Not all security compromises make the news; in fact, the payment industry alone sees thousands of attacks each day! To mitigate the role of human error in preventing security vulnerabilities, there is nothing more important than education and awareness. IT leaders should train all persons who are part of the conversation so they are fully aware of and prepared for issues related to cybersecurity, including the potential for attacks.
Education should start on day one, during the onboarding process, and should include both verbal training and written material to reinforce key points. As for subject matter, the message is one of training staff how to think critically and how to look for what may not exist (or only exists nefariously in the background).
This can include fundamental basics such as the potential for a stranger to penetrate a user’s inbox and also the risks associated with weak passwords. We all know that one friend who uses the same password across accounts. Doing this allows a hacker to access the network without resistance.
With security technology available, why does human error still play a large part in network security?
When a compromise does occur, it is often through the weakness of human error, like the above-mentioned password example. Indeed, there are entire organizations that research how to send phishing emails, hack passwords and then install ransomware; they have spent years observing and learning what those human errors are and ultimately how to leverage them to infiltrate the network.
Phishing is extremely difficult to stop; moreover, digital natives tend to be both avid email readers and quick responders. Hackers know this and use it to their advantage. They may even pose as an executive, preying on the propensity for a newer employee to respond urgently lest it reflect poorly on their performance. Next thing you know, that company now has unwittingly granted access to the organization’s internal systems. The scary reality is that it only takes a few milliseconds to capture data.
Is it a matter of noncompliance with policies or are there truly human-related vulnerabilities?
The problem usually is not an issue of non-compliance. We are all human, and we can get bored, have a bad day, be in a hurry or be dealing with any number of real-life issues that affect our vigilance.
To mitigate that, employees can be trained not only from day one, but with refresher sessions throughout their tenure. And for their part, the employers themselves can be deliberate in training all employees, not just those tasked with security or IT. This cross-pollination approach results in an organization with multiple layers of advocates who embrace a security-first mindset.
Do hackers capitalize on the tendency for humans to make mistakes or not comply?
Absolutely! I was a victim of this in my personal life. I had received an email that appeared to be from eBay, and it looked very convincing! The email stated that the pair of $300 shoes I had ordered (which I had not) was on its way; the email included a link to the proof of purchase. The human tendency is to click on the link and enter personal card information, which is exactly what they want you to do.
The purpose of ongoing education on this is two-fold: 1.) Hackers aren’t going away, and are only becoming more clever with their tactics, and 2.) None of us are immune to falling for one of these schemes, but by keeping it front of mind, it’s more likely that even the most authentic-looking phishing attempt will give the end user a moment to pause and evaluate its legitimacy.
How can ISVs develop tech solutions that compensate for human error?
The reports show that we all have much work to do when it comes to these attacks. Going back to the basics with training and education can be a proactive way of getting ahead of the attackers.
There will never be a day when the industry is not targeted, but the most effective way to keep ahead of the curve is to never become complacent. Companies that are serious about protecting themselves against this should make the commitment to provide training and ongoing professional development in the area.