Your employees are your biggest cyber security risk. Here’s what you can do to address the human error factor in your risk profile.
The Federal Budget has just been announced, and with it came a text from the Government promising Australians a one-off payment of $750 delivered through a simple link... except that message is not from the Government, but the latest in a long line of scams designed to get people to hand over their personal details.
The timing and seemingly legitimate MyGov link highlight just how sophisticated these phishing scams have become lately. And with recent examples of AFL footballers, celebrities, job seekers and even large corporations falling victim to these scammers, it seems no one is safe – and it’s costing us big time.
The phishing scam is just one example of a worrying trend in cybercrime: criminals exploiting the one weakness that even the best technical defences can't overcome, human error.
What is a human error in cyber security?
Human error in cyber security covers any mistake or action by an individual that inadvertently causes a security breach. This includes everything from clicking a link in a phishing email or text, inserting a malicious USB drive into a computer or giving a scammer remote access, to failing to install an important security update. A recent, even more sophisticated trend is spear phishing, where attackers personalise their message using legitimate information about the target to lower their defences and gain a level of trust.
The big issue with human error is that it exploits vulnerabilities in our very nature. From a distracted employee absent-mindedly clicking a link, to a curious individual wanting to see what exciting secrets a USB drive they found contains, it can be hard to predict exactly where the threat will come from.
How big is the risk from human error?
BIG. A recent report from the World Economic Forum found that it was responsible for 95% of all cyber security incidents, while IBM and Ponemon’s 2022 Cost of a Data Breach Report found that phishing attacks were the costliest for businesses, with an average cost of AU$7.4M.
The cyber security landscape is evolving rapidly, making it hard for organisations and their employees to stay up to date with the latest exploits.
So not only is human error a massive threat to cyber security, it’s not going away any time soon – but there is hope.
What’s the best defence against human error?
Security awareness training is the best way to protect your business against human-error-related cyber security threats. Educating your team about the risks that are out there, and their role in stopping them, makes your organisation much less vulnerable.
An effective training program should provide practical advice on identifying suspicious emails, texts and other social engineering attacks (the term for cybercrime that exploits human nature rather than technical flaws), as well as password best practice. These lessons should then be put to the test in practice to assess and track the organisation's overall level of cyber maturity.
It should also highlight the latest tactics and techniques that hackers are using to trick people into giving them access or handing over sensitive information. This is why regular awareness training is essential to reducing the risks posed by human error. The specific methods criminals are employing now are vastly different from those they were using just a year ago. If you're not keeping up with them, you'll lose the race.
Importantly, effective training should leave employees feeling empowered. They should come away not only with an understanding of the threats they're facing, but with a sense of responsibility as the first – and arguably most important – line of defence against cyber threats.
Even with the best cyber security in place, you're only as strong as your weakest link. In most cases, that's your people. But as much as a breach may be down to a careless, distracted, tired – or cyber-uninformed – team member, the real responsibility lies with their employer. Fortunately, the solution is simple: annual training and regular refreshers to keep it at the front of your employees' minds – because exploiting them is never far from the minds of cyber criminals.