Human factor behind cyberattacks – Root cause analysis

Nearly 95 percent of all security incidents involve human error. According to Verizon’s Data Breach Investigations Report 2013, up to 95 percent of advanced cyberattacks involved spear-phishing tactics with emails containing malicious attachments that could potentially download malware onto the user’s computing device. This gives attackers an entry point into the organization from which they can move laterally, searching for valuable information, such as intellectual property.

The IT Policy Compliance Group says that 75% of ALL data is lost due to human error. The Aberdeen Group marks this figure at 64%. CompTIA says that 52% of security breaches resulted from human error, and most recently, Databarracks said employee accident was the top cause of data loss (24%).

According to a recent UK study by the security vendor ESET, as many as 22,000 USB sticks are left in dirty clothes handed over to UK dry cleaners every year, with nearly half of those never returned. In addition, around 973 mobile phones were left in laundry handed over to the cleaners, the study found.

According to the PwC Information Security Breaches Survey in 2015, 50% of the worst breaches in the year were caused by inadvertent human error, up from 31% a year ago. 75% of large organizations and 31% of small organizations suffered staff-related security breaches in the last year compared to 58% and 22%, respectively, a year ago. 72% of companies where the security policy was not clearly understood had staff-related data breaches. 28% of the worst security breaches were caused by senior management not giving sufficient priority to security.

Root causes of data breaches

A recent study by the Ponemon Institute identifies the following risky activities as the most common causes of data and network breaches:

  1. Using an insecure network for connecting computers to the internet.
  2. Not deleting information that is no longer necessary from the computers.
  3. Sharing passwords with other employees.
  4. Reusing the same login credentials on different websites.
  5. Using unencrypted USB drives.
  6. Leaving computers unlocked when not around.
  7. Losing a USB drive with confidential data and not reporting it to the organization immediately.
  8. Working on a laptop while traveling and not using a privacy screen.
  9. Carrying confidential information on a laptop unnecessarily while traveling.
  10. Connecting a personal mobile phone to the organization’s network.

People-related issues in security

Here is a list of issues related to people that directly impact their organizations’ safety:

  • A relaxed culture where the reliability of the system is not taken seriously.
  • Lack of understanding and awareness of implications of compromises in security.
  • Lack of training to admin staff so they can understand the functions and risk implications.
  • Lack of training for management so they are aware of the value of security and the cost of exposing their businesses to risk.
  • Shortage of suitably trained, skilled, and technical staff to manage the operations of the system.
  • An environment where there is less emphasis on teamwork.
  • Cultural differences in multicultural environments, where clashes between cultures may also result in teams’ inability to work together towards shared outcomes.

The Ponemon report clearly states that employee negligence or maliciousness is the root cause of many data breaches. Over 78 percent of respondents reported that negligent or malicious employees or other insiders within their organizations were responsible for at least one data breach over the past two years. Additionally, 43 percent and 24 percent of respondents report that their organization’s sensitive or confidential business information is protected partially and fully, respectively, by data protection technologies such as encryption and data loss prevention (DLP).

Employees’ loss of laptops or other mobile devices, third-party mishaps or flubs, and system glitches are the top three root causes of these breaches. Employees’ lack of attention towards data protection and the increased amount of sensitive data on mobile devices put sensitive and confidential information at risk. For example, employees frequently (37 percent) or very frequently (19 percent) store sensitive data on laptops, smartphones, tablets, and other mobile devices.

Common mistakes employees make

In an article published in June 2015, Trend Micro presents some common mistakes employees make:

  • Lax email habits – careless opening of suspicious emails containing malware frequently leads to downloading malicious files or landing on websites that cybercriminals use to phish for information they can exploit.
  • Weak passwords – short, weak, and sometimes exposed passwords are commonly exploited by hackers and are among the easiest ways to hack into a system. In addition, some employees often share their passwords with others.
  • Falling for social engineering tactics – without prior knowledge or training about such techniques, it can be difficult to avoid social engineering traps like social media scams, malware, and spam that ride on the popularity of big news and events, or others.
  • Poor backup practices – employees often fail to back up data, increasing the downtime and losses incurred when an organization is attacked.
  • Poor security habits outside work – employee devices are inherently insecure, unlike company-owned devices. As a result, they often have potential vulnerabilities, either at the device or the operating system level, that can be exploited.
  • Connecting to unsecured Wi-Fi networks – employees connect to open or public Wi-Fi networks that can allow attackers to capture traffic from an open access point and launch attacks such as man-in-the-middle (MITM) attacks.