Excerpted from Spiceworks, “Oh the humanity: Human error, Data security, and you,” by Mason Lerner, November 6, 2017
Nobody’s perfect. In fact, we know some end users are so flawed that downloading an app from an untrusted source on an open Wi-Fi network is no big deal to them. They don’t realize they’re putting themselves and others at risk by downloading free copies of games from sketchy websites to save a few bucks. They’re not trying to allow their sensitive data to be compromised. They just don’t know any better.
And even users who do know better make mistakes. Kicking yourself for being an idiot every once in a while is part of being human. That’s why it probably won’t surprise anyone that research revealed that human error is responsible for nearly two-thirds of all data breaches. The same study shows that unsafe web pages and hacking combined account for only nine percent of all data breaches.
As scammers get more sophisticated, human nature stays pretty much the same. In light of that imbalance, what are IT pros doing to keep users on their toes so they don’t inadvertently break something or share confidential information?
Eric Kron is a data security veteran and has to stay ahead of the security curve in order to do his job.
“Over and over I talk to people in security and having been there myself for many years, users continue to cause us problems,” said Kron. “That’s a fact of life that’s just part of being human. A lot of these folks aren’t terribly technical. They don’t necessarily have technical jobs so when it comes to some of these sorts of things that go wrong, they’re not as careful as they should be quite frankly.”
According to Kron, this lack of knowledge is particularly dangerous given how much power users have these days.
“Think about what a user can do with their cell phones — the access they typically have to email, documents and potentially sensitive information,” he said. “All that stuff is in their pocket. They don’t necessarily think about the damage it could cause if that data is compromised.”
He said that power doesn’t always come with great security training. “We’re giving the users all of this power, but a lot of organizations aren’t training them on how to be careful with it or the appropriate precautions that come with that sort of power,” he said.
This type of thing happens every day and has been for years (kind of)
Kron said that while old classic phishing emails are still one of the hackers’ primary tools, they’re more sophisticated than ever.
“The days of the Nigerian prince scam are done. That’s gone. These [attacks] are well crafted. They use outstanding grammar and English. There are actually services on the dark web where hackers can have their work checked for that, which guarantees higher click rates,” Kron said.
“Users half the time don’t even know they’ve lost their credentials,” he said.
Human error: Not just for non-techies (still just for humans, though)
Kron also pointed out that it’s not just non-tech types who can be victims. In fact, he is living proof that anyone can be one: shortly after beginning his gig at Knowbe4.com, he fell for a simulated phishing scam himself.
“I was in the airport,” he said. “I had been on board maybe two months or so. And I get an email from Stu Sjouwerman, our CEO. It says that he wants to talk to me about some things he had heard about my presentations. I do a lot of presentations on the road. It was a Google calendar invite, and I was immediately like, ‘What did I do?’ I’m a little nervous. I’m new onboard. So I hit Accept, and it was one of our simulated phishing emails. It was diabolical.”
Obviously, the more a company’s employees are aware of the threats out there and how to deal with them, the less fallout IT pros will have to clean up. Although phishing attacks have gotten more sophisticated, a lot of the strategies for reducing human error remain the same. Just telling employees what not to do doesn’t count as data security training. To bring non-tech employees up to data-security par, it is important to supply engaging, entertaining training materials.
Once users know what to look for and whom to report it to, preventing data breaches caused by human error follows an old formula, most of it password hygiene: don’t build passwords from important dates or your kids’ initials; don’t tack an exclamation point onto the end just to satisfy a complexity rule, because attackers’ wordlists and mangling rules already include that pattern; and don’t reuse the same password across multiple sites, since a credential phished or leaked from one site will be tried against all the others. In other words: basic defense tactics are still good policy, but innovative scammers require tech pros to find creative ways to reinforce them with end users.
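The password rules above are easy to state and easy to ignore, so one way IT pros reinforce them is to check for the patterns mechanically. The following is an added example written for this page, not code from the original article, from KnowBe4 or from CHI; the rule set, the token list and the sample passwords and site names are all constructed for illustration. It flags the three patterns the text names (date-like digits or personal initials, a trailing exclamation point on a word-plus-digits password, and the same password registered for more than one site) and returns the findings rather than merely rejecting the password, so a training tool can tell the user why.

```python
import hashlib
import re

# Constructed policy rules mirroring the article's advice.
YEAR = re.compile(r"(?:19|20)\d{2}")          # "Jk2009!" style birth/anniversary years
DIGIT_RUN = re.compile(r"\d{4,}")              # MMDD / DDMMYY style date fragments
# word + optional digits + optional single trailing symbol: "Summer2017!"
WORD_DIGITS_SYMBOL = re.compile(r"^[A-Za-z]+\d*[!@#$%^&*.?]?$")


def weak_patterns(password, personal_tokens=()):
    """Return a list of predictable patterns found in ``password``.

    ``personal_tokens`` is caller-supplied (e.g. family initials or names);
    the checker itself knows nothing about the user.
    """
    findings = []
    if YEAR.search(password) or DIGIT_RUN.search(password):
        findings.append("contains a year or date-like digit run")
    lowered = password.lower()
    for token in personal_tokens:
        if token and token.lower() in lowered:
            findings.append(f"contains personal token {token!r}")
    if password.endswith("!"):
        findings.append("ends with an exclamation point")
    if WORD_DIGITS_SYMBOL.match(password):
        findings.append("word + digits + symbol shape (first pattern cracking rules try)")
    return findings


class PasswordRegistry:
    """Tracks one fingerprint per site so reuse across sites can be flagged.

    SHA-256 here is only an in-memory equality fingerprint for the check;
    it is NOT how a password should be stored (that needs a salted KDF).
    """

    def __init__(self):
        self._fingerprints = {}  # site -> hex digest

    @staticmethod
    def _fingerprint(password):
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def register(self, site, password):
        """Record ``password`` for ``site``; return the other sites already using it."""
        fp = self._fingerprint(password)
        reused_at = sorted(
            other for other, existing in self._fingerprints.items()
            if existing == fp and other != site
        )
        self._fingerprints[site] = fp
        return reused_at


def audit(site, password, registry, personal_tokens=()):
    """Combine both checks into one report for a single (site, password) pair."""
    return {
        "site": site,
        "patterns": weak_patterns(password, personal_tokens),
        "reused_at": registry.register(site, password),
    }


if __name__ == "__main__":
    # Constructed sample: one user, initials "JK", reusing a weak password.
    reg = PasswordRegistry()
    samples = [
        ("mail.example", "Jk2009!"),
        ("bank.example", "Jk2009!"),
        ("vpn.example", "x7#Qm!pL2vR9"),
    ]
    for site, pw in samples:
        print(audit(site, pw, reg, personal_tokens=("JK",)))
```

The registry deliberately reports reuse per site rather than just "true/false", so the remediation step (change the password on the other sites too) is explicit; in a real deployment the fingerprints would be kept in the password manager or vault, never in a plaintext log.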
CHI has a variety of security solutions to protect your data from human error. Contact us today for a demonstration.