The Impact of the Human Factor in IT Security
For today’s businesses, cybersecurity is a mission-critical topic. This is even more so in light of a recent study which reported that a staggering 60% of small and mid-sized businesses end up shutting down within six months of a cyberattack. With odds like that — any type of cybersecurity failure is an existential threat. That is the reason why most organizations do everything they can to defend their computing infrastructure and keep attackers at bay.
However, a business network’s biggest vulnerability has nothing to do with its technology. According to the 2022 Verizon Data Breach Investigations Report, a full 82% of all data breaches stem from a human element. That means most hacks happen because a business user — either intentionally or inadvertently — enabled them. Therefore, if business organizations want to keep their data safe, their employees are where they should focus their attention.
For cyber attackers it is much easier to target the human factor. After all, finding and exploiting code vulnerabilities in software requires plenty of specialized skills. By contrast, it takes almost no skill — or effort — to send out thousands of phishing emails, then wait for a human to fall for one and divulge sensitive information.
Similarly, it’s much easier for an attacker to go looking for misconfigurations in software and storage settings to find a way into a protected system. The point is that human error is a major source of cybersecurity risk. Unfortunately, plenty of businesses have found that out the hard way. In this article we discuss some particularly egregious examples of this. We also provide some tips and strategies businesses can use to guard against this risk.
The Sony Pictures Entertainment Hack
Back in 2014, state-sponsored hackers from North Korea targeted Sony Pictures Entertainment with a novel phishing attack. Instead of trying to trick employees into divulging their work-related credentials, they instead sent emails purporting to be from Apple, Inc. The idea was to try and gain access to employees’ Apple ID credentials. Then, once they’d amassed a trove of those credentials, they simply tried those passwords with the users’ work-related accounts. It didn’t take long for them to find a user that had reused the same password on both their personal and business accounts. Once inside, the attackers took their time and stole over 100TB of confidential data from the company.
The Pentagon Email Hack
Even high-security organizations like the US Department of Defense can fall victim to human error-based cyberattacks. Back in 2015, the Pentagon disclosed a breach of its unclassified email system involving the credentials of more than 4,000 military and civilian personnel. The attack stemmed from a spear-phishing campaign that successfully tricked an employee into opening a malware-infected webpage. That introduced password-stealing malware into the Pentagon’s network, resulting in the breach. It’s the perfect example of how just getting a user to click on a link in an email can be enough to cause a major cybersecurity headache.
The Microsoft Customer Database Breach
In a sign that no company is immune from human error-related cybersecurity incidents, Microsoft announced in 2020 that they had inadvertently disclosed as many as 250 million customer records online. The culprit was a misconfigured database that lacked proper authentication protocols. As a result, anyone who stumbled upon the database would have had unfettered access to it. Although Microsoft addressed the problem the day they became aware of it, there’s no telling who accessed or copied the data.
Accounting for the Human Factor
As the examples above make clear, there are multiple ways that the human factor can affect a business’s cybersecurity. The good news is that there are methods to account for the human factor and guard against related attacks. Here are a few:
Use Hardware Security Keys and 2FA
Many of the attacks that exploit the human element revolve around stealing user credentials to gain access to protected systems. To neutralize such threats, businesses should turn to hardware security keys and two-factor authentication (2FA).
Hardware security keys are physical devices that authenticate a user with public-key cryptography in place of passwords. Using them accomplishes two things. The first is that they replace ordinary passwords with a long cryptographic credential that cannot be guessed or cracked. The second is that, because the secret never leaves the device, employees cannot reuse it across accounts or accidentally hand it over to a phishing page.
Also, for legacy systems that don’t work with hardware security keys, 2FA can serve as a suitable substitute. Although not impervious to hacks, 2FA offers decent protection against most garden-variety phishing attempts, making it well worth employing on every system that supports it.
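To make concrete why a hardware key resists the credential-relay phishing described above while a password does not, here is an added toy model of the FIDO2/WebAuthn challenge-response flow (example code written for this article, not Outsource IT's own tooling). Real authenticators sign with an asymmetric private key that never leaves the device; this model substitutes HMAC-SHA256 so it needs only the standard library, which is a deliberate simplification. The site names, user and password are constructed.

```python
"""Origin-bound challenge-response versus a relayed password (toy model).

ASSUMPTION: a real FIDO2 key signs with a private key and the service keeps
only the public key. Here HMAC-SHA256 stands in, so the service holds the same
secret as the key; the origin-binding logic is what the example is about.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example.com"             # constructed real site
PHISH_ORIGIN = "https://mail-example.com.evil.test"  # constructed look-alike


class HardwareKey:
    """Stand-in authenticator: one secret per registered credential."""

    def __init__(self):
        self._secrets = {}

    def register(self):
        cred_id = secrets.token_hex(8)
        self._secrets[cred_id] = secrets.token_bytes(32)
        # A real key would return a public key here; HMAC secret is the simplification.
        return cred_id, self._secrets[cred_id]

    def sign(self, cred_id, challenge, origin):
        # The browser, not the page, tells the key which origin is asking, so the
        # key always signs over the site the user is actually on.
        msg = origin.encode() + b"|" + challenge
        return hmac.new(self._secrets[cred_id], msg, hashlib.sha256).digest()


class RelyingParty:
    """The genuine service: issues one-time challenges and checks origin + challenge."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}      # user -> (cred_id, verifier)
        self.passwords = {}  # user -> password, kept only for the contrast case
        self.pending = {}    # user -> outstanding challenge

    def enroll_key(self, user, cred_id, verifier):
        self.users[user] = (cred_id, verifier)

    def set_password(self, user, password):
        self.passwords[user] = password

    def start_login(self, user):
        challenge = secrets.token_bytes(32)   # fresh per attempt, so no replay
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, claimed_origin, signature):
        challenge = self.pending.pop(user, None)
        if challenge is None or claimed_origin != self.origin:
            return False
        cred_id, verifier = self.users[user]
        expected = hmac.new(verifier, claimed_origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    def password_login(self, user, password):
        return self.passwords.get(user) == password


def setup():
    key, rp = HardwareKey(), RelyingParty(REAL_ORIGIN)
    cred_id, verifier = key.register()
    rp.enroll_key("alice", cred_id, verifier)
    rp.set_password("alice", "Summer2024!")   # constructed password
    return key, rp, cred_id


def legitimate_login():
    key, rp, cred_id = setup()
    challenge = rp.start_login("alice")
    sig = key.sign(cred_id, challenge, REAL_ORIGIN)   # browser is on the real site
    return rp.finish_login("alice", REAL_ORIGIN, sig)   # True


def phished_key_login():
    """A look-alike site forwards the real challenge and relays the answer."""
    key, rp, cred_id = setup()
    challenge = rp.start_login("alice")
    sig = key.sign(cred_id, challenge, PHISH_ORIGIN)  # browser is on evil.test
    return rp.finish_login("alice", REAL_ORIGIN, sig)  # False: signed over wrong origin


def phished_password_login():
    """The same relay against a password: the typed secret works verbatim."""
    _, rp, _ = setup()
    return rp.password_login("alice", "Summer2024!")    # True


if __name__ == "__main__":
    print("key, real site:", legitimate_login())
    print("key, phishing relay:", phished_key_login())
    print("password, phishing relay:", phished_password_login())
```

The deciding line is the origin that the key signs over: the browser supplies it, so an assertion produced on the look-alike domain is useless at the real service, whereas a password typed into the look-alike page is accepted as-is.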
Deploy Comprehensive Endpoint Security
As the example of the Pentagon email breach makes clear, something as benign as a link in an email can represent a major threat to a business network. However, because it’s impossible to be sure that no employee ever receives or clicks on such a link, the next best thing is to deploy endpoint security software on all PCs and devices accessing any business network.
The latest innovation in endpoint security is called extended detection and response (XDR). It serves as something of a cybersecurity safety net, looking for active and passive threats at the device level. In practice, this means it can react to block malware download and installation, redirect end users away from infected websites, and quarantine suspicious files, among other things. With such a solution in place, businesses gain a measure of protection against human-initiated cybersecurity threats.
Create a Data Storage Policy With Audit Procedures
Sometimes, the best defense against human error is to provide a checklist for employees to follow and a second pair of eyes to double-check that it’s followed to the letter. When it comes to data storage and security, that’s a very effective tactic.
The best place to start is to create and document minimum security standards for data storage, a step-by-step configuration checklist for storage systems, and a clear audit procedure to catch and correct any configuration mistakes. That way, small configuration oversights won’t turn into massive vulnerabilities.
On top of that, it’s a good idea to define data collection and retention policies, with an eye toward eliminating any sensitive data the business doesn’t need. After all, the less data there is to protect, the better the odds the business will be able to protect it.
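The checklist-plus-audit approach can be partly automated once the minimum standards are written down. The following added example (illustrative code for this article, not an Outsource IT product) audits a set of constructed storage configurations against a constructed policy covering authentication, public exposure, encryption at rest, retention and data classification. The setting names are hypothetical rather than tied to any vendor; the one design point worth copying is that a setting nobody recorded is treated as a finding rather than silently passed.

```python
"""Audit storage configurations against a written minimum standard.

ASSUMPTION: setting names (auth_required, public_access, encryption_at_rest,
retention_days, data_classes) and the policy values are hypothetical and
constructed for illustration.
"""

POLICY = {  # constructed minimum standard
    "max_retention_days": 365,
    "allowed_data_classes": {"public", "internal", "customer"},
}

SAMPLE_CONFIGS = [  # constructed sample inventory
    {"name": "support-logs", "auth_required": True, "public_access": False,
     "encryption_at_rest": True, "retention_days": 90, "data_classes": ["customer"]},
    {"name": "analytics-db", "auth_required": False, "public_access": True,
     "encryption_at_rest": True, "retention_days": 400, "data_classes": ["customer"]},
    {"name": "build-cache", "auth_required": True, "public_access": False,
     "retention_days": 30, "data_classes": ["internal"]},   # encryption never recorded
    {"name": "website-static", "auth_required": False, "public_access": True,
     "encryption_at_rest": True, "retention_days": 30, "data_classes": ["public"]},
]


def audit(config, policy=POLICY):
    """Return a list of human-readable findings for one storage configuration."""
    findings = []
    name = config.get("name", "<unnamed>")

    def setting(key):
        # Fail closed: a setting that was never written down is itself a finding.
        if key not in config:
            findings.append(f"{name}: '{key}' is not set")
        return config.get(key)

    classes = set(setting("data_classes") or [])
    only_public = bool(classes) and classes <= {"public"}

    unknown = classes - policy["allowed_data_classes"]
    if unknown:
        findings.append(f"{name}: unrecognised data classes {sorted(unknown)}")

    # Authentication may only be switched off for purely public content.
    if setting("auth_required") is False and not only_public:
        findings.append(f"{name}: authentication disabled on non-public data")

    # Public reachability is likewise only acceptable for purely public content.
    if setting("public_access") is True and not only_public:
        findings.append(f"{name}: publicly reachable but holds "
                        f"{sorted(classes - {'public'})} data")

    if setting("encryption_at_rest") is False:
        findings.append(f"{name}: encryption at rest disabled")

    retention = setting("retention_days")
    if retention is not None and retention > policy["max_retention_days"]:
        findings.append(f"{name}: retains data {retention} days, "
                        f"limit is {policy['max_retention_days']}")
    return findings


def audit_all(configs, policy=POLICY):
    """Map each configuration name to its findings (empty list means compliant)."""
    return {c.get("name", "<unnamed>"): audit(c, policy) for c in configs}


if __name__ == "__main__":
    for store, findings in audit_all(SAMPLE_CONFIGS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{store}: {status}")
        for f in findings:
            print("  -", f)
```

Run against the sample inventory, `support-logs` and `website-static` pass, `analytics-db` collects three findings (no authentication, public exposure of customer data, retention beyond the limit), and `build-cache` is flagged only because its encryption setting was never recorded. Pointing the same function at a real inventory export gives the second pair of eyes the article recommends.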
Turn a Weakness Into a Strength
Although the three tips listed above will help to minimize the human factor as a cybersecurity weakness, there’s no way to completely eliminate it. Therefore, in addition to those tactics, it’s a good idea to invest in cybersecurity awareness training for employees. This type of training can empower them to serve as an additional layer of defense — or at least make them less of an attack vector for bad actors to exploit.
Of course, it’s also a good idea to partner with a firm that knows how to handle business IT security. The team of experts here at Outsource IT have years of experience in the cybersecurity field. Additionally, we excel at helping businesses improve their cybersecurity posture and defend themselves from attacks. To learn more, contact an Outsource IT account manager today for an IT security assessment, and we’ll help your organization develop a top-to-bottom cybersecurity plan to thwart the best-laid plans of any bad actors — internal or otherwise.