How to Mitigate the Human Risk to Security

Instead of throwing millions of pounds at costly, hard-to-use software, tackle the root of the problem through security education and training.

Last year, IBM conducted a cyber security study looking at over a thousand organisations, ranging from 1,000 to 5,000 employees in size. Over the period of the study, the organisations experienced a combined total of 91 million security events. Of those 91 million events, a staggering 95% involved a single, unifying factor - “human error”.

Whilst this prevalence of human error may appear to be bad news, it’s actually a huge opportunity for security-conscious organisations. Despite increasing rates of technology adoption, and an ever-growing awareness of the need for information security, it’s an organisation’s employees that play the biggest role in security. Instead of throwing millions of pounds at costly, hard-to-use software, they can tackle the root of the problem through security education and training.

To help your organisation mitigate the human risk to security, we’re looking at some of the most common causes of “human error” - from poor password security to shadow IT. By raising awareness of these issues, and offering suitable training, you can have a dramatic impact on your organisation’s security.

1) Poor Password Practices

Poor password practices are a huge security issue. Despite a plethora of high-profile data breaches, changing employees’ password habits for the better has proven to be a serious challenge for most organisations. However, as long as your organisation tackles the issue head-on, it’s possible to dramatically improve password security in a relatively short timescale:

  • Create strict rules for password usage, including a minimum length, a ban on complete dictionary words, and a requirement to use different character types (including uppercase and lowercase letters, numbers and keyboard symbols).
  • Consider rolling out an organisation-wide password management application, like LastPass Enterprise.
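The rules listed above are easy to state but easy to get wrong when enforced, so here is a small checker that applies them and reports every rule a candidate password breaks. This is an added example, not code from the original article or from any product it mentions: the minimum length of 12, the tiny stand-in wordlist and the sample passwords are all constructed for illustration, and the "complete dictionary word" rule is read slightly more broadly than the text states, so that a wordlist entry padded with digits or symbols at either end (a very common habit) is also rejected.

```python
"""Password policy check for the rules listed in the article.

Added example, not part of the original page. MIN_LENGTH, DICTIONARY_WORDS
and the sample passwords are constructed values, not figures from the article.
"""
import string

MIN_LENGTH = 12  # assumed value; the article does not name a specific length

# Constructed stand-in for a real wordlist (in practice, load one from a file).
DICTIONARY_WORDS = frozenset({
    "password", "welcome", "letmein", "dragon", "sunshine", "football",
})

SYMBOLS = set(string.punctuation)  # "keyboard symbols" in the article's wording


def policy_violations(password: str, dictionary=DICTIONARY_WORDS,
                      min_length: int = MIN_LENGTH) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    violations = []

    # Rule 1: minimum length.
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # Rule 2: no complete dictionary words. The whole password is compared
    # case-insensitively, and so is the "core" left after stripping digits
    # and symbols from both ends, so "Sunshine2024!" is still rejected.
    core = password.strip(string.digits + string.punctuation).lower()
    if password.lower() in dictionary or core in dictionary:
        violations.append("is a complete dictionary word")

    # Rule 3: every character class must be present.
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "keyboard symbol": any(c in SYMBOLS for c in password),
    }
    for name, present in classes.items():
        if not present:
            violations.append(f"contains no {name}")

    return violations


def passes_policy(password: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs, from clearly bad to acceptable.
    for candidate in ["password", "Sunshine2024!", "Correct-Horse-Battery-9"]:
        problems = policy_violations(candidate)
        verdict = "OK" if not problems else "REJECTED: " + "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

The checker returns the full list of violations rather than stopping at the first, which is what you want when the output is shown to an employee at password-change time: one round of feedback instead of several. Swap `DICTIONARY_WORDS` for a real wordlist and adjust `MIN_LENGTH` to whatever your own policy specifies.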

Learn more: Identifying Common Password Attacks

2) Shadow IT

Shadow IT refers to the growing problem of unauthorised software usage. With a growing trend towards cloud-based services, and increasingly blurred lines between personal and professional work devices (see below), employees are regularly using insecure applications to handle sensitive data. Worse still, IT and security departments are rarely aware of the problem. The first step in resolving shadow IT is to understand its root cause. Typically, employees turn to unauthorised applications to streamline their day-to-day lives, and fill gaps in their organisation’s processes. By understanding the problem shadow IT is solving, you can take steps to create a secure, officially mandated alternative.

Learn more: The Security and Risk Management of Shadow IT

3) Phishing Attacks and Social Engineering

Both phishing and social engineering attacks use manipulation to earn the trust of an organisation’s employees and gain access to sensitive information. Most commonly, phishing takes the form of emails and social media messages that direct users to fake webpages and login portals designed to make them part with their login details. Social engineering is bolder still, with attackers using phone calls, fake social media accounts and on-site visits to collect sensitive data. The risk of these attacks can never be eliminated, but their threat can be significantly reduced by vigilance, heightened security awareness and regular training.

Learn more: 9 Info Security Mistakes Employees Make Time and Time Again

4) Compromised Mobile Devices

Bring Your Own Device (BYOD) refers to the growing trend of using personal smartphones, tablets and laptops to perform business tasks and access sensitive information. Despite offering huge benefits in productivity and flexible working, this trend poses serious problems for security. Insecure connections can often be used to gain access to sensitive information, especially when business data is stored locally on a personal device. Beyond the risks of remote access, personal devices are stolen on a regular basis, putting any data stored on them at risk. Creating an explicit BYOD policy is a crucial component of mitigating this aspect of the human risk to security: it allows employees to use their own devices in a secure, tightly controlled way. Local storage of confidential data can be prevented, and secure work applications (like Samsung’s KNOX platform) can be used to protect the device’s contents.

Learn more: The Impact of BYOD on Organisation Security

To learn more about the human risk to security (and how to mitigate the threat), download our free whitepaper.
