Security Convergence and The Human Error

The cyber defences of UK businesses are faltering as 50 per cent of businesses reported a cyber attack or breach over the past 12 months, according to the government’s latest Cyber security breaches survey 2024.

Human error accounts for 74% of all data breaches according to Verizon’s Data Breach Investigations Report of 2023. This makes it the biggest risk to corporate security, as well as one of the most difficult to address. Everyone makes mistakes, and it’s tricky for security measures to account for this.

In this article, Titan Security Europe discusses the risk of human error and explores the benefits of implementing security convergence in efforts to combat it.

Cyber security & human error

In cybersecurity, human error is defined as unintentional action (or inaction) by a person that results in unsafe outcomes such as data breaches. There are two key types of human error:

  • Skill-based errors: Errors that occur as a result of a temporary lapse. The employee knows the correct procedure for the task they are carrying out, but as a result of tiredness, inattention or distraction, they make a seemingly small error that can have a huge impact.
  • Decision-based errors: Errors in which an employee makes an active decision that leads to a breach or risk, but does not do so with malice. Usually, this is the result of a lack of knowledge or training. Inaction also counts as a decision-based error, such as ignoring a security alert and continuing with a task regardless.

Human error can take forms such as:

  • Employee Negligence: Employee negligence accounts for around 42% of all human error-based cyber threats. Negligence includes devices left unattended and data mishandling. Such negligence is rarely malicious, but it can lead to data falling easily into the wrong hands, which can cause major breaches.
  • Security Vulnerabilities: Small and seemingly insignificant factors such as weak passwords, leaving accounts and devices unlocked and leaving credentials out in the open can lead to hacking, stolen credentials and stolen data.

Such errors can lead to:

  • Phishing Scams: Phishing scams are the most common cyber attack against businesses. Phishing scams see fraudsters contacting employees claiming to be a partner, client or fellow employee requesting sensitive data to be sent to them. In most cases, falling for these attacks comes down to human error.
  • Lost/Stolen Devices: Accounting for 28% of human error-based cyber threats, devices that contain employee credentials, sensitive data and more can be lost through negligence, or can be stolen easily if a remote worker or a commuter carrying their work device becomes distracted.
  • Stolen Employee Credentials: Accounting for 33% of all data breaches based on human error, employee credentials can be stolen if a record of them is left out where anyone could find them, or even if remote workers work on a public network, leaving them susceptible to hackers. Stolen credentials allow non-employees to gain access to systems and data without being detected.

Importance of security convergence

Little can be done to entirely prevent human error. However, steps can be taken to minimise the chance of human error occurring, and to prevent the fallout if an error does occur.

This is where security convergence comes in. Security convergence is the process in which physical security measures are used alongside cyber security measures to create a security system with less room for failure.

Physical and cyber security measures work together to cover each other’s blind spots. While cyber security works to protect data stored in the cloud in ways physical security cannot achieve, physical security measures act to cover human error – and do not rely on electricity, internet connection or other digital means that could fail.

Security convergence, in short, ensures that a business is covered on all grounds, at all times.

Security convergence in action

If implemented correctly, security convergence minimises the risk and fallout of human error, protecting businesses from careless and costly mistakes.

Below are some examples of security convergence in action.

Human Error: Phishing Scams.

The Cyber Side: Multi-factor authentication should be put in place for email access. Emails coming through to employees should be screened, with only recognised identities being able to contact employees of a company.

The Physical Side: Employers should hold regular training sessions for employees on how to spot and prevent phishing scams. Employees should be told to send any suspicious requests on to superiors for checks. Employees should also ask for authentication – be it a password or proof of credentials – before sending sensitive data at the request of someone else.

Human Error: Employee Negligence.

The Cyber Side: Devices should lock when idle for longer than a couple of minutes and require password entry to unlock. Data encryption should be in place on all sensitive data, so that employees have to enter a specific code in order to decrypt and use it. Passwords should be secure and changed often.

The Physical Side: CCTV should be in operation and consistently monitored throughout the building to allow intervention to occur should someone be found handling a device that is not their own. Security guards should also be in place in the main reception of an office, checking identifications of everyone who enters and preventing entry to any unauthorised persons.

Human Error: Stolen Credentials.

The Cyber Side: MFA ensures that credentials alone are not enough to access an account, system or data. Even if someone gets hold of an employee’s credentials, they would not be able to access data without having access to the employee’s phone to receive a code, or without having the employee’s biometrics.

The Physical Side: Enforce zero-trust policies and monthly forced password resets. Run security awareness programmes to alert employees to the dangers of leaving credentials out for anyone to find – employees should be discouraged from writing credentials down in notebooks or on paper, and even if they do, these should not be left out on desks or in public spaces.

Human Error: Lost/Stolen Devices.

The Cyber Side: Data held on corporate devices should be protected by firewalls, passwords and data encryption. Failsafes should be in place that cause the device to be wiped entirely if the wrong password is entered a certain number of times.

The Physical Side: For in-office work, devices should be used at work and at work alone. When not in the office, employees should hand their devices in to security personnel, who will only release each device to its registered employee. Remote workers should be provided with separate laptops and phones for work purposes, to prevent important data being mixed in with their personal devices.

Conclusion

The unavoidability and unpredictability of human error are what make it such a huge risk to corporate security. No amount of cyber protocol alone can fully prevent a distracted misclick or a careless loss.

Security convergence minimises the chance of human error leading to a costly loss. The introduction of physical systems alongside cyber systems covers blind spots, allows for intervention, and offers a final line of defence that cyber security alone struggles to provide.
