Human error, or unintentional actions by human users that contribute to security issues, is one of the most significant digital security challenges confronting small- to mid-size enterprises (SMEs) today. The United Kingdom’s Information Commissioner’s Office (ICO) found that 90% of data breaches reported to it in 2019 were the result of human error, for instance. Per Infosecurity Magazine, phishing was responsible for nearly half (45%) of the data breach reports submitted to the ICO over the course of that year.
Oz Alashe, CEO of CybSafe, said that these findings reflect the fallibility of human behavior when it comes to digital security. As quoted by Infosecurity Magazine:
As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.
How Technical Controls Can Help
Organizations can try to address the threat of human error and phishing by implementing technical security controls. When it comes to defending against human error, for instance, Eastern Kentucky University recommends that organizations can begin by instituting multifactor authentication (MFA). This measure requires that users supply an additional authentication factor such as a fingerprint or an authentication app code in order to sign into their accounts. In doing so, MFA can help to prevent digital attackers from compromising a user’s account even if they steal the account credentials.
Further, they recommend that organizations also invest in their ability to manage the network. This specifically involves investigating the dependencies that the network has, identifying the critical assets on which the organization relies and safeguarding their sensitive data. Towards this end, organizations can begin by mapping the network to obtain a wider view of their connected systems. They can then use a threat and risk analysis along with risk assessments to pinpoint key areas on which they might want to focus their security efforts. Once they have implemented access management, MFA and other technical controls, organizations can use monitoring to watch out for anomalous network activity and respond to potential security issues before they balloon into a full-fledged incident.
There are plenty of technical controls available to organizations when it comes to defending against phishing attacks, as well. As explained by Carnegie Mellon University, organizations need to limit the privileges that they give to user accounts by handing out administrative privileges to only those accounts that need them. Such a move will limit the types of actions that a malicious actor could perform if they were to compromise an ordinary user’s account. It also allows organizations to configure the scope of their monitoring tools to watch for anomalous activity across a fewer number of administrative accounts, thereby helping organizations to respond to suspicious user behavior on those accounts more quickly.
In addition to those measures, Carnegie Mellon University notes that organizations can use network segmentation to help to prevent malicious actors from using a successful phish to move laterally across the network to critical assets, block Microsoft Office macros and use attachment filtering to shut down common attack vectors for phishers as well as safeguard their domains by setting up Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC).
The Limitations of Technical Controls
Notwithstanding the best practices discussed above, technical controls alone will carry organizations’ digital security posture only so far. IT Governance USA reveals that the problem is fourfold. First, there’s the issue that organizations could implement technical controls that don’t reflect a proper risk assessment. This could leave organizations vulnerable to employee negligence, process shortcomings and other risks stemming from human error.
Another problem is the opportunity for misconfigurations of organizations’ other technical controls. Security analysts are human; they’re not exempt from making mistakes. Those mistakes could apply to some of the most fundamental security controls that their employer needs to keep its most critical assets and information safe.
But the risks extend beyond just critical systems. Information and assets are interconnected, after all, a fact which gives organizations the opportunity to leverage one compromise and potentially turn it into another in some way. This possibility, when combined with the reality that threats are constantly evolving past what technical controls are designed to detect or prevent, highlights the limitations of grounding digital security efforts in technology alone.
Putting a Focus on People
If they want to truly address the threats of human error and phishing, organizations need to complement their technical controls with their people controls. They can do this by building a security awareness training program. Such an initiative inherently recognizes that all people—including contractors, employees and executives—are responsible for helping to uphold their employers’ security as well as to advance their organizations’ security posture.
Organizations can begin by creating and implementing a process for providing digital security training to their workforce. To complete this step, it’s important that organizations identify the training that all of their covered roles need, decide upon a frequency for providing training and select the topics that they would like to emphasize in their training.
Next, they can select a process for distributing the training. Perhaps they want to create their own security awareness training content. Or maybe their security requirements would be better met by working with a managed services provider like ITEGRITI that can provide this content for them. It’s then up to them to provide the security awareness training to their workforce.
Either way, organizations need to have an understanding of their digital security risk baseline to get started with creating a security awareness training program. Organizations can understand their current risk exposure by taking ITEGRITI’s Cybersecurity Risk Assessment. These risk assessment questions are based on the essential cybersecurity controls that help companies to avoid hacks and minimize business impact during cybersecurity events. They will receive a copy of the risk baseline report along with a cybersecurity maturity score based solely on this attestation in addition to control implications in areas where cybersecurity controls may need improvement.
For more information, check out ITEGRITI’s assessment here.
This SME Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training (Current)
- Cybersecurity Guide: Asset Inventory (Coming Soon)
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management (Coming Soon)
- Cybersecurity Guide: Vulnerability Management (Coming Soon)
- Cybersecurity Guide: Access & Account Management (Coming Soon)
- Cybersecurity Guide: Information Management & Protection (Coming Soon)
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security (Coming Soon)
- Cybersecurity Guide: Incident Management & Review (Coming Soon)
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors (Coming Soon)