All humans make mistakes. Some bigger than others, but I doubt anyone could argue the statement that “To err is human”.
One of the most intriguing findings from IBM’s “Cyber Security Intelligence Index” is that 95 percent of all security incidents involve human error. Many of these are successful security attacks from external attackers who prey on human beings and their weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.
These mistakes are costly since they involve privileged insiders who often have access to the most sensitive information. The greatest impacts of successful security attacks involving insiders are exposure of sensitive data, theft of intellectual property and the introduction of malware. Most information technology security threats that directly result from insiders are the result of innocent mistakes rather than malicious abuse of privileges.
Successful Security Attacks Exploit Human Interest Factor
The human interest factor is being exploited by attackers and plays a large part in the successful security attacks seen today, but it is not always attributable to mistakes made by insiders. Many of these attacks use social engineering techniques to lure individually targeted users into making mistakes. According to Verizon’s “2013 Data Breach Investigations Report,” 95 percent of advanced and targeted attacks involved spear-phishing scams with emails containing malicious attachments that can cause malware to be downloaded onto the user’s computing device. This gives attackers a foothold in the organization from which they can move laterally in search of valuable information, such as intellectual property.
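The spear-phishing chain described above (external sender, lure text, malicious attachment) is where a mail gateway can intervene before the user has to make a judgement call. The following is an added example, not code from the original article or from IBM or Verizon: a small attachment triage routine that parses a raw message, checks each attachment by extension, double extension and file header, and returns a verdict. The two sample messages, the internal domain example.internal and the risky-extension lists are constructed for illustration.

```python
"""Triage inbound e-mail attachments for the spear-phishing pattern described above."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical internal mail domain; any other sender domain counts as external.
INTERNAL_DOMAIN = "example.internal"

# Extensions that run code directly when opened on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk"}
# Macro-enabled Office formats, a common carrier for malicious macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Benign-looking extensions attackers place before the real one ("invoice.pdf.exe").
DOC_LIKE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Constructed sample: a lure from an external domain carrying a disguised executable
# and a macro-enabled spreadsheet. The base64 bodies are short header fragments only.
PHISHING_MESSAGE = """From: "Accounts Payable" <ap@invoice-portal.example.net>
To: jane.doe@example.internal
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice today.
--XYZ
Content-Type: application/octet-stream; name="Invoice_2024.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2024.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="budget.xlsm"
Content-Disposition: attachment; filename="budget.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQ==
--XYZ--
"""

# Constructed sample: an ordinary internal message with a plain PDF attachment.
CLEAN_MESSAGE = """From: Jane Doe <jane.doe@example.internal>
To: john.roe@example.internal
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain; charset="utf-8"

Report attached.
--ABC
Content-Type: application/pdf; name="q3-report.pdf"
Content-Disposition: attachment; filename="q3-report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--ABC--
"""


def sender_is_external(msg):
    """True when the From address is not in the internal domain."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain != INTERNAL_DOMAIN


def inspect_attachment(part):
    """Return the list of reasons an attachment looks risky (empty if none)."""
    reasons = []
    name = (part.get_filename() or "").lower()
    pieces = name.split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if len(pieces) >= 3 and pieces[-2] in DOC_LIKE_EXTS:
        reasons.append("double extension")
    # Check content, not just the name: a renamed Windows executable still starts with 'MZ'.
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":
        reasons.append("PE executable header")
    return reasons


def triage_message(raw):
    """Parse a raw RFC 5322 message and decide whether to deliver, review or quarantine it."""
    msg = email.message_from_string(raw, policy=policy.default)
    external = sender_is_external(msg)
    attachments = [{"filename": part.get_filename(), "reasons": inspect_attachment(part)}
                   for part in msg.iter_attachments()]
    if any(a["reasons"] for a in attachments):
        verdict = "quarantine"          # at least one attachment matched a risk rule
    elif external and attachments:
        verdict = "review"              # external sender with attachments, nothing matched
    else:
        verdict = "deliver"
    return {"external_sender": external, "attachments": attachments, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage_message(raw))
```

The content check matters more than the extension rules: an attacker controls the filename, but a Windows executable has to keep its "MZ" header to run, so the gateway should look at both. A real deployment would route "quarantine" verdicts to the security team and surface "review" verdicts to the user with an external-sender banner, which ties the technical control back to the employee awareness the article goes on to discuss.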
Today, legitimate websites are increasingly being hacked precisely because they are the sort of websites users routinely trust. Compromised websites are also being used in attacks that target the interests of specific users or groups. There has been a particular increase in so-called watering hole attacks, so named because they mimic the tactics of predators lying in wait at the watering holes their prey is likely to visit.
Technology Alone Is Not a Panacea
It is often said that any successful organization must focus on people, processes and technology in equal measure. Technology provides automated safeguards, and processes determine the series of actions to be taken to achieve a particular end. But even organizations with strong security practices are still vulnerable to human error, and oftentimes there is insufficient attention paid to the “people” part of the equation. To stem errors made through social engineering and to raise awareness of the potential harm caused by carelessness, technology and processes must be combined with employee education. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. Keeping organizations safe relies on constantly educating employees about identifying suspicious communications and newly emerging risks.