June 03, 2022//Isa Jones
Human error: It’s an everyday occurrence and happens to everyone at some point or another. Unfortunately, when it comes to cybersecurity, human errors, and the human element broadly, can have costly consequences.
According to Verizon's 2022 Data Breach Investigations Report, the human element remains a prominent factor in breaches: 82% of breaches involved it, whether through a successful phish, misuse of access, stolen credentials, or a simple mistake inside a system. The report also attributes 18% of breaches to employee error.
External attackers are still behind most breaches (and their share keeps rising), but an internal user is often a link in the chain, whether they mean to be or not.
As automated as the world is becoming, humans still log into systems, access assets, and review data every single day. In healthcare, a single organization's accesses to PHI can run into the millions. That is a lot of humans with a lot of room for error, and bad actors are all too eager to take advantage of it.
Social engineering, an attack in which a bad actor manipulates a user into handing over access or credentials, may look like an old-school way into a system, but it is still highly effective and widely used. According to the report, phishing remains the number one form of social engineering for a simple reason: it works. The success rate has held steady over the years at about 2.9%, which sounds small until you do the math: send enough emails and you will find a few open doors and compromised credentials.
The human element extends well beyond phishing, however: insider threats such as the termination gap (the window between an employee's departure and the deactivation of their accounts) and access creep (permissions that pile up through role changes and are never revoked), improper access management more generally, and, as the report notes, errors such as misconfigured storage.
The data is clear: While machines and digitization may be on the rise, it’s the humans that are still at the wheel, and they need to drive with caution.
1. Conduct regular access reviews
User access reviews catch internal user problems such as access creep, snooping, and the termination gap: a reviewer compares each user's current entitlements against the HR roster and the baseline for their role and revokes whatever no longer fits. Ensuring no user holds more access than their job strictly requires also limits the blast radius if they fall for a phishing lure or their credentials are stolen.
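To make the review concrete, here is an added example (not code from the original post or from any vendor product) of the reconciliation an access review performs. It takes three constructed inputs, an HR roster, a per-role entitlement baseline, and an export of current entitlements with last-use dates, and flags the problems named above: a termination gap, access creep, stale access (a least-privilege and snooping signal), and accounts with no HR record at all. All names, roles, entitlements and dates are made up for the example; the 90-day stale threshold is an assumed policy value.

```python
"""Constructed user access review (added example; not code from the original post).

Reconciles an entitlement export against an HR roster and a role baseline and
flags: termination gap, access creep, stale access, and unknown accounts.
Every record below is made up for the example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster: user -> (role, termination date or None if still employed)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "alice": ("nurse", None),
    "bob": ("billing", None),
    "carol": ("nurse", date(2022, 5, 20)),  # left two weeks before the review
    "dave": ("contractor", None),
}

# Constructed role baseline: the entitlements each role is supposed to have
ROLE_BASELINE: Dict[str, Set[str]] = {
    "nurse": {"ehr-read", "ehr-write"},
    "billing": {"billing-read", "billing-write", "ehr-read"},
    "contractor": {"vpn"},
}

# Constructed entitlement export: user -> {entitlement: date last used}
ENTITLEMENTS: Dict[str, Dict[str, date]] = {
    "alice": {"ehr-read": date(2022, 6, 1), "ehr-write": date(2022, 6, 1),
              "billing-read": date(2021, 9, 3)},      # left over from a past rotation
    "bob": {"billing-read": date(2022, 6, 2), "billing-write": date(2022, 6, 2),
            "ehr-read": date(2022, 2, 10),            # in baseline but unused for months
            "admin-console": date(2022, 6, 1)},       # never part of the billing role
    "carol": {"ehr-read": date(2022, 5, 19), "ehr-write": date(2022, 5, 19)},
    "dave": {"vpn": date(2021, 11, 2)},
    "svc-legacy": {"ehr-read": date(2022, 6, 2)},     # account with no HR record at all
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str                  # termination-gap | access-creep | stale-access | unknown-user
    entitlement: Optional[str]
    detail: str


def review_access(roster, baseline, entitlements, as_of, stale_days=90) -> List[Finding]:
    """Reconcile current entitlements against HR and role data; return the findings."""
    findings: List[Finding] = []
    for user, grants in sorted(entitlements.items()):
        if user not in roster:
            findings.append(Finding(user, "unknown-user", None,
                                    "account exists but HR has no record of this person"))
            continue
        role, terminated = roster[user]
        if terminated is not None and terminated <= as_of:
            # Termination gap: the person has left but every grant is still live.
            findings.append(Finding(user, "termination-gap", None,
                                    f"terminated {terminated}, still holds {len(grants)} entitlement(s)"))
            continue
        allowed = baseline.get(role, set())
        for ent, last_used in sorted(grants.items()):
            if ent not in allowed:
                # Access creep: a grant the user's current role does not justify.
                findings.append(Finding(user, "access-creep", ent,
                                        f"not in baseline for role '{role}'"))
            elif (as_of - last_used).days > stale_days:
                # Stale access: valid for the role but unused; remove or re-certify.
                findings.append(Finding(user, "stale-access", ent,
                                        f"last used {last_used}, more than {stale_days} days ago"))
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count findings by kind, for the review's summary line."""
    return dict(Counter(f.kind for f in findings))


def run_example() -> List[Finding]:
    """Run the review over the constructed data as of 2022-06-03."""
    return review_access(HR_ROSTER, ROLE_BASELINE, ENTITLEMENTS, as_of=date(2022, 6, 3))


if __name__ == "__main__":
    results = run_example()
    for f in results:
        print(f"{f.kind:16} {f.user:10} {f.entitlement or '-':15} {f.detail}")
    print(summarize(results))
```

In practice the roster comes from the HR system and the entitlement export from the identity provider or each application; the point of the script is that every finding maps to an action (deactivate the account, revoke the grant, or have the manager re-certify it), which is what turns a periodic review into an actual reduction of the attack surface.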
2. Conduct regular employee training on social engineering
Protection begins with knowledge. Continuous training on the many evolving ways attackers target employees is a crucial part of good cybersecurity hygiene; the more people know, the more likely they are to report a phishing email instead of opening it.
3. Invest in privileged access management as well as third-party access management
Hackers are after what is most valuable to your organization, because that is where the money is. It is not at the front in the cash register; it is in the back behind the giant safe door. So, protect the safe. By investing in privileged access management (PAM) and third-party access management, an organization builds the strong access management that mitigates the biggest threats: protect credentials with an automated credential vault, and prevent access creep by monitoring and auditing access. All of that is possible with streamlined software.