According to the Ponemon Institute's recently published report, Cost of a Data Breach, human error was the main contributing factor in 24% of data breaches in the last year, ranking it among the top three root causes, just behind system glitches and malicious or criminal attacks.
The report’s findings highlight the importance of implementing an Information Security Awareness program to educate employees about risks and train them on how to protect data within their organization.
Another study, the Verizon 2019 Data Breach Investigations Report (DBIR), reports that the primary threat action in almost one third of data breaches (32%) is phishing. This reinforces the important role played by phishing simulation tests and exercises as part of any successful Information Security awareness plan.
Lack of IS awareness: a root cause of cybersecurity breaches
According to the Ponemon Institute, the global average cost of a data breach in 2019 is $3.92 million, a 1.5 percent increase on the previous year.
The nature of human error varies, but common scenarios include employees sharing their passwords or login details, sending confidential information to the wrong recipients, or falling for social engineering techniques.
On social engineering specifically, the Verizon 2019 DBIR figure cited above (phishing as the primary threat action in 32% of breaches) is closely followed by the use of stolen credentials, which are in turn frequently harvested by the same email phishing campaigns, designed to exploit recipients who mistake a phishing email for a legitimate communication.
What the above serves to highlight is how large the margin for human error is within any enterprise, and how simple mistakes can lead to security incidents with catastrophic business impact: large-scale loss of data, business disruption, reputational damage and, eventually, loss of customers.
Top breaches caused by a lack of employee awareness
A high-profile breach caused by human error was reported in June 2019 by the Oregon Department of Human Services (DHS). It confirmed that, following a phishing attack in January 2019, the personal information of 645,000 Oregonians was exposed, including names, social security numbers (SSNs) and protected health information (PHI). The breach occurred because DHS employees fell for a phishing email that gave the attacker access to their email inboxes for roughly 20 days, until a password reset was initiated. Fortunately, the subsequent investigation confirmed that no malware was introduced into the network during that time.
In the same month, the city of Riviera Beach, Florida fell victim to a ransomware attack that likewise exploited human error. The incident began when an employee clicked a malicious link in an email, giving the attackers access to the city's systems, where they deployed ransomware and held the city's data to ransom. Three weeks after the attack, the city voted to pay a $600,000 ransom in order to recover its data.
How to build a customized Information Security Awareness program
An Information Security Awareness Program is the best way to warn employees and contractors about risks and to educate them on how they can help protect the organization's data. Although it may seem a simple measure, a Security Awareness Program is the best defense against social engineering attacks.
A key consideration is to ensure that awareness training is adapted both to the company's unique culture and to its risk profile. Likewise, training for people in specific roles should be adapted so that they understand the particular responsibilities their role carries for protecting company data.
Topics such as data handling, the incident reporting process, BYOD policies, passwords, physical security, clean desk policies and the risks of using public Wi-Fi are common elements of any information security training program. In addition, one especially useful way of educating employees is through phishing simulations, which train staff to detect, prevent and report social engineering attacks and other security events.
Finally, a critical factor in an effective Information Security awareness plan is to train regularly and, each time, to measure and test employee commitment and awareness (for example, by tracking how many staff click on, and how many report, each simulated phishing email). Adopting such an approach will go a long way toward protecting your business from social engineering attacks that rely on human error.
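As an added example (not code from the original article or from CyberVadis), the script below scores phishing simulation campaigns the way the measurement step above requires. It parses a constructed event log (the log format, campaign names, users and departments are all assumptions made here, not a real platform's export), computes per-campaign click, credential-submission and report rates plus the median time to first report, and lists users who clicked in more than one campaign so that follow-up training can be targeted.

```python
"""Score phishing-simulation campaigns from an event log.

Added example, not code from the original article or from CyberVadis.
The log format, campaign names, users and departments are constructed
for illustration; a real simulation platform exports something similar.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. One event per line:
#   timestamp | campaign | user | department | event
# event is one of: sent, clicked, submitted (credentials entered on the
# landing page), reported (user flagged the email to the security team).
SAMPLE_LOG = """\
2019-09-02T08:00:00|Q3-invoice|alice|finance|sent
2019-09-02T08:00:00|Q3-invoice|bob|finance|sent
2019-09-02T08:00:00|Q3-invoice|carol|hr|sent
2019-09-02T08:00:00|Q3-invoice|dave|it|sent
2019-09-02T08:03:10|Q3-invoice|bob|finance|clicked
2019-09-02T08:04:30|Q3-invoice|bob|finance|submitted
2019-09-02T08:06:00|Q3-invoice|dave|it|reported
2019-09-02T08:20:00|Q3-invoice|carol|hr|clicked
2019-09-02T08:21:00|Q3-invoice|carol|hr|reported
2019-11-04T09:00:00|Q4-password-reset|alice|finance|sent
2019-11-04T09:00:00|Q4-password-reset|bob|finance|sent
2019-11-04T09:00:00|Q4-password-reset|carol|hr|sent
2019-11-04T09:00:00|Q4-password-reset|dave|it|sent
2019-11-04T09:02:00|Q4-password-reset|bob|finance|clicked
2019-11-04T09:15:00|Q4-password-reset|alice|finance|reported
2019-11-04T09:30:00|Q4-password-reset|dave|it|reported
"""

FIELDS = ("ts", "campaign", "user", "dept", "event")


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.strip().split("|")))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def campaign_metrics(events):
    """Per-campaign rates; each user is counted at most once per metric.

    click_rate / submit_rate / report_rate are divided by the number of
    users the email was sent to; median_minutes_to_report is the median
    delay between delivery and a user's first report (None if no reports).
    """
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e["campaign"]].append(e)

    results = {}
    for name, evs in by_campaign.items():
        sent_at = {e["user"]: e["ts"] for e in evs if e["event"] == "sent"}
        dept_of = {e["user"]: e["dept"] for e in evs if e["event"] == "sent"}
        if not sent_at:
            continue  # nothing was delivered, so no rates to compute
        acted = defaultdict(set)  # event name -> users who did it
        first_report = {}         # user -> timestamp of earliest report
        for e in sorted(evs, key=lambda e: e["ts"]):
            if e["event"] == "sent" or e["user"] not in sent_at:
                continue          # ignore events with no delivery record
            acted[e["event"]].add(e["user"])
            if e["event"] == "reported":
                first_report.setdefault(e["user"], e["ts"])

        n_sent = len(sent_at)
        delays = [(first_report[u] - sent_at[u]).total_seconds() / 60
                  for u in first_report]
        dept_sent, dept_clicked = defaultdict(int), defaultdict(int)
        for u, d in dept_of.items():
            dept_sent[d] += 1
            dept_clicked[d] += u in acted["clicked"]

        results[name] = {
            "sent": n_sent,
            "click_rate": len(acted["clicked"]) / n_sent,
            "submit_rate": len(acted["submitted"]) / n_sent,
            "report_rate": len(acted["reported"]) / n_sent,
            "median_minutes_to_report": median(delays) if delays else None,
            "click_rate_by_dept": {d: dept_clicked[d] / dept_sent[d]
                                   for d in dept_sent},
        }
    return results


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns,
    i.e. the people to prioritise for targeted follow-up training."""
    clicked_in = defaultdict(set)
    for e in events:
        if e["event"] == "clicked":
            clicked_in[e["user"]].add(e["campaign"])
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for campaign, m in campaign_metrics(evs).items():
        print(campaign, m)
    print("repeat clickers:", repeat_clickers(evs))
```

Counting each user once per campaign stops a single user who clicked twice from inflating the click rate, and tracking the report rate and time to report alongside the click rate matters because those reports are what give the incident response process early warning of a real campaign; a campaign where nobody clicks but nobody reports either is not a success.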
At CyberVadis, we offer a scalable solution for assessing cybersecurity performance across the supply chain. One of the main topics in our assessment is awareness and training: we assess whether a company has an information security and data privacy awareness plan, whether it is tailored to job needs, whether it is conducted periodically, and whether employees' commitment is measured.