that could lead to information leakage and responds automatically.
What if an error happens anyway?
The reality is that, even if a company has superior cyber-security defences, people will inevitably still make mistakes. A sophisticated phishing attack might lead to malware being released into a corporate network, an admin might grant someone excessive permissions, or some users might have their passwords cracked.
Every organisation should improve its detection capabilities so it can respond promptly to suspicious or improper events. To detect and respond to such activity proactively, businesses should employ user behaviour monitoring that enables them to track the activity of all users, including privileged ones.
by Matt Middleton-Leal, EMEA General Manager, Netwrix