20 Sep

The Role of Human Error in Cybersecurity


Cybersecurity threats are no longer irregular incidents, and organizations are learning more about them, especially those threats that emerge from inside the organization. In fact, a study by IEEE Security and Privacy showed that over 70% of insider attacks are not reported externally. [1]

Whatever the motives behind insider attacks, this type of breach continues to rise every year. According to the Verizon 2019 Data Breach Investigations Report, the share of all breaches caused by insiders has grown steadily: 25% in 2016, 28% in 2017, and 34% in 2018. [2]

The Cost of an Insider Attack Is an Ascending Curve

According to the Ponemon Institute's 2018 Cost of Insider Threats study, the average cost of a single insider incident is around $513,000, and insider incidents may cost a company up to $8.76 million a year. [3]

Accenture and Ponemon's 2019 Cost of Cybercrime study is less optimistic still, reporting a 15% increase in the average cost of a malicious insider attack from 2018 to 2019. [4]

Organizations are growing aware of insider threat patterns and increasingly regard their employees as the weakest link when securing themselves against cyber threats. Because some users will continue to be careless, negligent, or unaware of threats, a defensive strategy that does not rely on user behavior alone is essential to protect critical business information and IT infrastructure.

Social Engineering a Key Concern

The most common human mistakes in an organization that result in severe repercussions are opening unknown attachments, clicking on unsafe links, and sharing confidential information with colleagues. These errors are driven by social engineering, a technique cybercriminals use to take undue advantage of human behavior. Social engineering attempts are the hardest to defend against because they depend on human error rather than a technical flaw. In a report by KnowBe4 on Phishing and Social Engineering in 2018, 98% of attackers rely on social engineering, as they consider humans an 'easy target'. [5]

Social engineering is not a new concept; attackers have been manipulating people to gain access to networks and critical data for many years. The main defense against social engineering is to build security awareness. It is not possible to eliminate dependency on human judgment, but there is always room to improve it.

Attackers Know How to Exploit Human Curiosity

In an environment that is susceptible to cyberattacks, security frameworks need a new approach, especially when all business operations depend on internet technology. Though the internet has enabled mobility and connectivity, many security challenges arise if it is not managed carefully.

Intruders are smarter and more sophisticated, and they know how to target basic human emotions for their own benefit. Once attackers gain a foothold in the organization through a phishing scam (a fake email, a malicious attachment, or a malicious link), they search the network for valuable information, such as intellectual property. Social engineering is the common technique attackers use to lure targeted employees into making such errors.

Legitimate websites that users commonly visit are increasingly being hijacked, and users rarely give them a second thought. Compromised websites are chosen for the specific interests of the users who rely on them, so that visitors have no reason to be suspicious. This tactic is known as a watering hole attack, so named because the attackers silently wait for unsuspecting users to fall victim to their malicious trap.

People, Process, and Technology

Because these errors are committed by users who inadvertently share sensitive data, new technologies are emerging to help organizations and users protect themselves from social engineering attacks. Even though 'People' are the weakest link in cybersecurity, they are the element most commonly ignored when strategies to combat social engineering are introduced. There is a need to raise awareness among employees of the threats that a careless attitude creates. Employee awareness training should be the key strategy against attacks that exploit human negligence. By continually educating employees to identify and report suspicious activity, organizations can raise their safety standards.

Overcoming Human Error by Remote Browser Isolation Technology

Remote browser isolation technology is an effective tool for limiting the impact of human error. The technology keeps the user experience transparent while the browser session itself runs remotely. It blocks browser-borne threats before they reach the network by separating endpoints from the malicious content they would otherwise render. Treating each browser session in isolation eliminates threats before they can spread across the network. As an extra layer on top of the existing security framework, it runs browsing sessions in disposable Linux containers hosted either in the cloud or on-premises. A related process, Content Disarm and Reconstruction (CDR), adds file sanitization capabilities. Organizations can adopt both to protect themselves from malicious content and malware loaded from the internet.

Apart from processes and technology, 'staying alert' is the key to steering clear of cyber threats. Knowing the basic cybersecurity norms well enough to tell normal online activity from abnormal or risky activity is a must. The Certified Secure Computer User (C|SCU) is an entry-level cybersecurity training and credentialing program by EC-Council, designed to help candidates gain the knowledge and skills needed to protect their information assets. The program covers different types of attacks and defines the steps necessary to reduce security exposure. It is a certification that every individual can use to safeguard themselves from falling victim to social engineering attacks.

Sources:

  1. https://www.ieee-security.org/TC/SPW2018/WRIT/
  2. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
  3. https://153j3ttjub71nfe89mc7r5gb-wpengine.netdna-ssl.com/wp-content/uploads/2018/04/ObserveIT-Insider-Threat-Global-Report-FINAL.pdf
  4. https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf
  5. https://www.knowbe4.com/hubfs/PhishingandSocialEngineeringin2018.pdf