Human error is one of the biggest security threats that organisations face, but you wouldn’t know that based on the lack of resources dedicated to preventing it.
According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involved a human element. This includes incidents in which employees expose information directly (for example, by misconfiguring databases) and those in which they make a mistake that enables cyber criminals to access the organisation’s systems.
To combat this threat, decision-makers must understand how human error affects their organisation and appreciate the severity of the risk.
Types of human error
Human error can occur in any number of ways, but it generally refers to an employee either doing something they shouldn’t or failing to do something they should.
More specifically, human error falls into two categories. The first, skill-based error, occurs when an employee makes a mistake when completing a task they are familiar with.
In these scenarios, the employee knows the appropriate process but doesn’t follow it due to a temporary lapse in concentration or judgement.
For example, say that an employee is tasked with reviewing documents in a filing cabinet and shredding the files that are no longer needed.
Human error can occur in several ways when completing this task. The employee might miss a file and therefore not shred it, they could overlook the task altogether, or they could find that the shredder isn’t working and simply throw the documents in the bin.
Another common example of skill-based error occurs when employees fall for phishing scams. They should have been educated on the risk of fraudulent emails, but the messages are designed to catch people off guard, so even a trained employee can take the bait.
The second type, decision-based error, occurs when an employee compromises sensitive data because they don’t understand the risks involved.
This could be because they don’t have the necessary knowledge about the information in question or because they don’t understand that their lack of action will have consequences.
Say, for example, that the employee has been asked to configure a database containing customer records. A decision-based error can occur if the employee doesn’t password-protect the file because they don’t realise that it will be stored in the cloud, where it could in theory be publicly accessible.
The cost of human error
No matter how human error occurs, it can result in huge damages – often much greater than those associated with cyber attacks.
IBM’s Cost of a Data Breach Report 2021 found that the two most expensive forms of data breach were the result of skill-based errors.
According to its study, BEC (business email compromise) scams cost organisations $5.01 (about £3.75) per record stolen, and phishing scams cost $4.61 (£3.45).
Part of the reason for this is that breaches involving human error often take longer to identify and contain, which means the damage can escalate.
Breaches that result from BEC and phishing are among those that take the longest to resolve. BEC scams take on average 238 days to identify and 79 days to resolve, and phishing takes 213 days to identify and 80 days to resolve.
Reducing human error
IBM’s study indicates that organisations have an uphill battle in tackling human error. It found that breaches resulting from human error have become comparatively common in the past two years, with phishing scams posing a particular risk.
This is almost certainly a result of the pandemic and the rise in home- and hybrid-working. With a dispersed workforce, we are far more likely to email colleagues than to walk over to their desk.
As such, it’s easier for a malicious email from a cyber criminal pretending to be a colleague to slip under the radar. Organisations looking to tackle this threat should take a look at our Cyber Security for Remote Workers Staff Awareness E-learning Course.
This online course provides the expertise your employees need to stay safe when working from home.
It covers the specific risks associated with remote working, including phishing scams and vulnerabilities associated with shared Wi-Fi networks.
You’ll also discover the steps you can take to secure your Internet systems, identify fraudulent emails and improve your remote working experience.
A version of this blog was originally published on 25 November 2021.