In Part One of our mini-series on Humans and Cybersecurity, we considered How and Why Humans Became Part of the Cybersecurity Problem.
In Part Two, we will be considering the human element and accidental security incidents.
Insurance company Policy Expert looked at the number of items lost on public transport in London, and what they found was quite shocking. In 2016, travellers on London transport lost 34,322 mobile phones and 1,078 laptops; there were even 10 desktop computers handed in to lost property at TfL. All of these devices contained someone’s data, perhaps even company-sensitive information.
Accidents happen, but they also cost businesses, big time. According to a 2018 study by Shred-IT, almost half of the businesses surveyed said that employee negligence was the biggest security risk to their business. This seems an underestimate, as according to IBM, 95% of security incidents can be traced to human error at some point in the threat lifecycle.
The latest IBM/Ponemon study into the financial implications of accidentally exposed data shows that in the UK, a single lost record costs $127 (approx. £100) to rectify. Multiply that by the thousands of data records normally lost in a data breach and the amount soon adds up. The same Ponemon study also found that, in the UK, 26% of data breaches were caused by human error.
In part one of this mini-series, we looked at how human behaviour and cybersecurity have become intrinsically linked: hackers manipulate human traits to gain access to your most sensitive information and IT resources. Accidental data breaches and cybersecurity issues are the other side of that same coin. In this article, we will explore how accidents happen, and how they can be as damaging as any malicious entity.
When accidents happen – some examples of the “oops” side of cybersecurity
When looking at the causes behind a cybersecurity incident, being able to classify the type of incident is a good place to start. Here are some of the many ways that accidents can result in a cybersecurity event:
Lost data, documents, and devices: The news often contains articles about some politician or other leaving sensitive documents on a train. One such incident involved top-secret Brexit documents being left on a Eurostar train by the Prime Minister’s adviser, Olly Robbins. In another incident, the Crown Prosecution Service was fined £325,000 for losing highly sensitive DVDs containing interviews with victims of crime.
Accidental insider threats: A 2017 Global Threat Intelligence Center report found that 75% of insider threats were accidental. Accidental insider threats cover a lot of ground. They include everything from writing a password down on a notepad to forgetting to patch personal devices used for work purposes.
Accidental email leaks: You know the sinking feeling when you’ve clicked “reply all” but actually meant to email only the original sender? This event is more common than you’d think and is one way that security breaches occur. In 2017, 269 billion emails were sent daily. This opens the door for a lot of mistakes. The UK’s Information Commissioner’s Office (ICO) found that errant emails were behind many of the data losses in an organisation.
Loose tongues: In part one of this series, we talked about attack types that take advantage of human behaviour. Socially engineered cyber-attacks often start with employee surveillance. This includes creating a relationship with an employee, by email or phone, in order to extract information. Employees can innocently give out company or even personal details that will then be used to compromise the organisation. The Business Email Compromise (BEC) scam is based on this type of manipulation of human behaviour.
5 ways to triage your cybersecurity accident and emergency
Accidents happen, and they can result in major breaches at your organisation. An accidental breach is also no excuse for non-compliance with regulations such as GDPR or the Data Protection Act (DPA) – you will be fined whatever the reason for the breach. There are, however, ways to reduce the likelihood that an accidental cybersecurity incident will occur. These 5 ways to help prevent an accident will help you to reduce your cyber-risk:
- Security awareness for all employees: Make sure that your employees are aware of how accidents can contribute to data breaches and other security problems. Being aware of how your security risk increases can help to change the behaviour behind the risk.
- Automate policies wherever possible: Don’t leave pushing out critical patches and other updates to chance (and individual users). If at all possible, implement an automated patch roll-out system.
- Implement a second factor for logins: Where an option to apply a second factor for login is available, use it. This means that even if an employee leaves a password vulnerable to theft, the password will be useless without the second factor.
- Use encryption for data at rest: Implement automated encryption for hard disks, especially for laptops that are regularly taken out of the office.
- Protect emails: If you send emails which may contain sensitive information or personal data, you need sound policies which prevent data loss through accidental email replies and similar slips. This can include the use of data loss prevention (DLP) technology, which can catch emails that are being sent outside of configured company policies.
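As an added illustration of the DLP check described in the last point (example code, not from the original article), the following constructed Python policy check flags outbound mail that carries a sensitivity marker or a UK National Insurance number shape to an external domain, and mail with many external addresses visible in To/Cc (the classic Cc-instead-of-Bcc slip). The internal domain, marker phrases and threshold are assumed policy values.

```python
import re
from dataclasses import dataclass, field

# Policy values below are constructed for this example; a real deployment reads them from config.
INTERNAL_DOMAINS = {"example.co.uk"}
SENSITIVE_MARKERS = ("confidential", "internal only", "not for distribution")
# Shape of a UK National Insurance number, e.g. QQ123456C (sample value, constructed).
NI_NUMBER = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
MAX_VISIBLE_EXTERNAL = 5  # more external To/Cc addresses than this looks like a Cc/Bcc mistake


@dataclass
class OutboundMail:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_outbound(mail: OutboundMail) -> list:
    """Return (rule, detail) findings for a message; an empty list means it passes policy."""
    findings = []
    visible = mail.to + mail.cc  # addresses every recipient can see
    external = [a for a in visible + mail.bcc if _domain(a) not in INTERNAL_DOMAINS]
    ext_visible = [a for a in visible if _domain(a) not in INTERNAL_DOMAINS]
    text = f"{mail.subject}\n{mail.body}"
    if external:
        hits = [m for m in SENSITIVE_MARKERS if m in text.lower()]
        if hits:
            findings.append(("sensitivity-marker-to-external", hits))
        if NI_NUMBER.search(text):
            findings.append(("personal-data-to-external", "UK NI number pattern"))
    if len(ext_visible) > MAX_VISIBLE_EXTERNAL:
        findings.append(("external-recipients-visible", len(ext_visible)))
    return findings


def decide(mail: OutboundMail) -> str:
    """Hold the message for review when any rule fires, otherwise let it go."""
    return "quarantine" if check_outbound(mail) else "deliver"
```

In a real gateway the quarantine decision would be surfaced to the sender so that a genuine reply-all slip can be caught before delivery rather than reported afterwards.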