If you asked any CIO to identify the one risk influencing all security incidents, the response would be simple: human error.
Not every organization is vulnerable to the same types of security threats, but they all have in common one thing: the human factor. In fact, 24 percent of organizations affected by data loss in the past year say it was the result of an employee accident.
To reduce the risks of data loss and breaches, here is a reminder of the top three measures SMBs should have in mind:
- Restrict access to sensitive data
One of the most frequent mistakes employees make is to send sensitive documents to unintended recipients. People also forward work documents to personal email, place them on consumer-grade file-sharing sites or copy them onto removable media such as USB sticks. And while flash drives seem harmless, if someone connects an infected USB drive to the office network, a worm can copy itself onto the network and replicate from there.
To mitigate human errors, an organization should start deploying security controls to monitor who has access to proprietary data. Other must-have data protection and security measures include:
- Managing and monitoring end-user privileges
- Conducting background checks on an employee’s online activity before granting privileged access
- Network segregation for better control and security
Regular employees aren’t the only ones whose activities should be monitored. Despite boasting superhuman powers, skilled system administrators sometimes make mistakes. Reports show that system misconfigurations, poor patch management practices and the use of default names and passwords are some of their most common errors.
Another risk comes from contractors and third-party vendors. Third-party security breaches have happened in retail, hotels, healthcare, and in many other verticals where partnerships and outsourcing are increasingly used to support business operations. In the UK, contractors accounted for 18% of serious breaches.
The potential risk posed by third parties has garnered significant attention in the wake of the Target breach (2013), and since then it has affected various small and large organizations. That’s because third parties act as insiders, having partial access to company information.
To mitigate this threat, security vetting is key: start with a comprehensive risk assessment and thorough penetration testing of the third party. Both should be performed by a reputable, independent party. Access rights should also be reviewed continuously. Also, make sure data is protected even when it is not in your own network or is held by another entity.
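The access controls above (managing and monitoring end-user privileges, and continuously reviewing third-party access rights) are easier to enforce when the review is automated. The script below is an added example, not code from the original article: it walks a constructed account export and flags three things a periodic access review looks for: entitlements that exceed what the user's role allows, privileged access that has not been re-certified within the review interval, and contractor accounts that still hold access after their engagement ended. The role model, data-class names, review interval and sample accounts are all hypothetical.

```python
"""Role-based access review over a constructed account export.

Flags: excess entitlements, stale re-certification of privileged access,
and contractor accounts that outlived their contract. All names and
policies here are hypothetical examples."""
from datetime import date, timedelta

# Hypothetical role model: data classes each role is permitted to reach.
ROLE_ENTITLEMENTS = {
    "sales": {"crm"},
    "finance": {"crm", "payroll"},
    "sysadmin": {"crm", "payroll", "hr_records", "prod_servers"},
    "contractor": {"prod_servers"},
}

# Data classes whose holders must be re-certified regularly (hypothetical).
PRIVILEGED = {"prod_servers", "hr_records", "payroll"}
REVIEW_INTERVAL = timedelta(days=90)

# Constructed sample export; dates are ISO strings, contract_end is None for staff.
ACCOUNTS = [
    {"user": "alice", "role": "sales", "access": {"crm"},
     "last_review": "2024-05-01", "contract_end": None},
    {"user": "bob", "role": "sales", "access": {"crm", "payroll"},
     "last_review": "2024-05-01", "contract_end": None},
    {"user": "carol", "role": "sysadmin",
     "access": {"crm", "prod_servers", "hr_records"},
     "last_review": "2023-11-15", "contract_end": None},
    {"user": "vendor_dave", "role": "contractor", "access": {"prod_servers"},
     "last_review": "2024-05-01", "contract_end": "2024-03-31"},
]


def review_accounts(accounts, as_of):
    """Return a list of (user, finding, detail) tuples for the given date."""
    today = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct["role"], set())

        # 1. Least privilege: anything outside the role's allowed set.
        excess = acct["access"] - allowed
        if excess:
            findings.append((acct["user"], "excess_access", sorted(excess)))

        # 2. Privileged access must have been re-certified recently.
        age = today - date.fromisoformat(acct["last_review"])
        if acct["access"] & PRIVILEGED and age > REVIEW_INTERVAL:
            findings.append((acct["user"], "stale_review", age.days))

        # 3. Third-party accounts must not outlive the engagement.
        end = acct["contract_end"]
        if end is not None and date.fromisoformat(end) < today and acct["access"]:
            findings.append((acct["user"], "expired_contract", end))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_accounts(ACCOUNTS, "2024-06-01"):
        print(f"{user:12} {finding:17} {detail}")
```

In practice the account export would come from the identity provider or directory rather than a literal, and each finding would open a ticket for the data owner; the three checks themselves are what the periodic review needs to answer.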
- Cyber-security education
Human negligence—whether through carelessness or a lack of knowledge—is widely exploited by cyber-criminals. Phishing for information through an unwitting employee is simpler than hacking through established network defenses.
The easiest way to gain access is via spear-phishing scams targeted at specific employees. Once the malware is downloaded onto the user’s computing device, the company’s assets are also in jeopardy.
Other risky practices include connecting computers to the Internet through an insecure wireless network, password sharing and reuse, BYOD through an unsafe device or employees losing their devices when travelling.
This is why educating employees on how to recognize phishing scams and avoid e-threats is vital to maintaining security.
- If the first line of defense fails…
The strongest layer of protection against human error is still technology. For instance, enterprise security solutions with embedded micro virtual machines verify any process before it is executed on a machine. If an untrusted process tries to run on a computer (think of an employee opening a file, clicking a suspicious email link or downloading from an unrecognized site), it is automatically placed in a micro VM (virtual machine) that isolates it from the computer’s host system.
But what if those breaches exposed what items people bought and when, or their home addresses? What if the breach takes place at a business that is built on the idea of privacy? If we think about what we post online, we have much more to lose than credit card data. That data has immediate value, but our identities—and our privacy—have more.