If you’re a security professional, you already know that human error is the biggest problem for corporate security; roughly 95 percent of security breaches are from human error.
Hacking attacks and cyber espionage capture the headlines, but the real danger for organizations, whether financial firms or retailers, is the spreadsheet casually left on an insecure personal computer, the password on a sticky note, the email clicked that should have gone unopened.
The trouble is what to do about human error. At least until artificial intelligence advances a bit more, humans handle sensitive corporate data. There’s no perfect solution for this inherent problem.
There are techniques for minimizing security risks from human error, however. Here are five tips we recommend for reducing the cybersecurity risk from humans.
Tip #1: Host Cybersecurity War Games
Employee security education is an obvious starting point for companies that cares about security. But many firms deliver dull presentations during employee onboarding and leave it at that, or maybe throw in a few company-mandated security seminars.
But everyone knows this doesn’t work so well. A better spin on employee security education is gamifying it through company-sponsored cybersecurity war games.
The concept is both fun and elegant: Instead of boring security presentations, host a regular company-wide war game where some employees are tasked with stealing corporate data and others are entrusted with securing it. You might include some of your IT security team on each side, too, as team leaders who can guide less security-minded employees.
These war-games can dramatically boost cybersecurity awareness for employees—and possibly even help you uncover a few security holes in the process, human or otherwise.
Tip #2: Classify Data According to Sensitivity—Then Lock It Down
Much of an organization’s cybersecurity risk comes from seemingly innocent employee behavior such as copying files that really should be under lock and key. This usually happens because firms haven’t assessed the scope of their data footprint and set up sensitivity categories that can automatically inform rights management.
So a second tip to ward off human error is to take a full inventory of your company’s data, then establish a sensitivity classification system for easily and automatically applying appropriate rights management to the data in each category.
Rights management combined with automation is a key for minimizing human error, but it only works well when organizations have clear data classification that can be fed into access control systems.
This is such an important tip for defending against human error, we’ve produced a free guide you can download [note: link to ebook#1] that shows you how to set up a data sensitivity classification scheme for your organization.
Tip #3: Automate File Monitoring
Even well-developed access control systems suffer from two issues that feed off of human error: sensitive data can be copied or photographed onto insecure personal computing systems during the normal course of business, and new documents are created all the time by employees that might be of a sensitive nature but off the radar of the cybersecurity department.
One way to almost entirely avoid these challenges is through automated file monitoring solutions that scan employee devices for the creation and movement of corporate data. Solutions such as Qohash’s cloud-based Qostodian Prime platform can flag corporate data that appears in a Word file on an employee’s personal computer at home, as well as sensitive documents that innocently migrates to an employee’s Google Drive during the normal course of business.
Tracking corporate data resources through real-time monitoring goes a long way toward heading off incidental human error before it becomes a problem.
Tip #4: Consider Behavioral Analytics Security Solutions
People make bad decisions sometimes, especially when working from home and trying to finish a task before dinner like so many workers are doing right now during the pandemic. It might be opening an email they shouldn’t, exposing themselves and corporate data to a phishing attack. It could come from trying to access resources they shouldn’t. It possibly could involve copying and pasting data that shouldn’t be copied in the name of getting more done. Things happen.
While cybersecurity education and file monitoring can help with these issues, a third layer of defense against human error is monitoring employee activity through artificial-intelligence-based behavior monitoring solutions that can flag risky behavior as it occurs.
Many solutions exist, including some that also work with remote employees. These solutions often are a secret weapon that helps IT security professionals sleep more soundly at night instead of worrying about the countless ways employees are exposing the company to risk.
Tip #5: Enforce Multifactor Authentication Wherever Data Lives
We all know passwords are insecure. They get reused, they get shared, sometimes they get stolen. All of these are human errors that can quickly lead to massive security concerns.
There’s a reason that companies such as Apple have basically done away with passwords and moved to face-scanning and multifactor identification (MFA): it works, greatly reducing the human error around login security.
Many security professionals already have multifactor authentication protecting select systems, such as customer login portals. But a pro tip for combatting human error around system logins is to reinforce all corporate data systems with MFA.
There are several tools on the market that can provide this MFA enforcement, some of which have the fringe benefit of reducing employee login friction through less intrusive passwording.
Human error isn’t going away any time soon. With these five tips above, however, you can greatly reduce the frequency and security damage from these human errors.