Part 1: Cyber Security and Human Error

When one thinks of cyber security, the first thought that often comes to mind is preventive technology.  That is not a bad place to start.  Consider that it is technology that is the foundation of the Internet, which brought about an unparalleled sharing of information never seen before in human existence.  When bad actors decided to use this technology for nefarious means, new technology was created to combat malicious actors.

Yet in spite of all this technology, cyber security still needs the human touch.

It takes humans to build the technology, to program the software (for now), to set up the computer network, to install the software, to manage the software, to fix the software, repair the network, and use the software and data.

On the other hand, humans can make mistakes in manufacturing and programming the technology, in creating the policies, procedures, and workflows, and in running the systems.  And it takes humans to run the systems every day.

It’s unsurprising that human error is a huge source of cyber breaches.  Consider the following quote from the 2023 Verizon Data Breach Report:

“74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of Stolen Credentials or Social Engineering.”

Enlightenment poet Alexander Pope wrote in his 1711 treatise “An Essay on Criticism”: “To err is human.”  The US Institute of Medicine later borrowed that line as the title of its report on patient safety.  How odd is it that their report was on patient safety in the medical world, and here we are talking about the same thing in cyber security?

So what kind of human error are we talking about in the Verizon report, and what can one do to proactively prevent it?  What lessons can organizations learn from this?

The Verizon report noted four different areas of human element:

  1. Error
  2. Privilege Misuse
  3. Use of Stolen Credentials
  4. Social Engineering

Let’s start with Error

Verizon’s report suggests that breaches based on Error are primarily the domain of System Administrators and Developers.  In many organizations that could be the IT department and its managers.  However, end users should not be overlooked; they fall into the third-place category.

In this category are three specific areas that Verizon digs into:

  • Misdelivery, or sending something to the wrong recipient – 43%
  • Publishing Errors, or showing something to the wrong audience – 23%
  • Misconfiguration, or setting something up incorrectly – 21%

It’s very easy to blame System Administrators and Developers for errors, as they do bear the greatest responsibility for protecting confidential data.  But even End Users, those who work with data, can make a breach-causing mistake.

For example, a marketing firm working in the healthcare space inadvertently sent an email to individuals with a sexually transmitted disease (STD) that was supposed to go out via blind carbon copy, but the recipients were placed in the “To” field instead.  A summer intern handling this project, not the IT Department, made the mistake.

The Verizon report does make the effort to list controls to consider, thus helping readers prevent or mitigate these types of errors.  The controls are drawn from the Center for Internet Security (CIS) Critical Security Controls, version 8.  CIS is a non-profit organization dedicated to helping businesses and governments improve their cyber security controls.

The Verizon report breaks down the recommended controls into three areas: Control Data, Secure Infrastructure, and Train Employees.  It also supplies corresponding CIS policy templates to help the reader dig deeper into each control.

In Part II of this series, I’ll dig deeper into those controls.

Image by Shahadat Rahman on Unsplash.

Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition to this he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees.
