Tackling the role human error plays in data breaches

Cyberattacks today are an inevitable occurrence, rather than a mere possibility. News arrives almost daily of another organization seeing its systems taken offline or its data stolen as a result of a cyber intrusion. The nature of modern businesses means that cybersecurity lapses pose a very real threat to their ongoing survival – and preventing them is something every single employee in an organization has a role to play in.

Thales’ 2024 Data Threat Report revealed human factors are still a major cause of cloud data breaches. Of the IT professionals that were surveyed, 22% stated that human error was the single most concerning threat. Furthermore, 74% placed threats from human error as a key priority. In the last three years, human error has ranked either first or second as the leading source of cyberattacks for enterprises.

With so many cyberattacks coming down to simple human error – and cybercriminals often capitalizing on the human propensity to make mistakes – how can businesses mitigate these people-related risks, and secure their IT infrastructure?

Chris Harris

EMEA Technical Associate Vice President of Data Security Products at Thales.

Remote work is an added cybersecurity frontline

Many cyberattacks can start innocuously enough. Phishing emails are one common way – tricking an unsuspecting employee who might have let their guard down into clicking a malicious link, or sharing compromising information such as passwords.

Passwords have had long-running challenges from a security perspective – placing the burden on users, and relying largely on human memory, means the risk of people falling back on using the same memorable passwords across multiple accounts is high. While conventional advice recommends issuing long, complex passwords for professional use, the reality is that this doesn’t happen nearly enough.

Remote working has given many employees welcome flexibility in how they get their jobs done – but at the same time, it does carry additional cybersecurity risks. Employees may be less likely to speak up and raise concerns in a remote environment, or, with their guard down in the familiar surroundings of home, may be more likely to fall victim to a phishing scam. Flexible and hybrid work arrangements are the norm across many industries, but with so much variation in the types of networks employees use to access sensitive documents and data, the likelihood of exposing company data on insecure networks is increased.

The impact of data breaches

Whether operational or financial, the aftermath of a successful data breach can be devastating. Businesses can be brought to a complete halt, not to mention added losses through ransom payments and fines resulting from the breach.

There are also the longer-term impacts on reputation and customer loyalty, with the brand damage resulting from a successful breach often lasting a long time. Customers, suppliers, and partners may also see their stories covered in the media, multiplying the impact.

From awareness to prevention

Reducing the cyber impact from people-related risks is as much a cultural and behavioral change as it is a technological one. Business leaders need to get proactive about building an understanding amongst employees of the role they can – and must – play in protecting both themselves and the organization they work for.

At the same time, any policies that are set also need to account for how people in the organization actually work. If the rules are too strict, employees will look for insecure shortcuts to work around them. Whether it’s the use of personal devices, email accounts, or unauthorized memory storage devices, what the business has as a policy and what employees end up doing can be very different – and that poses a huge risk.

The human element should be at the forefront of every cybersecurity plan. Employees should be consulted about their preferences when designing protocols, to ensure that there is full accessibility and understanding across all job roles and departments within the organization.

Finally, businesses can also make progress by auditing and changing how they’re authenticating their systems and data. By shifting away from passwords to biometrics, or other stronger and easier-to-use systems like passkeys, businesses can get away from relying on the human memory of their workforce – and the associated risks.

In a world of evolving threats, no business can ever realistically consider itself ‘finished’ with cybersecurity. But by considering the above, leaders will be well on their way to mitigating one of the common ways organizations find themselves breached – and empowering their employees in the process.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro