Addressing the Human Factor in Cybersecurity Risk
Better technology tools and modernized IT systems are crucial components of a strong cybersecurity posture. But the ever-present human factor must be addressed as well. Consider Verizon’s 2022 Data Breach Investigations Report, which found that over 80% of cybersecurity breaches involve some form of human error.
The fact is, human error remains a major threat in cybersecurity, and the financial sector is particularly at risk due to the sensitive nature of data and systems that employees deal with on a daily basis. Let’s examine more closely the cybersecurity risks posed by human error, and steps that financial services organizations can take to minimize these risks.
Human Error Creates Cyber Risk
Human error is, by definition, unintentional; but innocent accidents can still lead to outsized risk. The risks are everywhere – often lurking in the mundane, everyday tools that all employees use, such as business email accounts. In fact, more than 3 billion fake emails are sent worldwide, a volume that makes it hard for employees to sift through potential phishing attacks or ransomware traps. Making matters worse, these attacks are getting more sophisticated with advanced social engineering strategies.
In one common attack, malicious actors scan online for company hiring announcements, LinkedIn posts and other clues about new employees at a target company. The new hires are then targeted with fake emails “from the CEO” demanding access to sensitive customer information for a “last minute presentation” they’re putting together. The eager-to-please rookie employees comply – and instead of saving the day for the CEO, they have just handed malicious actors access to company data and proprietary secrets.
Other risks include employees inadvertently sending sensitive information to the wrong person or in an unprotected format, downloading corrupted attachments or using unauthorized software that contains application security (AppSec) gaps. Managers can make matters worse when, instead of viewing mistakes as teachable moments, they focus on punishment – which makes employees less likely to come forward or freely share information about what went wrong.
Process and Technology Steps to Minimize Human Error
Fortunately, organizations have options for reducing human error, starting with adopting a consistent approach to workforce training. A program of regularly scheduled, organization-wide workforce training can drastically reduce instances of human error. The best of these programs employ customized and interactive exercises, such as controlled phishing simulations that test employee responses to phishing attacks.
Another way to reduce human error is to strike the right balance around the seamless vs. secure conundrum we discussed in a previous blog post. When security policies impede productivity, employees are likely to find workarounds that introduce enterprise risk. That’s why it’s important to find a happy medium that balances good security with access to applications and information. And be sure to apply strong encryption and the principle of least privilege when setting up access management protocols.
Two tools that are particularly useful in this realm are Data Loss Protection (DLP) and Azure Information Protection (AIP). DLP prevents the illicit transfer of data beyond your organization’s walls via deep content inspection and constant monitoring. AIP, meanwhile, is a way to encrypt and watermark documents before they are shared – and to retain control over viewing and editing privileges even if they’ve already been accidentally forwarded to a non-approved party.
These are just some of the ways organizations can help keep human error risk at a minimum. And regardless of a company’s exact recipe for achieving this, the most successful approaches are ones that blend direct employee engagement together with the right underlying technology tools and processes to secure the organization.