Negligence: The Number One Cause Leading to Cyberattacks
12 Aug

A lack of awareness of, or negligence toward, cybersecurity among staff can have dramatic consequences for the organization. Willis Towers Watson, a global risk management, insurance, and advisory company, reported that two-thirds (i.e., 66%) of security breaches are a result of employee negligence or malicious acts [1]. The 2017 WannaCry ransomware attacks are an excellent example of how the human factor plays a vital role in escalating an attack to an international-level disaster. Even after Microsoft released the required MS17-010 patch, 60% of organizations in the manufacturing industry and 40% in the healthcare industry still experienced at least one WannaCry attack in the last six months.

External threat actors patiently lure insiders into revealing the sensitive data of their organizations. According to IBM’s 2018 X-Force Threat Intelligence Index, over two-thirds of total compromised records point to inadvertent insiders: employees who, by mistake, leave an easy entry point for cyberattackers to exploit the resources of the organization [3]. To get there, cybercriminals use social engineering methods to exploit the cyber vulnerabilities of organizations.

How Do We Classify a Human Error? 

Negligence is a human error: any unintended or accidental action. It is emerging as one of the prominent causes of security incidents. In essence, the human factor has always been the major breaking point in security, from the very beginning of history. The most common example of negligence is sending data to an unauthorized person. Negligence is an avoidable error, but avoiding it demands proper attention from business owners and precision from employees handling sensitive data. To achieve a reasonable level of mitigation, in-house awareness training is very important to create a first level of understanding, and it should be an ongoing effort if the business wants some breathing space.

Recently, Capital One announced that, due to negligence, a cybercriminal got access to the personal data of 106 million credit card customers and applicants. After this announcement, the firm is facing legal action over this massive breach [4].

Three types of human errors can bring a business down to its knees. Knowing all three types can help avoid these mistakes before they compromise, harm, or alter your organization’s sensitive data.

  1. Skill-based behavior: When an employee reacts to an error instantaneously and performs the required actions associated with an internalized procedure, then it is a skill-based behavior.
  2. Knowledge-based behavior: In this case, the employee deals with a completely new situation, which has no pre-defined rules or procedures.
  3. Rule-based behavior: Under rule-based behavior, the employee is guided to perform familiar actions. The individual will recognize the situation and act accordingly.

Threat and Impact of Negligence 

As mentioned earlier, sending sensitive data to an unauthorized individual is one of the best examples of negligence. Earlier, this seemed to be an unavoidable human error, but now, with the deployment of security controls, data leakage can be prevented. This approach has considerably reduced user involvement and increased user controls. These imposed controls stop employees from e-mailing documents to personal accounts, uploading them to file-sharing websites, or copying them to a USB drive. The growing culture of BYOD (Bring-Your-Own-Device) increases cyber risks, especially in the case of stolen devices. Even in such a scenario, advanced technologies can step in to wipe the data stored on the stolen devices by using remote access. These measures prove their usefulness only if the controls and monitoring are actually in place.

Besides this error, experienced employees can also fall victim to negligence. System misconfigurations, poor patch management practices, and poor password management practices are a few examples where highly skilled system and network administrators commit unintended mistakes. To guard the security infrastructure, organizations can put up numerous security controls and keep checking those controls and compliance on a continuous basis.

Five Common Negligence - Human Errors

Factors such as lack of training and proper awareness can increase the risks of human error. Tools and techniques are available to mitigate such risks to a significant extent. Here are five major human errors that are caused by mere negligence:  

  1. Falling for Phishing Attacks

The most general form of phishing attack is an email containing malicious content that is sent from a seemingly trusted source. This phishing email focuses on gaining the private or confidential data of the user. According to the 2018 Verizon Data Breach Report, 96% of the time, emails serve as an attack vector, while 93% of breaches originate from phishing and pretexting (pretending to be someone else to retrieve private data). [5]

How to avoid? 

  • Establishing a security-centric culture is more beneficial than merely talking about the importance of cybersecurity at the time of hiring. 
  • Regularly running phishing simulation tests can help employees follow pre-defined security policies. It will also help you identify high-risk users so that you can work with them individually.
  • Implementing filters and anti-spamming tools will create a safe environment for the employees. 
  2. Poor Password Practices

Proofpoint-acquired Wombat Security’s 2018 User Risk Report suggested that over 60% of respondents (among more than 6000 surveyed working professionals from the United States, the United Kingdom, France, Germany, Italy, and Australia) admitted to not using a password manager and to reusing passwords across various online platforms. [5] This risky practice can compromise all of the accounts using the same login credentials. Other poor password practices include sharing passwords with others, saving passwords on the same computer (especially in plaintext format), using obvious passwords, or not updating passwords regularly.

How to avoid? 

  • Organizing awareness sessions regarding the best password practices. 
  • Providing tips on login screens such as “Never store your password in an accessible place.” 
  • Using a password management tool to generate complex passwords. Also, using a password expiration tool that can remind you to update your passwords regularly.
  3. Incorrect Management of Privileged User Accounts

High privilege accounts are sometimes poorly managed, especially those belonging to admins. They are protected with inadequate security controls and in some cases are rarely updated. Such practices make admin accounts an easy target for cybercriminals. Once compromised, the attackers can bypass secure networks to access sensitive data. 

How to avoid? 

  • Restricting all accounts to least-privilege features minimizes the risk of compromising admin credentials and then losing sensitive data to cyberattackers.
  • Ensuring availability of high-privilege features on an as-needed basis instead of granting a few accounts all the administrative rights.
  • Having multi-factor authentication limits unauthorized users’ access to data.
  • Ensuring admin accounts are limited to altering or accessing only a few specific sections of the entire infrastructure.
  4. Unauthorized Users Having Access to Corporate Devices

The earlier-mentioned Wombat Security report also suggests that 55% of professionals let their friends and family members access their employer-issued devices [6]. These unauthorized users get access to sensitive data and can also download malware by mistake.

How to avoid? 

  • Enforcing a detailed security plan that states dos and don’ts. Team leaders must actively participate. 
  • Ensuring corporate devices have two-factor authentication to access any sensitive data. To implement this, use proper security controls.
  5. Misdelivery

In the past few years, the healthcare industry has witnessed accidental disclosure of Protected Health Information (PHI). Employees sending an email containing PHI to wrong recipients fall under the category of misdelivery. This is one of the most challenging errors to avoid.  

How to avoid? 

  • Enforcing encryption can help against accidental disclosure. 
  • Using pop-up dialog boxes will help remind senders to double-check the recipient’s address, especially when sending sensitive data.
  • Using Data Loss Prevention (DLP) solutions can help limit information leakage when data are sent out of the corporate circuit. 
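
The pop-up reminder and the DLP rule from the list above can be combined in one pre-send check. The following is an added sketch, not code from the original article: the corporate domain, the two sensitive-data patterns and the similarity threshold are constructed assumptions, and a production DLP policy would be far richer.

```python
import re
from difflib import SequenceMatcher

CORP_DOMAIN = "example-hospital.org"  # assumed corporate mail domain (constructed)
# Assumed, deliberately simple markers for sensitive content.
SENSITIVE = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),
}

def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].strip().lower()

def is_near_miss(domain, threshold=0.85):
    """True when the domain is almost, but not exactly, the corporate one (likely typo)."""
    if domain == CORP_DOMAIN:
        return False
    return SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= threshold

def presend_check(recipients, body):
    """Return (action, reasons); action is 'send', 'confirm' (show pop-up) or 'block'."""
    hits = sorted(name for name, rx in SENSITIVE.items() if rx.search(body))
    external = [r for r in recipients if domain_of(r) != CORP_DOMAIN]
    reasons = []
    typos = [r for r in external if is_near_miss(domain_of(r))]
    if typos:
        reasons.append("near-miss of corporate domain: " + ", ".join(typos))
    if hits and external:
        # DLP rule: sensitive content must not leave the corporate circuit.
        reasons.append("sensitive data (%s) to external recipient" % ", ".join(hits))
        return "block", reasons
    if external:
        # Pop-up rule: make the sender double-check any outside address.
        reasons.append("external recipient: " + ", ".join(external))
        return "confirm", reasons
    return "send", reasons

if __name__ == "__main__":
    # Constructed messages: internal, mistyped internal, and PHI to a personal mailbox.
    print(presend_check(["dr.lee@example-hospital.org"], "MRN: 12345678 attached"))
    print(presend_check(["dr.lee@exampl-hospital.org"], "Lunch at noon?"))
    print(presend_check(["pat@gmail.com"], "Patient SSN 123-45-6789"))
```
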

The best way to handle negligence is to improve the detection capabilities of the organization. Unusual spikes in a user’s activity indicate a trace of negligence, so they need to be recognized. Deploying proactive detection features together with quick response strategies can minimize human error and the issue of negligence to a great extent. Making staff aware of social engineering and other attack approaches is also a very important contributing factor when we talk about human errors; apart from tools, the human aspect must remain under control as well.
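
One way to recognize such spikes is to compare each user's daily count with that user's own history. This is an added example, not part of the original article: the sample counts are constructed, and the median plus k times MAD threshold is one common robust choice, assumed here rather than taken from the text.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (date, user, files sent or copied outside the company that day).
DAILY_COUNTS = [
    ("2019-08-01", "alice", 12), ("2019-08-01", "bob", 40),
    ("2019-08-02", "alice", 9),  ("2019-08-02", "bob", 38),
    ("2019-08-03", "alice", 11), ("2019-08-03", "bob", 45),
    ("2019-08-04", "alice", 10), ("2019-08-04", "bob", 41),
    ("2019-08-05", "alice", 13), ("2019-08-05", "bob", 39),
    ("2019-08-06", "alice", 11), ("2019-08-06", "bob", 43),
    ("2019-08-07", "alice", 240), ("2019-08-07", "bob", 44),
]

def find_spikes(rows, min_history=5, k=5.0):
    """Flag days where a user's count exceeds median + k * MAD of that user's earlier days.

    Returns a list of (user, date, count, baseline_median) tuples.
    """
    per_user = defaultdict(list)
    for day, user, count in sorted(rows):  # ISO dates sort chronologically
        per_user[user].append((day, count))

    alerts = []
    for user, series in sorted(per_user.items()):
        # Only score a day once the user has enough history to form a baseline.
        for i in range(min_history, len(series)):
            history = [c for _, c in series[:i]]
            base = median(history)
            mad = median(abs(c - base) for c in history)
            # Floor the spread so a perfectly flat history does not alert on +1.
            limit = base + k * max(mad, 1.0)
            day, count = series[i]
            if count > limit:
                alerts.append((user, day, count, base))
    return alerts

if __name__ == "__main__":
    for user, day, count, base in find_spikes(DAILY_COUNTS):
        print(f"{day} {user}: {count} events, baseline {base}")
```

Because the baseline is per user, bob's steady 40 or so files a day raises no alert, while alice's jump from about 11 to 240 does.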

Sources: 

[1] https://www.insurancejournal.com/news/national/2017/03/01/443270.htm 

[2] https://armis.com/wannacry/ 

[3] https://www.cygnussystems.com/three-ways-your-employees-will-invite-hackers-into-your-network/ 

[4] https://news.bloomberglaw.com/class-action/capital-one-hit-with-first-class-action-over-security-breach 

[5] https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf 

[6] https://www.proofpoint.com/us/resources/white-papers/user-risk-report 

Editor's Note:
Reviewed by Dr. Ranjeet Kumar Singh, CEO of Sherlock Institute of Forensic Science India, and Prof. Dr. Krishna Seeburn, Chief Instructor, Cybersecurity at DOJ-FBI.