RECOGNIZING SECURITY RISKS ASSOCIATED WITH HUMAN ERROR AND SAFEGUARDING YOUR BUSINESS
It’s the worst case scenario. You’ve just been notified that your company has experienced a data breach. It could be your company’s confidential information or your employees’ personal data that has been compromised. As you handle the crisis at hand, you keep thinking “how did this happen?”
What if the cause of the breach was something as simple as an employee leaving for the day with their laptop open and logged into your network? While everybody may understand the importance of information security, it’s likely that human error is the root cause of your problem. So, what can you do? Implement training. And don’t limit your training to new hire orientation. Mandate company-wide training that will effectively protect your IT infrastructure. After all, you wouldn’t buy a brand new Maserati and then hand the keys over to a new driver, would you? Hold your company to that same standard and take action to safeguard your business.
The Digital World is Vulnerable
The IT landscape has shifted dramatically in the past five years. Not only are businesses exploring new models for technology, such as cloud computing and mobility, but they are also viewing technology more as a strategic endeavor that can directly accelerate growth. These two drivers are somewhat complementary to each other, but the dual pursuit definitely creates a more complicated picture for businesses as they consider their IT strategy. It’s not just businesses that are growing. The abundance and sophistication of hackers, combined with greater reliance on interconnected applications, devices and systems, has created a cybersecurity environment that’s challenging for even the best-prepared organizations.
According to the report Trends in Information Security, 79 percent of companies believe cybersecurity threats are on the rise, and 29 percent of those companies have confessed to a data loss incident in the past year – up from just 19 percent in 2013. [1]
The effects a data breach can have on a company are somewhat obvious: loss of business, damaged reputation and the cost of resolving the incident – to name just a few. But the impact on consumers is exponential. In fact, the global cost of cybercrime against consumers is $113 billion. [2]
There’s no doubt there is work to do in the cybersecurity space. While there’s a series of factors that complicate security readiness – such as malware and hacking – the human element in cybersecurity is still a valid concern. [3]
In fact, companies report the human element as the largest factor behind security breaches. According to the “IBM Security Services 2014 Cyber Security Intelligence Index,” over 95 percent of all incidents investigated involved human error as a contributing factor.
We’re Not Robots
We’re human and we make mistakes. But, if your company has experienced a data breach, you know that your first question is, “How did this happen?” Identifying the cause as a simple human error that could have been prevented is upsetting to say the least. That said, recognizing the human element as a security risk is the first step toward a complete IT strategy. Creating a culture of high performance that consistently minimizes risk is the key.
With 52 percent of organizations recognizing that the element of human error in cybersecurity threats is increasing, business leaders are taking proactive approaches to prevent an incident and protect their bottom lines.
The IBM and Ponemon Institute’s “2015 Cost of Data Breach Study” found that the average cost of a data breach has increased from $3.52 million to $3.70 million, with the average cost per record to resolve an attack due to human error or negligence at $134. [6] Asking what human behaviors are leading to cybersecurity problems is a good place to start.
With more Generation Y employees in the workplace and overall social media use increasing, what your employees are sharing with the world may be a concern. And it’s not just what they may be disclosing, but also where they are sharing information, as social networking sites are a prime target for cyber-criminals.
According to Cisco’s “2013 Annual Security Report,” the highest concentration of online security threats is on mass-audience sites, including social media. The report revealed that online advertisements are 182 times more likely to deliver malicious content than pornography sites.
Furthermore, these social media mavens may not fully recognize the threat. The Cisco report shows that more Generation Y workers said they feel more comfortable sharing personal information with retail sites than with their own employers’ IT departments.
HUMAN ELEMENT A MAJOR PART OF SECURITY RISK.
But one of the most difficult factors to overcome is general carelessness. This behavior is the primary outcome when security and convenience collide. End-users often know what best practices in security are, but they choose a more convenient solution in the pursuit of efficiency.
Let’s talk about passwords, for example. We all know that a strong password includes a combination of random letters, numbers and symbols. But that’s hard to remember when you have 10 different passwords to keep track of at work. So what do we do? Either use the same password for everything or use a weak password that we can easily remember.
And what about your employees’ mobile devices? Smartphones and tablets that travel to and from the office every day – potentially carrying confidential company information – can be security risks in themselves.
But would it surprise you to know that lost devices are no longer the sole mobility security incident companies are guarding against?
In the past year, companies have also seen employees disable security features on mobile devices (31%) and experience mobile malware (30%).
With cybersecurity threats ranging from general negligence to mobile malware, how can companies effectively communicate the importance of information security?
Most firms already know what they should be doing but may not be taking action to trigger a significant change. With regard to human error, better training for everyone is the clear
Better (Not More) Training
Cybersecurity training is becoming a major initiative for many businesses for two reasons: keeping the technical team up to speed with the dynamic environment, and keeping general staff from creating unnecessary risk as they use technology more and more in their daily jobs.
One third of companies are seeing an additional benefit – the training they are pursuing leads to new knowledge that changes the organizational mindset.
A Harvard Business Review article examined the structure and mindset of the U.S. military in relation to cybersecurity best practices and procedures. The article found a high-performance culture to be the key factor in decreasing human error and preventing security breaches. At the heart of this culture are six interconnected principles, which help weed out and contain the impact of human error:
- Integrity – Cultivating a deeply internalized ideal that leads people to eliminate shortcuts and immediately own up to mistakes.
- Depth of Knowledge – Facilitating a thorough understanding of IT systems that allows those responsible to readily recognize when something is wrong and take the correct measures to handle it.
- Procedural Compliance – Setting up standards and procedures that employees are expected to follow.
- Forceful Backup – Recognizing that some high-risk actions should be performed by multiple people to ensure accuracy.
- Questioning Attitude – Encouraging a mindset that allows employees to trust their gut when something seems amiss and proactively take corrective action.
- Formality in Communication – Using clear and concise language that leaves no gray area.
Sure, the ideal workforce embodies those principles and sets out to execute them every day. But, how do companies get to that place?
The first step is to take charge.
A recent survey by Oxford University and the UK’s Centre for the Protection of National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among those outside it. The reality is that if CEOs don’t take cybersecurity threats seriously, their organizations won’t either.
Establishing uniform standards and centrally managed training and certification, and then making everyone accountable for their actions, is the best way to take charge.
But, better training is easier said than done. Most businesses struggle with the thought of providing education. It’s not their forte, and the effects can be difficult to measure. Few training programs offer a direct correlation to business results, and it is especially complicated in an area like cybersecurity, where the desired effect is the absence of any incident.
Still, most businesses have some notion of providing foundation training. Currently, 54 percent of companies are offering some form of cybersecurity training, typically done through new employee orientation or an annual refresher course.
Businesses readily acknowledge that they would like to see better content in their cybersecurity training. Organizations are also looking for a training tool that offers better administration tools, as well as more real-world examples to make for a more engaging and user-friendly program.
Cybersecurity is for everyone, not just the IT department. All the time and capital you’ve invested in a robust security plan means nothing if human error is not addressed. Protect your company, your employees and your security investment by ensuring everyone in your organization is executing best practices when it comes to information security.
Audit Expertise Comptable LLC is a premium auditing, consulting and training firm involved in coaching, assisting and auditing facilities to be certified to international standards. AEC will make sure that all changes to regulatory requirements are communicated to manufacturers during consultation and that documentation change requirements are fully met. Over 25 years the firm has been engaged in this business and has helped over 700 facilities achieve their certification goals. AEC has a disciplined 10-step path towards certification. AEC has helped organizations get certified not only to ISO 13485 but also to several other international standards such as ISO 9001, ISO 14001, ISO 27001, ISO 50001 and ISO 45001, and to sector-specific standards such as IATF 16949:2016, AS 9100 D, TL 9000, FSSC 22000:2018, SQF edition 8, BRC-8 and IFS in food safety, and many more. Please visit our website www.aeciso.com or, for immediate assistance, contact us by e-mail: firstname.lastname@example.org