Did you know that an estimated 95 percent of cybersecurity breaches in 2022 could be traced to human error?
While most companies put time and energy into patching technical vulnerabilities in their systems, they may not realize their biggest security threat could be their own employees.
Now before you break out in a cold sweat – it would be a shock if anyone on your team actually has devious plans to hack your system. But the reality is that employees may accidentally put their companies at risk for cyber attacks through human error and lack of cybersecurity training.
This is especially true for the financial services industry, the second biggest target of cybersecurity attacks in recent years. Credit unions, community banks, and broker-dealers are singled out by hackers who exploit their technological vulnerabilities to gain access to sensitive information.
While a lack of training can give way to increased cyber threats and user error, proper education is the best defense.
Employee training makes a world of difference for the security of your organization.
In this article, we’ll explore how human error contributes to cybersecurity risks and the measures your team can take to mitigate them.
[This article is part of our Guide to Cybersecurity]
Humans: The biggest vulnerability to computer information security
Cyber threats are becoming increasingly complex. And financial services companies must evolve too – using more sophisticated tools to fight those outside threats.
But businesses are learning that a great security system isn’t always enough to win the fight – the users within that system need to understand what they’re up against, and how to safely carry out their jobs without sacrificing the security of their organization.
Even when we’re being careful, every human is fallible. The only way to address these vulnerabilities is to increase your team’s risk awareness by teaching best practices and common pitfalls to avoid.
Some of these pitfalls are described below.
Human errors in cybersecurity
The most common types of human error are:
Taking the Bait in Phishing Attacks
One of the most frequent employee errors is accidentally clicking on malicious links or downloading attachments from phishing emails.
This can be an embarrassing mistake to make, but the reality is, hackers are experts at sending emails that appear legitimate. Implementing spam filters that block phishing emails is one helpful option, but it’s not foolproof — sometimes emails still make it past screening.
Your team needs to know how to spot phishing attempts and the procedures they should follow when they encounter one.
Using Weak Passwords
Is Fred from HR still using “Spot123” for every password?
Weak and guessable passwords are one of the most preventable ways hackers can access entire databases.
Enforcing strong password policies, requiring regular password changes, utilizing multi-factor authentication (MFA) and using password managers provide a significant layer of security for your company.
Mishandling Sensitive Information
Educate your employees on what qualifies as sensitive information (this could be social security numbers or other personal identification data, bank account information, and other valuable customer data) and how you expect them to handle that information. Teaching employees when and how to encrypt data denies malicious actors the opportunity to access confidential information.
We find that, many times, the process for handling information is cumbersome, which is why employees resort to old habits or shortcuts that simplify their workflow but put your customer data at risk. Keep an open dialogue with your employees to ensure your cybersecurity policies align with how they actually work.
Using unsecured devices or networks
Logging on to your company intranet through an unsecured or public Wi-Fi network could put your data at risk. The same is true when employees log on from an unsecured device, such as a personal or public computer. Provide company computers and secure Wi-Fi networks so that your employees never have to question whether their platform is secure.
To protect company software from outside threats, it’s important to ensure employees are always using the most up-to-date versions and have automatic updates enabled.
Why do employees keep making the same mistakes?
You may be wondering: do people still do these things? The answer is yes — all the time!
The truth is, despite the available education to mitigate cyber attacks, it is easier than ever to exploit human vulnerabilities. While practicing vigilance may seem like common sense, there are psychological reasons why many employees let their guard down.
With burnout on the rise, employees are stretched thin and struggling to keep up with workloads. This can make vigilance against cyber threats a team member’s last priority.
Additionally, stressed and tired employees are more prone to small mistakes that add up over time. Further, the rise in remote work has led to higher levels of distraction while working — creating easy targets for exploitation.
Lastly, because employees fear punishment and even termination for making a mistake (one in four employees responsible for a breach loses their job within a year of it), they are less likely to report their mistakes, in an effort to protect their reputation and job security.
These human errors are especially pronounced in high-pressure environments like the financial services sector, where days can be long and demanding.
So while it’s critical to recognize the human element when developing a cybersecurity strategy for your company, it’s also critical to prioritize caring for your team with a holistic approach. Education is important for your employees, but so is setting them up for success with manageable workloads and the peace of mind of knowing that if they do fall prey to a hacker, it’s better to tell their organization than to try to hide it.
Cybersecurity is a company-wide effort, from top-down initiatives and education to individual responsibility and vigilance.
Creating a culture of vigilance through employee training
As you develop individual education and support for the team as a whole, let’s look at some of the best ways to create a risk-aware team:
Provide continuous training
As criminals find more ways to infiltrate your systems, it’s vital for your team to stay up-to-date on new risks through regular training sessions.
Be clear about what’s at stake
If your team doesn’t know what’s at stake in a data breach, they may not be motivated to stay alert. Make it abundantly clear that data breaches spell financial disaster, reputation loss, loss of client trust, and potential loss of job security.
Repeat the basics
Take the time to teach basic cybersecurity protocols like proper email use, handling sensitive data, spotting phishing, and password hygiene. While some of this may seem obvious, always assume someone else could be learning this for the first time.
Teach through simulations
It’s one thing to learn by hearing, it’s another to learn by doing. Have a plan for responding to a cyber attack in place that your entire team is familiar with. It’s even better to test the plan through a simulation so everyone can practice in real time and catch any snags in your process.
Put employees to the test
Want to see how well your team was listening? Send them a fake email pretending to be their manager, and see how they respond. Do they engage with you or report the email?
Practice what you preach
If you set an example of cyber vigilance within leadership, your team will be more likely to follow suit. If you’re flippant about security, they’ll have no reason to take it seriously.
Use a risk-based approach
Teach employees that when in doubt, they should always err on the side of caution: the effort it takes to verify a suspicious email is small compared to the time and money lost in a breach.
Implementing a comprehensive cybersecurity strategy for your team won’t be accomplished in a single afternoon training session. To minimize your risk, you must implement a culture of security awareness over time. It’s a commitment that’s worth the effort.
The importance of continual testing and assessment
In the same way you should be continually training your employees, you should also be continually testing your systems for vulnerabilities.
There are a few ways to do this:
- Cybersecurity assessment: this general assessment includes scanning your wireless and host networks to identify possible access points or vulnerabilities, finding old passwords still in use, and identifying accounts that need to be retired.
- Quarterly vulnerability assessments: internal and external vulnerability assessments look for vulnerabilities inside and outside your network.
- Penetration testing (also known as “pen testing”): this kind of test is also known as ethical hacking because an authorized, simulated cyberattack is carried out to measure how difficult it is to breach your system.
Social engineering exercises such as phishing simulations identify weaknesses in your team’s response to phishing attempts. If no one takes the bait, that’s great news. If some fall prey to the phishing simulation, you know there’s more security education to be done.
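As an added example (not code from the original article), here is one way to turn the raw results of a phishing simulation like the one described above into actionable training data: per-department click and report rates, the individuals who engaged with the lure without reporting it, and the departments that fall outside chosen thresholds. The sample records and the threshold values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample results from a phishing simulation (not real data).
# Each record is (user, department, action), where action is one of:
#   "reported"              flagged the email to security without engaging
#   "clicked"               followed the link and never reported it
#   "clicked_then_reported" followed the link, then reported the email
#   "ignored"               neither engaged nor reported
SIMULATION_RESULTS = [
    ("alice", "HR", "reported"), ("bob", "HR", "clicked"),
    ("carol", "HR", "ignored"), ("dave", "HR", "clicked_then_reported"),
    ("erin", "Finance", "reported"), ("frank", "Finance", "reported"),
    ("grace", "Finance", "ignored"),
    ("heidi", "Ops", "clicked"), ("ivan", "Ops", "ignored"),
    ("judy", "Ops", "ignored"), ("karl", "Ops", "reported"),
    ("leo", "Ops", "clicked"),
]


@dataclass
class DeptStats:
    total: int = 0
    clicked: int = 0   # engaged with the lure (whether or not they later reported)
    reported: int = 0  # reported the email (whether or not they first clicked)


def summarize(results):
    """Aggregate per-department counts of recipients, clicks and reports."""
    stats = defaultdict(DeptStats)
    for _user, dept, action in results:
        s = stats[dept]
        s.total += 1
        if action in ("clicked", "clicked_then_reported"):
            s.clicked += 1
        if action in ("reported", "clicked_then_reported"):
            s.reported += 1
    return dict(stats)


def click_rate(s: DeptStats) -> float:
    return s.clicked / s.total


def report_rate(s: DeptStats) -> float:
    return s.reported / s.total


def needs_followup(results):
    """Users who engaged with the lure and never reported it: first priority for retraining."""
    return sorted(user for user, _dept, action in results if action == "clicked")


def departments_needing_training(results, click_threshold=0.2, report_threshold=0.5):
    """Departments whose click rate is too high or whose report rate is too low (assumed thresholds)."""
    stats = summarize(results)
    return sorted(d for d, s in stats.items()
                  if click_rate(s) > click_threshold or report_rate(s) < report_threshold)
```

The report rate matters as much as the click rate: a team that clicks rarely but never reports gives the security team no early warning when a real phishing campaign arrives.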
An equal emphasis on human and technical vulnerabilities helps you create a stronger line of defense so that your company is fortified from attacks on every side.
Is it time to reevaluate your cybersecurity focus?
Your biggest cybersecurity vulnerability is the person using the computer.
Regarding information security, it’s not enough to focus on technical risks alone: you must put equal effort into continuous testing and employee training.
It may be time for your company to reevaluate its cybersecurity strategy and implement a renewed focus on educating and equipping your team to face cyber threats. Partnering with an experienced MSP to help train your team could be the difference between falling victim to a breach and staying protected.
Schedule a call with an InfoSystems Cybersecurity expert to get answers to your questions.