We can take all the precautions and preventive measures possible to minimize the risk of cybercrime impacting ourselves or our businesses. But at the end of the day, all it takes is simple human error to put everything in jeopardy. Whether it’s a link click, download, missed update, or misconfiguration, everyday mistakes can lead to big problems.
Individuals and businesses alike have suffered huge losses due to cybersecurity incidents including data breaches, ransomware attacks, system disruption, and more. And a surprisingly large number of these incidents could have been avoided had it not been for human error.
In this post, we examine the impact that people’s mistakes have on cybersecurity. We also provide some handy tips for trying to minimize the impact of human error on your individual cybersecurity as well as businesses’ bottom line.
Human error in cybersecurity
We’ve compiled the most interesting statistics, facts, and trends from recent studies to paint a picture of how human error is impacting the world of cybersecurity.
1. Almost half of US workers trust public wifi hotspots
Public wifi hotspots are notoriously unsecure. Hackers prey on unsuspecting users to steal information such as passwords, financial details, and other personal information. Really, no one should be connecting to a public network without connecting to a suitable VPN for public wifi first (to encrypt your internet traffic and keep it hidden from snoopers).
Even so, according to the Proofpoint 2020 User Risk Report, 45 percent of workers in the US believe that public wifi is safe when they are in a trusted location. Globally, we’re a bit more savvy, with 26 users worldwide trusting public hotspots.
2. 14 percent of workers in the UK don’t lock their smartphones
The Proofpoint report also found that more than one in 10 UK workers never lock their smartphones. This is in spite of the fact that 41 percent of workers admit to using their smartphone for both work and personal activities.
Globally, 42 percent of respondents use a biometric lock (for example, a fingerprint scan) and 24 percent use a four-digit PIN to unlock their device, but 10 percent have no lock on their device at all.
3. Half of workers share access to an employee-issued device with family and friends.
Proofpoint worryingly found that 50 percent of respondents admitted to allowing family or friends to use their work-issued device. While the motives behind this may be harmless (the most common reason is to check email), you just never know what someone might mistakenly click on.
4. Human error is a major cause of data breaches
What do Equifax, Capital One, and New Zealand’s gun buyback scheme have in common? They were all impacted by data breaches caused primarily by human error. According to testimony, the Equifax breach could have been avoided had an employee heeded security warnings and implemented the necessary software fixes.
But these are not anomalous cases. The UK Information Commissioner’s Office (ICO) tells us the vast majority (90 percent) of UK cyber data breaches in 2019 were caused by human error.
And Kaspersky’s IT security economics in 2019 report tells us that “inappropriate IT resource use by employees” is the most common cause of a data breach, with 50 percent of SMBs reporting these types of incidents.
Other factors related to human error played a significant role too, including the loss of company-owned devices or media (42 percent), loss of company-owned mobile devices (42 percent), and loss of BYOD devices (41 percent).
5. Misdelivery and misconfiguration are among the top causes of data breaches
Verizon’s 2020 Data Breach Investigations Report further sheds light on the matter and analyzes the causes of data breaches in a slightly different manner. It found that phishing is the top threat action variety in breaches, playing a role in more than 20 percent of cases. Other human errors (misdelivery and misconfiguration) were in the fourth and fifth spots respectively, each representing the top threat action in around 10 percent of breaches.
In addition, the report found that some of the top malware vectors in data breaches are human error related. Email links, download by malware, and email attachments held the first, third, and fourth spots respectively.
When it comes to the high-level actions that cause data breaches, error is the only one that continues to increase in frequency.
The top error varieties are misconfiguration, misdelivery, and publishing errors.
As Verizon points out:
…there is no getting away from the fact that people can, and frequently do, make mistakes and many of them probably work for you.
6. 58% of organizations report that employees ignore cybersecurity guidelines
One of the most alarming (but perhaps not all that surprising) findings of Netwrix 2020 Cyber Threats Report was that more than half of respondents said that employees ignored policies and guidelines surrounding cybersecurity.
It appears employees are simply modeling their executives though, as 85 percent of CISOs admitted to loosening cybersecurity measures so that employees could work remotely.
7. The pandemic appears to have had an impact on human error concerns
An interesting comparison in the Netwrix 2020 report shows figures for how critical threats were considered pre- and mid-pandemic. A huge increase was observed in “accidental and improper sharing of data by employees.” Pre-pandemic, 58 percent of organizations considered this a critical threat, but now that figure is 92 percent.
At the same time, other human error concerns have been alleviated to some extent. For example, critical concerns around “misconfiguration of cloud services” dropped from 71 percent to 44 percent, and “accidental changes and other mistakes by admins” saw a similar decline.
8. Most people are guilty of using weak passwords
A 2019 Google/Harris Poll study found that a whopping 59 percent of users include their birthdate in their password. Plenty of others use other easily discoverable information such as the name of their spouse, children, or pet.
What’s more, the most popular passwords are incredibly easy to guess. According to an OWASP SecLists project GitHub page, the top choices are 123456, Password, 12345678, qwerty, and 123456789.
This is particularly concerning given that in its 2020 Data Breach Investigations Report, Verizon found that of 868 hacking-related breaches, 80 percent involved passwords. Hackers either used lost or stolen credentials or brute force attacks (to guess passwords).
9. Password reuse is extremely common
With so many online accounts to deal with (HYPR says many of us manage more than 30 each), remembering all these passwords can be tough. As such, it’s no surprise that people tend to reuse passwords on multiple accounts. However, this can be a risky practice. If a set of credentials is compromised, for example, in a data breach, cybercriminals can use a tactic called credential stuffing to use that username and password combination to hack into other accounts.
There are lots of numbers floating around about the prevalence of password reuse, but the fact of the matter is that it’s far more common than it should be. Here is some data that shines a light on this issue which affects both personal and work accounts:
- The Google/Harris Poll study found that 66 percent of users reuse passwords across accounts.
- Microsoft found that 44 million users were reusing passwords across accounts.
- Another Google survey discovered 13 percent of users utilized the same password for every account and an additional 52 percent used the same password on multiple accounts.
- 72 percent of respondents to the HYPR survey admitted to reusing passwords.
- LastPass discovered employees were happily reusing passwords on 13 different accounts.
- According to the Ponemon Institute’s The 2020 State of Password and Authentication Security Behaviors Report, IT professionals are the worst offenders, with 50 percent reusing passwords compared to 39 percent of other employees.
10. Password sharing is common too
The Google/Harris Poll survey found that a whopping 43 percent of users have shared their password with someone at some point, including 20 percent of people who have divulged credentials for their email account and 17 percent for online shopping accounts.
The Ponemon report adds more intrigue to these results as it splits up data from IT specialists and other individuals. It found that 49 percent of IT professionals admitted to sharing passwords with their colleagues. This is almost the same figure as for other employees (51 percent).
11. Only 45 percent would change their password after a breach
You would think that after being notified of a data breach, it’s common sense to change your password on any account that uses that set of credentials. But not so. Google found that only 45 percent said they would change their password after being notified of a data breach.
A concerning statistic in the Ponemon Institute survey was that only 65 percent of IT specialists would change their account protection methods after an account takeover. While this represents a majority, you would hope that the percentage would be greater. Indeed, the number for other individuals was quite a bit higher at 75 percent.
12. Almost half of organizations use sticky notes to help manage passwords
Ever walked into an office and observed a computer monitor surrounded by sticky notes bearing various passwords? It’s not an uncommon sight. Indeed, according to the Ponemon Institute, 42 percent of organizations rely on this practice to ensure employees can log into various accounts.
13. Human error is a key factor in data loss
Organizations are quick to blame malicious actors for their cybersecurity woes, but the reality is often very different. The Netwrix 2018 IT Risks Reports report compares expected and actual numbers for various types of cybersecurity incidents and some of the results were interesting.
For example, while organizations expected human error to account for 39 percent of data loss, in reality, 50 percent of data loss incidents were due to people’s mistakes.
Human error was found to play a significant role in other issues, including intellectual property theft (22 percent), system disruption (43 percent), and physical damage (32 percent). As for the latter, Netwrix notes that:
Organizations list hackers as the top threat to their hardware assets, but most physical damage is actually the result of mistakes, negligence or bad luck — you’re more likely to suffer physical damage from a business user spilling coffee on a computer than from an attack by a hacker.
When it comes to data breaches, Netwrix attributed 29 percent to human error, but a further 26 percent to phishing attacks and 23 percent to password sharing, both of which could also be considered human error.
14. Human intelligence is the best weapon against phishing attacks
Some would argue that phishing attacks don’t fall under the category of human error, but the fact remains that phishing relies on user action (prompted by social engineering).
In its 2019 Annual Phishing Report, Cofense underscored the vital role of awareness training in preventing successful phishing attacks.
When perimeter technology fails, people must step up. Given the right conditioning, they will. They’ll unite to become a “Human Intrusion Detection System,” a set of sensors intuiting threats your controls miss. It’s human intelligence, not the artificial variety.
One example cited was that of a phishing scheme that targeted a major healthcare organization. While the phishing campaign was extremely sophisticated and bypassed controls, thanks to swift employee reporting, the attack was stopped in under 20 minutes.
15. The most-clicked phishing lures are related to “brain food”
A section in the Proofpoint Human Factor 2019 Report tells us about the types of content phishing victims are most likely to click. The most clicked lure in 2018 was by far “brain food.” This refers to a botnet responsible for distributing spam related to mental enhancement and diet. It often sends users to phishing sites that harvest credit card data.
Brain food lures had an average click rate of 1.6 per message. A high click rate above one indicates that messages are shared and receive multiple click-throughs.
Other types of lures that get people clicking include Blackboard (which collects login information for school management platforms), We Transfer (a file-sharing tool), and Zoominfo (a contact information database).
16. $1 billion is spent on cyber security awareness training each year
Although it may be underestimated, the issue of human error in cybersecurity has not gone unnoticed. Businesses across the globe are ramping up efforts to improve employee knowledge to help prevent mistakes. The global market for cybersecurity awareness training topped $1 billion last year and shows no sign of slowing down, with a growth rate of roughly 13 percent per year.
Data from 2020 Netwrix IT Trends Report: Reshaped Reality supports these spending figures, finding that one of the most important IT projects across organizations involves raising employee cybersecurity awareness. It was named a priority by more than half (52 percent) of organizations. What’s more, the percentage of mid-size organizations planning to invest in security awareness more than double compared to last year, increasing from 33 percent to 67 percent.
What can be done to mitigate the risk of human error?
As we can see, human error is a huge liability. That said, there are measures you can take to minimize the impact that people’s mistakes have on your organization’s cybersecurity. Below are some avenues to consider. Note that while these focus on a business environment, many of these measures can be applied at home too.
1. Have more controls in place
There are a ton of ways to implement controls in your organization to help boost cybersecurity. For example, using the principle of least privilege, you can limit the data and functionality that each employee has access to. This lowers the chance that information will be lost or fall into the wrong hands.
Access control can also be used to mitigate the risks of errors such as misdelivery or misconfiguration. For instance, requiring an extra set of eyes on certain tasks means that more than one person would have to make the same error for it to go unnoticed.
2. Improved password practices
Password practices can be improved with controls too. For example, you can force regular password changes and stipulate that passwords abide by a set of rules pertaining to length and composition. You may find our password strength checker and strong password generator tool helpful for this.
In a similar vein, you can mandate or encourage the use of a password manager for all work-related accounts. You can also set up platforms to require 2FA or 2SV. This means that even if weak passwords are being used or people are sharing passwords, there is another layer of protection in place.
Another way to make life easier for employees is to implement a Single Sign-On (SSO) system where one password is used to access multiple accounts.
3. Utilize cybersecurity awareness training
As mentioned, phishing attacks require human misaction to be successful. But it’s also human action that can nip these attacks in the bud. A major deciding factor in which way things will go is simple: knowledge. Most cybersecurity awareness training programs focus on teaching employees how to spot, avoid, and report phishing attacks, so your organization can be ready when the inevitable attacks hit.
Training programs also help with other areas involving human error including password management, spotting malware, data handling, and physical security.
4. Filter incoming emails
Of course, it’s easier for employees to avoid phishing attacks if there are fewer opportunities for them to slip up. One simple way to limit the risk of phishing emails is to flag messages from outside the company. You can even remove links from external emails and sandbox attachments to confirm they are safe.
5. Ensure devices are locked
Whether employees are using company-issued devices or you have a Bring Your Own Device (BYOD) policy, you can stipulate rules to abide by. For example, a simple measure is to require that all devices are locked with a PIN, passphrase, biometric lock, or similar.
6. Encourage the use of other security apps
You can also require the use of a VPN, in particular when connecting to public wifi hotspots. This will ensure that all internet traffic is encrypted and unreadable if intercepted. You may even want to mandate or encourage the use of apps that can help find lost or stolen devices (such as the Google Find My Device tool or Apple Find My app) and remotely wipe devices.
7. Use mobile device management platforms
You might want to go a step further and utilize Mobile Device Management (MDM) or Mobile Application Management (MAM) platforms. These tools can perform a variety of tasks, including forcing data encryption, running malware scans, wiping data, and tracking devices.
8. Create an environment that helps prevent human error
We all know how environmental factors can affect our concentration and focus. And it’s not a stretch to say that our surroundings can have an impact on the number of mistakes we make. Ensuring staff are working in an organized and relatively quiet environment that’s not too hot, cold, or humid could go a long way in helping reduce errors.
Other factors to consider include tiredness (perhaps due to long shifts), excess workload, privacy, and even posture.
9. Improve the culture around cybersecurity
It’s all too easy to have a lackadaisical attitude toward cybersecurity… until it’s too late. If your organization has a purely reactive approach to information security, there needs to be a culture shift. Taking some of the above steps can certainly help. In addition, you can implement initiatives to remind workers about security actions and policies, for example, via posters or emails.
You should also encourage discussion around cybersecurity and ensure that employees know where to direct any questions they may have. Bear in mind that culture changes often trickle down from the top, so higher-level employees, in particular those in the IT department, need to set a good example.