"A deviation from intention, expectation or desirability."
That is a definition of human error, and in the context of cyber security human error is certainly not desirable!
Even the most careful and diligent of us make errors in life. In the workplace it's normally because we are under pressure to complete tasks or projects against tight deadlines, and we lose sight of some of the day-to-day norms that govern the way we do things or the actions we take.
Human error is regarded as an insider threat and recognised as a major risk to a secure cyber landscape in businesses and organisations, but errors are just that and should be acknowledged as such when cybersecurity solutions are implemented.
Organisations have to be very careful when a data breach or malware infection occurs as a result of staff intervention. The blame game is easy to play, but first you should look at the procedures, policies and training that inform their actions.
Errors occur when staff have not been properly trained in company policy, best practice or cyber awareness. If a member of staff opens a malicious attachment in a phishing email, have they been properly trained to recognise social engineering threats and the risks to the business of opening that document?
The Kaspersky Lab IT Security Risks Survey 2017 (undertaken by B2B International) studied 5,000 businesses on a global basis. The survey found that careless or uninformed staff are the second most likely cause of a serious security breach, second only to malware. In 46% of cybersecurity incidents in the previous twelve months, careless or uninformed staff had contributed to the attack.
Now the difference between "careless" and "uninformed" is an interesting distinction, and one where we might see the blame game rearing its ugly head. In reality, both point towards the need for really good staff training: training on company IT and data usage policies, and also on cyber awareness.
The obvious starting point is the uninformed, but even the informed become careless. Training is one way not only to make staff aware of company expectations but also to help the careless understand that data breaches and attacks can threaten the very existence of the organisation they work for.
Yes, it's important to stress policy requirements and take staff through the various external threats and how to mitigate them, but training should also promote best practice and the importance of the company's lifeblood – its data. With GDPR coming into force in May 2018, this is a particularly important issue.
Finally, training should be ongoing. Regular, engaging and relevant sessions will inform the uninformed and make the careless less so. Setting out your organisation's standards and expectations may be part of the induction process, but once is not enough. Your business will change, the cyber threat landscape changes constantly, and so should the information you pass to your teams.
Help your staff to help your business and its assets stay secure.