Human Error in Data Breaches – Release 2
Since the original publication of this briefing and reminder, there continue to be differing opinions on exactly what percentage of data breaches are caused by human error. Originally, those percentages ranged from 25% to 75%, based on the subjectivity of the organization affected by the breach. Since that publication, the percentage has risen to 80% to 95% and remains a staggering figure.
In most cases, policies and controls exist that protect the information assets. However, in situations where human error is the cause, policies and controls are either ignored, the violator was not aware that the policies existed, or the attacker used human intervention to take advantage of a vulnerability.
Human Error in Cybersecurity Attacks
In the Information Technology Security space, we see attacks leveraging human error as incidents where the bad actor involves an individual to affect the confidentiality, integrity, or availability of information assets.
Examples of human error that have resulted in IT security incidents include:
- Improper configuration of infrastructure, systems, and applications
- Lost workstations, tablets, smartphones, and other devices
- Sharing of passwords and credentials
- Password Harvesting
- Leaving unattended devices logged into an infrastructure or application
- Transporting data in an unencrypted state
- Failure to implement and/or follow documented administrative controls
- Clicking on links that lead to malicious and unsafe sites
What can we do to prevent human mistakes?
- Educate the workforce
- Don’t cut corners
- Enforce documented and implemented controls and policies
- Adopt a culture of information security
- Build fault tolerance into systems, procedures, and technology
- Manage workforce environment factors such as distractions, fatigue, and workload
Support ideas for improvements to information security