Human Error – An Overlooked Aspect of Cyber Risk
2024-8-15 17:45:13 Author: securityboulevard.com

The dependence on digital infrastructure has made cybersecurity solutions an absolute necessity for businesses, and this has grown all the more important due to the rise in cyberattacks in recent years. Malware, ransomware, viruses, phishing campaigns and spam have led many organizations to invest in sophisticated cybersecurity solutions that shield against common attacks. These solutions are beneficial for preventing hackers from gaining access to secure networks or applications. Yet they fall short in addressing one of the most common pitfalls of cybersecurity – human error. Recent research shows that human error can account for 95% of all cybersecurity incidents. What’s more shocking is that only one-third of all companies offer cybersecurity awareness training for their employees.

Cybercrimes are increasing at an unprecedented rate, with ransomware attacks rising 128.17% between 2022 and 2023 alone. Businesses cannot lean solely on cybersecurity solutions to keep them shielded from a continuously evolving threat landscape. Employee cyber-awareness training must be incorporated into their cyber defense strategy, creating a “human firewall” to minimize the likelihood of a successful attack.

The Costs of Employee Negligence

Some of the largest, most successful companies around the world have fallen victim to cyberattacks brought on by human error. Ticketmaster and Santander Bank were victims of one of the biggest data breaches in recent history after a contracted employee failed to enable multi-factor authentication for a company account. In 2023, MGM and Caesars were infected with ransomware after an employee fell for a social engineering attack. That same year, the sensitive data of thousands of patients with D.C. Healthcare was compromised after unauthorized users found a reused password stored in a log file.

One of the most striking elements of these attacks was that these organizations work in highly regulated environments, where cybersecurity measures are critical. Yet even with cybersecurity solutions in place, simple instances of employee negligence led to severe consequences that devastated these organizations overnight. Business leaders cannot disregard the importance of employee cybersecurity awareness, as a single breach can lead to financial, legal, and reputational harm that’s difficult to recover from.

How Hackers Exploit Employee Weaknesses

Successful threat actors don’t always have to rely on complex technical maneuvers to achieve their goals. Oftentimes, simple manipulation tactics and a basic understanding of employee behavior are enough to help them gain access to secure applications, networks, data storage and more. Below are some of the most common ways hackers take advantage of employees:

  • Social engineering attacks: Hackers know that employees find it hard to closely review every communication they receive at work. Attackers therefore often send emails and texts posing as real people to trick users into giving up sensitive information or clicking malicious links (phishing). Hackers may also target specific individuals (spear phishing) if they have clear goals in mind.
  • Unlocked computers/devices: Locking a device before stepping away is one of the most fundamental cybersecurity practices, yet many employees regularly leave their workstations unlocked, allowing threat actors to gain access both in and outside of office settings with minimal effort.
  • Basic or reused passwords: Despite the risks being well known, employees frequently use simple passwords for quick access to various company accounts. To make matters worse, some employees even use the same basic passwords across multiple company accounts, or worse yet, personal accounts.
  • Use of public networks: The rise of remote and hybrid work has many employees working outside of their offices and homes on public networks. And because many employees fail to put network safeguards in place, like using a virtual private network (VPN), hackers can gain access to company devices through unsecured public networks.
  • Using outdated software: Business applications and solutions require regular updates to fix vulnerabilities that bad actors exploit. However, busy employees may wait, or forget entirely, to install critical updates if no centrally managed update mechanisms are in place.
  • Sharing devices/credentials: Employees working for smaller companies often share devices and accounts, increasing the likelihood that a shared password gets leaked or stolen by unauthorized users.

Employees as the First Line of Defense

While cybersecurity solutions and managed services are assets for any defense strategy, businesses must also prioritize training employees on best cybersecurity practices to create a “human firewall” that can mitigate attacks that other methods may miss.

Businesses should use the following three pillars as a basis for their employee training program:

  • Mindset: Teach employees about the most common cyberattacks.
  • Skillset: Ensure employees know how to spot attacks and how to address a potential hack or breach.
  • Toolset: Provide employees with tools to prevent attacks and uncover suspicious activity.

Additionally, businesses should emphasize the following best practices to reduce the potential of human error contributing to a successful attack.

  • Provide ongoing training: Ensure employees are knowledgeable in the most common types of cyber-attacks and best practices.
  • Establish work protocols: Whether working in-office or remotely, establish clear rules on how employees should work securely, for example, using a VPN while working on unsecured networks and locking workstations when stepping away.
  • Require complex passwords: Employees should use a combination of capital letters, numbers, and symbols when creating passwords for the company. For maximum protection, encourage employees to use random password generators.
  • Enable automatic software updates: Instead of wondering if employees update software, enable automatic updates so that the latest versions are installed immediately after they’re available.
  • Develop an incident response plan: Even if employees are well prepared, mistakes still happen. Have an incident response plan in place so that when employees notice suspicious activity, they can immediately respond appropriately to reduce the impact of an attack.

Don’t let employee unawareness or negligence compromise business security. Instead, equip employees with the knowledge and tools needed to complement cyber defenses. By embracing the core principles of the human firewall philosophy and best practices, businesses can significantly reduce the risk of employee errors and protect critical systems from hackers.


Source: https://securityboulevard.com/2024/08/human-error-an-overlooked-aspect-of-cyber-risk/