How can organizations mitigate the security risks caused by human error?

There’s a great quote which goes along the lines of “To err is human, but to really foul things up requires a computer”. When applied to cyber security this can fit very well, as human error is a major contributing factor towards data breaches. People are inherently prone to making mistakes, and when working with complex technology the risks are massively amplified. It’s hardly surprising, therefore, that almost three-quarters (74 percent) of CISOs view human error as the most significant cyber security vulnerability, according to a recent study.

Examining the issues relating to cloud security more specifically reveals a wide variety of people-problems. From technology misconfiguration and phishing to multi-factor authentication (MFA) errors, social engineering, and alert fatigue, exploiting our shared propensity for making mistakes has become a focal point for threat actors.

Take the security issues associated with MFA, for example – an approach to security actually designed to help mitigate the risks that can result from human error. Until recently, MFA was able to prevent the vast majority of cybercriminals from accessing restricted services, even if they were in possession of usernames and passwords. In this context, if a user was tricked into handing over login details, MFA would provide that added layer of protection.

The issue today is that MFA systems themselves are now being targeted by hackers, who are using highly effective strategies to circumvent what was previously seen as a robust security process. Part of the problem here is the large number of push notifications users can receive as they access multiple systems or services on a daily basis. This can mean employees become less inclined to give each one their full attention, and if a user approves a rogue MFA request by mistake, attackers can easily gain unauthorized access to sensitive systems and data.
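The push-fatigue scenario described above leaves a detectable trace in authentication logs: a burst of push prompts for one account, often with denials in between, followed by an approval. The following is an added example (not code from the article or from Six Degrees) that scans constructed MFA log lines and flags approvals that come after several prompts in a short window; the log format, event names, threshold and window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): "<timestamp> <user> <event>".
# Event names push_sent / push_denied / push_approved are assumed for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice push_sent
2024-05-01T08:00:05Z alice push_denied
2024-05-01T08:00:09Z alice push_sent
2024-05-01T08:00:14Z alice push_sent
2024-05-01T08:00:20Z alice push_sent
2024-05-01T08:00:31Z alice push_approved
2024-05-01T09:15:00Z bob push_sent
2024-05-01T09:15:04Z bob push_approved
"""

# Assumed tuning values: three or more prompts within two minutes before an
# approval is treated as a possible fatigue-driven approval.
PROMPT_THRESHOLD = 3
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return a list of (user, approval_time, prompt_count) findings.

    A finding is produced when a push_approved event for a user is preceded,
    within `window`, by at least `threshold` push_sent events for that user.
    Denials do not reset the count: repeated denials before an approval are
    exactly the pattern an analyst would want to review.
    """
    prompts = defaultdict(list)  # user -> timestamps of recent push_sent events
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)
        if event == "push_sent":
            prompts[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in prompts[user] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((user, ts.isoformat(), len(recent)))
            # An approval closes the episode; start counting afresh for this user.
            prompts[user].clear()
    return findings


if __name__ == "__main__":
    for user, when, count in detect_push_fatigue(SAMPLE_LOG):
        print(f"review: {user} approved a push at {when} after {count} prompts")
```

In the sample data, alice receives four prompts within two minutes and then approves, so she is flagged for review, while bob's single prompt followed by approval is normal behaviour. In practice the threshold and window would be tuned per environment, and a finding is a trigger for verification with the user rather than proof of compromise.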

Employees are under attack on multiple fronts. What can seem like completely benign activities, such as posing for a work-related photo, can unwittingly expose security details, such as those shown on laptop screens or security badges. Once posted online somewhere, these images provide cybercriminals with a rich source of information, including everything from helping them to identify which enterprise software applications to target to employee details that can be used to set up an attack.

Elsewhere, employees who connect their mobile phones to enterprise WiFi can inadvertently expose the corporate network to attack. This can happen as a result of risky online behavior during break times or via mobile malware sitting dormant on their personal devices. Either way, organizations need increasingly sophisticated security tools to ensure access is properly restricted.

These are difficult challenges to address, and making the situation even more complex and alarming is the widespread use of AI by threat actors looking to raise their game. For example, AI-driven phishing and social engineering attacks use highly personalized and convincing phishing emails, mimicking human behavior or trusted contacts. This can significantly increase the likelihood of users unknowingly providing credentials or sensitive information.

There’s also the risk that security teams might become overly dependent on AI systems to detect threats, assuming that AI is less likely to make mistakes than people. If, however, the AI misclassifies or overlooks a genuine threat, operators may ignore critical issues. In addition, AI-powered security systems can generate large volumes of alerts, some of which may be false positives. The danger here is that security teams might become overwhelmed, leading to missed genuine threats – otherwise known as alert fatigue.

Addressing the risks

So, what can security teams do to identify and address the risks associated with human error? The first thing to understand is that it’s practically impossible to eliminate these issues entirely, but effective mitigation strategies can help close a lot of the loopholes that currently exist.

For example, according to the Cloud Security Alliance, the misconfiguration of cloud-based applications or platforms is a leading cause of data breaches, followed by poor identity and access management controls. Organizations should, therefore, ensure they follow the architectural best practices and policy recommendations provided by cloud service providers on how to secure interfaces and APIs. In addition, these best practices should be well documented and all employees informed of cyber and cloud security protocols, which the organization must actively enforce.

Almost everyone will be familiar with the benefits and limitations of security awareness training, but it remains a vital tool for improving protection levels. What does need to change, however, is that training should be more precisely designed around individual users based on the likelihood of them being targeted and the role-related risks they face. It should also be mandatory and regularly updated to keep users current on the latest techniques employed by cybercriminals.

For instance, by educating employees to become better custodians of their credentials, organizations can reduce the likelihood of a successful phishing attack and safeguard their valuable data. What many of these measures have in common is a requirement to improve existing strategies. In the case of MFA, where the risks continue to grow, biometric authentication, such as fingerprints, facial recognition, or iris scans, offers a more secure additional layer of identity verification.

AI also has a positive security role to play. Today’s powerful AI tools are capable of correlating huge volumes of event data, identifying patterns, and alerting security staff when their intervention is needed. By reducing the alert fatigue that can lead to critical threats being missed, security teams can detect threats and vulnerabilities in real time more efficiently and accurately.

Bring these various elements together and organizations can do a great deal to address the security problems associated with human error. Adopting the right mindset is crucial, and focusing on continual improvement can hold the key to better protection over the long term.


Chris Jackson is Chief Product and Technology Officer at Six Degrees.
