Human Error: The Overlooked IT Security Threat


Human error is involved in as many as 13 percent of data breaches. How do you protect yourself from such threats? We have gathered five pieces of advice. 

To err is human, as the saying goes. This also applies, to a large extent, to IT security, where human error is a frequent culprit when a company is affected by data security breaches.

The human element is involved in a staggering 82 percent of breaches. Whether it is the use of stolen credentials, phishing, misuse or simply an error, people play a very large role in security incidents and data breaches alike. According to Verizon’s Data Breach Investigations Report 2022, human error continues to be a dominant trend and is responsible for 13 percent of breaches.

This should be a concern to most organizations – and the fallibility of employees should not be discounted. 

Human error has wide repercussions under the GDPR

Human error covers several actions – e.g., bad password habits, clicking on phishing links or sending information to the wrong recipient. These are all widespread problems, and they all constitute risks that pose a challenge to any organization’s data security. 

Data security is a parameter that has only become more important since the EU Data Protection Regulation came into force in May 2018: a lack of data storage security may now even result in substantial fines.

As an organization, you can take the right technical measures and implement and streamline the right processes, but you rarely get very far if the employees are not involved and do not understand how their actions collectively contribute to the organization’s GDPR compliance. 

Even when outsiders attack an organization, their success is most often due to the fact that they can exploit internal structures and weaknesses that should have been previously addressed. 

5 tips to prevent human error

This is why it is crucial to take measures with respect to human error. Errors are going to happen, and when they do, it is simply better to be prepared. However, what is the most important step you can take to safeguard your organization? We have gathered five pieces of advice.

  1. Train your staff 
    Many errors are avoidable – with the proper training. Make sure that the organization’s employees are aware of any security threats. Threats are constantly evolving, so make sure to keep the organization updated accordingly. Don’t forget to teach the staff about applicable laws and regulations that are relevant to data security and workflows.
  2. Create a security-centric culture
    Make sure to communicate any security policies throughout the organization so that the employees are aware of their existence and applicability (and of what may happen in case of non-compliance). A good security culture is created by establishing proper habits and workflows among employees – and not least by promoting a working environment that tolerates errors. In this way, you can, to a much greater extent, trust that the employees will report any errors, so that they can be rectified immediately.
  3. Implement access control
    Good security begins with solid access control. If employees have copies of each other’s rights, or if many simply have access to too much data, there is great room for improvement. It is crucial to implement an access policy based on a need-to-have access principle. This means that only those employees who explicitly need access to sensitive information are granted such access. This kind of access control often makes the difference between a solid security level and a data leak.
  4. Be aware of internal threats
    Most security breaches are committed by criminals and hackers. No doubt about it. However, this does not mean that your organization can afford to underestimate threats posed by insiders. This may include malicious employees who exploit their position, e.g., with a view to scamming the company, but, to a large extent, the threat may also be posed by employees who make mistakes unknowingly and are not aware of the security policies in place. This is precisely why access control and policy awareness are so crucial.
  5. Grant as few privileges as possible
    This is closely tied to advice number 3: Keep track of those with privileged access. Once hackers have gained a foothold in a system, their first goal will often be to gain privileged rights at a level equivalent to the system administrator. Therefore, it is a good idea to limit the number of users who have privileged rights in the systems. In addition to making life more difficult for potential hackers, it will also be significantly easier to get an overview of who in the organization has access to what.
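Tips 3 and 5 can be checked against an export of who holds which rights. The following is an added example, not part of the original article; the role names, entitlement names, users and data layout are all constructed assumptions. It flags rights beyond a role's need-to-have set, users in different roles with identical copies of each other's rights, and everyone holding privileged rights.

```python
from collections import defaultdict

# Constructed sample data: the rights each role needs, and an export of
# what each user actually holds. All names here are hypothetical.
ROLE_BASELINE = {
    "finance": {"erp.read", "erp.post_invoice"},
    "hr": {"hr.read", "hr.edit_records"},
    "it_admin": {"ad.admin", "erp.admin", "hr.read"},
}
PRIVILEGED = {"ad.admin", "erp.admin"}
USERS = {
    "alice": ("finance", {"erp.read", "erp.post_invoice"}),
    "bob": ("hr", {"hr.read", "hr.edit_records", "erp.read", "erp.post_invoice"}),
    "carol": ("finance", {"erp.read", "erp.post_invoice", "erp.admin"}),
    "dave": ("it_admin", {"ad.admin", "erp.admin", "hr.read"}),
    "erin": ("hr", {"ad.admin", "erp.admin", "hr.read"}),  # copied from dave
}

def excess_rights(users, baseline):
    """Entitlements a user holds beyond the need-to-have set of their role."""
    found = {}
    for name, (role, held) in users.items():
        extra = held - baseline.get(role, set())  # unknown role: all is excess
        if extra:
            found[name] = sorted(extra)
    return found

def cloned_rights(users):
    """Groups of users in different roles holding identical entitlement sets."""
    groups = defaultdict(list)
    for name, (role, held) in users.items():
        groups[frozenset(held)].append((name, role))
    return [sorted(n for n, _ in members)
            for members in groups.values()
            if len({r for _, r in members}) > 1]

def privileged_holders(users, privileged):
    """Users with any privileged right, for the 'who has access to what' view."""
    return {n: sorted(held & privileged)
            for n, (_, held) in users.items() if held & privileged}

if __name__ == "__main__":
    print("Beyond need-to-have:", excess_rights(USERS, ROLE_BASELINE))
    print("Copied rights:", cloned_rights(USERS))
    print("Privileged:", privileged_holders(USERS, PRIVILEGED))
```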

Implement Zero Trust into your Identity and Access Management Strategy 

The above measures create a good foundation for protecting the organization from human error. To take your security efforts to the next level, a Zero Trust security model is the best choice.

The Zero Trust model never trusts and always verifies: it treats all requests within the organization’s network as if they came from an untrusted source. This way, all users are continuously authenticated, authorized, and validated before gaining access to data or applications.

Even though the Zero Trust model includes several factors, the common denominator is the user. The underlying principle is to control who has access to which systems and data, and to have well-defined policies that define when to allow or restrict access and how to enforce it.

That is why Zero Trust should be a central part of any organization’s Identity and Access Management strategy. 
