It may surprise security leaders to learn that the primary cause of most cybersecurity breaches is human error. Consider this: Verizon's 2023 Data Breach Investigations Report found that a staggering 74% of data breaches resulted from human errors.
In the growing digital world, cybersecurity has become more important than ever. But it's not just about advanced tech solutions. The human element can often be a challenging, constant problem. Over 50% of incidents within the realm of Social Engineering, a significant method of cyberattack, involve Business Email Compromise (BEC) attacks. These deception-based cybercrimes highlight the vulnerabilities in human interaction with technology, reminding us that people are often the weakest link in IT and OT cybersecurity.
The impact of human error on cybersecurity breaches has been highlighted in numerous reports. For instance, the 2023 Verizon report showed that everyday mistakes, like using weak passwords, not updating systems, or just clicking on risky links, caused most breaches. A survey also found that about 80% of tech professionals thought human error was the biggest risk to their control systems. Alarmingly, a whopping 83% of them believed there was a serious lack of cybersecurity-related skills in workers, which could worsen these issues as less experienced staff may make more preventable mistakes.
Some real-life examples show just how much damage these human errors can cause. Take the Freeport LNG natural gas plant explosion in 2022 and the Oldsmar Water Facility Attack in 2021. Both incidents were initially considered cyber-terror attacks, but simple human mistakes caused them. These included shared passwords, outdated software, and a lack of firewall protection. Another famous example is the ILOVEYOU worm in 2000. This virus infected 50 million Windows PCs in 10 days, causing billions in damages. It worked by taking advantage of people's habit of opening email attachments from known sources.
The rise of advanced technologies like large language models (like ChatGPT) and deepfake technologies also increases the chances of people being tricked. These methods can create very realistic-looking cyberattacks that can fool even the most cautious people. So, as we rely increasingly on digital technology, it's clear that the human element in cybersecurity continues to be a significant challenge.
Unraveling the human aspect: How we accidentally aid cybercriminals
Continuing on the human factor in cybersecurity breaches, let's delve into some common ways in which people unknowingly make things easier for cyber attackers:
- Open-Source Information Gathering: It may be surprising to know how much information cybercriminals can gather from public sources like employees’ social media pages, company websites, and blogs. This information can be used to craft convincing phishing attacks.
- Unauthorized User Changes: Ever heard of 'shadow IT'? It's when staff make changes to the IT system without letting the right people know. This can open up holes in your security that hackers are only too happy to exploit.
- Everyday IT Weaknesses: Hackers can find plenty of ways into your network through insecure setups, improper account controls, and too many privileges given to the wrong accounts. If your staff isn't aware of these potential issues, hackers can easily move around your network, steal data, and plant malware.
- Outdated Systems: Old tech isn't just slow and inefficient; it can also leave organizations wide open to cyberattacks. Even small, seemingly unimportant systems like elevator controls can be a weak point if they aren't secured properly.
- The Kindness of Strangers: It's human nature to want to help others, but this can be used against us by cybercriminals. For instance, within an OT environment, an individual could get an urgent call. The caller might pose as a safety inspector needing immediate access to a control system due to an alleged threat. In the urgency to address this "risk", the individual could unknowingly grant unauthorized access, leading to potential cybersecurity breaches.
- The Accidental Hacker: Sometimes, your own staff can unintentionally become a hacker's best friend. This can happen if they use an app or a tool on your company network without knowing that it could let hackers into your system.
- Limited Training: Many companies think cybersecurity training is just for the IT department, but that leaves many staff unaware of potential threats. Everyone in your organization should know about the basics of cybersecurity. After all, a chain is only as strong as its weakest link.
Strategies to boost security awareness
Having explored how human actions can inadvertently aid cyber attackers, it's clear we need effective strategies to heighten security awareness. Let's consider some approaches that organizations can take:
- Fostering a Security-First Mindset: Leaders should make a point to stress the importance of cybersecurity, making it part of the company culture at all levels.
- Teaching About Phishing: Staff should be made aware of the common tactics used in phishing attacks and how to recognize them.
- Tackling Shadow IT: IT departments need to monitor and control the use of unofficial IT resources by staff members or entire departments.
- Setting Up a Password Policy: Guidelines for creating and managing passwords can help users improve their security. Consider adopting tools like single sign-on, secure password managers, and multi-factor authentication.
- Raising Awareness of Social Engineering: Employees should be trained to recognize attempts at manipulating them into revealing confidential information through techniques such as spear phishing, reverse social engineering, 'friendly' hackers, and SMS phishing.
- Ensuring Vendor Security: When partnering with outside vendors, make sure they have robust security measures in place. Ask about their monitoring software, view their IT audits, and encourage the use of change detection software.
- Implementing a Zero-Trust Approach: With this strategy, nothing is trusted by default, and access is restricted to only what's necessary for a job. This method considers the potential for threats to be always present, verifies all parts of the IT system, and keeps access to a minimum.
- Providing Regular OT and IT Training: It's crucial to regularly update your OT and IT staff on company security policies, stressing the importance of adherence to protocols.
- Setting Security Basics: Enforce the use of secure, frequently changed passwords, limit access privileges, and ensure the network is always up-to-date with the latest patches and upgrades.
- Staying on Top of Threats: It's essential to stay informed about new vulnerabilities and threats, using this knowledge to maintain a robust security stance.
The imperative of human-centered cybersecurity measures
Past examples such as the ILOVEYOU worm, the Freeport LNG natural gas plant explosion, and the Oldsmar Water Facility Attack show how crucial it is to address the human factor in cybersecurity. These historical incidents emphasize the need for robust cybersecurity measures that take into account human behavior and its potential to create vulnerabilities.
It's essential to underscore the vital role of cybersecurity education for everyone within an organization. Far from being a peripheral consideration, comprehensive training for all employees forms the backbone of a secure digital environment. Alongside this, it's equally critical for external vendors to maintain high cybersecurity standards, including thorough authentication procedures and proactive alerts for suspicious activities.